Black Hat survey finds enterprises are increasing their attackable surface area by 100 times with a move to cloud infrastructure environments
No shift to the cloud comes without a conversation about security, and for attendees of the annual Black Hat security conference, one of the main issues about moving companies to cloud computing is seen to be the increase of the attackable surface area.
Almost all of the respondents to a survey conducted by CloudPassage at the conference noted that when moving from traditional data centres to a cloud infrastructure environment, they increased the number of server workloads by a factor of two to 100 times.
‘Attackable surface area’
This, in turn, greatly increases their attackable surface area, and enterprises are worried. In fact, over three quarters of respondents said that security team hiring in the enterprise has not kept pace with this rate at which new server workloads are created, changed or retired in the cloud.
“Adopting cloud infrastructure and agile application delivery creates exponential growth in server workloads, meaning more potentially attackable surface area and more security management overhead,” said Carson Sweet, co-founder of CloudPassage. “At the same time, organisations rarely increase the size of their security teams at all, much less enough to keep up with the higher scale and pace.
Of those who reported an increase in the number of server workloads when they moved to the cloud, a third of respondents reported they doubled the number of server instances from the number in their traditional data centres. A quarter reported the number of server instances to be five times higher in the cloud than in their traditional data centres.
Only 28 percent of respondents to the survey reported that they are leveraging a full suite of tools that let them to secure and audit cloud server workloads automatically when configuring and deploying them. However, 37 percent have some security automation tools for configuration and deployment, but another 35 percent are not automating security for configuration or deployment at all.
Adrian Sanabria, security analyst at 451 Group, said: “There’s less and less separation between building out the application and building out the infrastructure. Security has to be built in. It has to be automated. It’s no longer something we deploy manually.”