Security policy management in hybrid cloud environments
A new survey by AlgoSec found that 79 percent of organizations need better visibility in order to unify security policy management across their on-premise and public cloud environments.
Conducted in August 2014, the survey polled 363 information security and network operations professionals, data center architects, application owners and CIOs worldwide. 239 respondents (66 percent) reported they are currently deploying or planning to deploy business applications on an IaaS platform within the next 12-36 months.
The following key findings are based on these 239 respondents:
Visibility is obscured by clouds – 79 percent of respondents agreed or strongly agreed that they need better visibility across on-premise data centers and public clouds. Two-thirds (66 percent) of respondents agreed or strongly agreed that it is difficult to extend the corporate network security policy to the public cloud.
Lack of processes hinders cloud management and compliance – 59 percent of respondents noted the lack of operational workflows to manage network security in a hybrid environment. Demonstrating compliance on IaaS compared with on-premise data centers was another major issue, with 49 percent of those surveyed claiming difficulty.
Disparate selection of security controls used across IaaS – Only a third of respondents (33 percent) use commercial network firewalls to protect access to their data in the cloud. 25 percent of respondents use provider controls such as Amazon Security Groups, and 10 percent use host-based firewalls.
Companies are in the dark about security controls in the cloud – Worryingly, a third of companies that are planning to deploy business applications in the cloud within the next 12-24 months do not know which tools they will use to manage their network security policies in the cloud.
Data and network security are the most challenging functions to migrate to public clouds – Network security is the second most complex function to migrate to the public cloud (following data security), and the most complex for small to medium size organizations.
Responsibility for cloud security is fragmented – At small to medium size companies, security for business applications running in public clouds is handled mostly by IT Operations (70 percent). In the future, companies plan to transition this responsibility over to Information Security. At large companies, the responsibility is and will remain in the hands of Information Security (72 percent).