Radware - To-Move-to-Public-Clouds-Creates-Security Silos - 2020 - SB

The Move to Multiple Public Clouds Creates Security Silos

Although security professionals have better visibility into what is happening on their networks when computing resources are managed on-premise, the benefits of a public cloud environment are compelling. As expected, enterprises continued to transition more applications and data to public cloud environments in 2019.

Organizations look to public cloud service providers for network infrastructures that enable more agile responses to customer needs and deliver high availability and network performance while reducing operational costs.

To further understand how the migration to public cloud platforms is impacting cybersecurity, Radware surveyed over 600 security and business professionals from around the globe.


The next step in this migration is the concurrent use of multiple public cloud environments for a number of reasons:

• Cost optimization — Every public cloud service provider offers different services and pricing packages. Organizations have more negotiating power when they are not tied to only one service provider.

• Service redundancy — If all digital assets reside in one public cloud environment, there is too much risk for network downtime. Using multiple public cloud environments enables strategic planning for backup protection.

• Best-of-breed functionality — Each public cloud provider has its strengths and weaknesses when it comes to certain capabilities such as computing power, automation, big data processing, etc.

• Acquisitions/mergers — When companies combine operations, it is common practice to maintain applications and services on multiple public cloud environments.

• Shadow IT teams — Development and operations (DevOps) and other teams, which cannot wait for a central IT organization to allocate network resources, often secure their own arrangements with public cloud service providers.

Figure 1. Use of public cloud environments. (Bar chart of the number of public clouds used: None 27%, One 29%, Two 27%, Three 10%, Four or more 7%.)

Three-fourths of survey respondents said that their organizations used at least one public
cloud, and more than two of five used two or more public clouds. Large and worldwide
companies were most likely to have used three or more public cloud environments.
Amazon Web Services (AWS) (44%) and Microsoft Azure (43%) were the two most used
public cloud vendors. Only about one-quarter of respondents said that they have not used
public clouds.


Balancing Business Challenges


The strategic use of multiple public cloud environments introduces new business challenges. Although organizations are better able to respond rapidly to market opportunities, the decentralized nature of this model adds complexity to how applications and computing resources are secured.

Organizations — whether via chief information security officers (CISOs) or other security teams — need to stay abreast of the technological and environmental changes in their public clouds. There is a need for visibility across all the different platforms from one holistic solution that enables management of the security posture by utilizing one common language. The goal is to be able to:

• Prevent attacks by reducing the size of the attack surface

• Detect and identify evolving threats

• Respond with accurate and effective mitigation

Security professionals weighed the benefits of having used a public cloud against the risks. Although only 10% of respondents felt that their data was more secure in a public cloud environment, 30% felt that the benefits of the cloud, such as agility and lower costs, justified the security risks.

Figure 2. Lack of confidence in public cloud security. (Bar chart of survey responses:)

• My data is equally secure in either a data center or the public cloud: 32%
• My data is less secure in the public cloud, but other benefits of the cloud outweigh the security risks (agility, cost, etc.): 30%
• My data is less secure in the public cloud: 29%
• My data is more secure in the public cloud: 10%

But lack of visibility about which entity — the organization or the public cloud service provider — is responsible for specific elements of network security caused security breaches. In Radware’s 2019 State of Web Application Security Research report, 65% said that they aren’t clear about security boundaries, and 53% of respondents experienced data exposure as a result of misunderstandings with the public cloud provider regarding security responsibilities.

Figure 3. Misunderstandings about responsibilities for public cloud security. (Callouts: 65% aren’t clear where the boundaries of responsibility are; 53% have experienced data exposure caused by misunderstandings.)


In the public cloud environment, web and application intrusion (27%) was seen as the biggest threat to their companies’ cloud environments, similar to previous years’ surveys.

Figure 4. Security threats to the public cloud environment. (Chart of survey responses:)

• Web and application intrusion: 27%
• Credential threat: 20%
• Malware: 15%
• DDoS: 14%
• Insider threat: 11%
• Other: 2%
• None/don’t know/don’t use the cloud: 11%

The Need to Rethink Security Strategies

Often when organizations migrate from on-premise to public cloud environments, security teams want to continue to use the same approach for protecting applications and data. But use of a public cloud, especially multiple public clouds, introduces new attack vectors that require better visibility into what is happening across the entire ecosystem. Security tools offered by public cloud vendors are often a popular choice to fill the gap following migration.

Figure 5. Main approaches to secure the public cloud. (Bar chart of survey responses:)

• Use the native security tools of the public cloud vendors: 31%
• Combine native tools with third-party solutions: 31%
• Use a dedicated cloud security solution from a third party: 16%
• Use the same tools as for our physical data center security: 12%
• Don’t have a security solution for the public cloud: 8%

The majority of respondents who said that their organizations used public cloud environments indicate that they selected native
security tools or a combination of native tools with third-party solutions to secure their public cloud.

Organizations might adopt a heterogeneous approach to securing public clouds because public cloud
vendors are not cybersecurity experts and typically provide best-of-breed security tools vs. a 360-degree holistic security solution.
Many organizations recognize the risks associated with relying solely on a public cloud vendor for security and opt to include a
dedicated cybersecurity/distributed denial-of-service (DDoS) vendor.


Fortifying the Public Cloud

SundaySky’s video marketing platform provides marketers and customer experience professionals with video-powered content to provide consumers with an exceptional digital experience. Founded in 2006, the company is headquartered in New York City with additional offices in Tel Aviv and Tokyo.

Network elasticity and scalability have always been critical to SundaySky’s business. With customers leveraging the network more during business hours than in the evening, using a cloud-based platform for SundaySky’s network infrastructure benefits the company immensely. SundaySky uses AWS, which provides the ability to scale network capacity to meet spikes in demand and offers a pay-as-you-go pricing model.

But with progress comes new challenges — and new security threats. SundaySky had to comply with various regulations, including HIPAA, regarding the handling and security of data. Multiple AWS environments and accounts meant that SundaySky required a single workload security solution that would:

• Assist with managing access permissions to AWS services and data

• Reduce obsolete/excessive permissions across multiple AWS environments

• Provide a centralized console for management of account updates and timely identification of insecure misconfigurations and compliance assurance

• Protect against data breaches, account takeovers and other attacks while eliminating false positives

To protect its AWS environment and attain improved visibility into account updates and insecure misconfigurations, SundaySky implemented Radware’s Cloud Workload Protection Service (CWPS), an agentless, cloud-native workload security solution.

“Radware’s Cloud Workload Protection provides us with the single pane of glass to manage the permissions and workloads that we were looking for. Being concerned about misconfigurations and potential risks has become a thing of the past. It’s fortified our cloud-based network.”
— Shay Reshef, Director of Security, SundaySky

SundaySky’s operation and security teams now leverage CWPS for a single view of accounts and workloads running across their network, in addition to account updates and associated permissions. Previously unidentified workloads and/or outdated accounts have been pinpointed and secured, and CWPS monitors account updates and configuration changes for misconfigurations and excessive permissions, ensuring that SundaySky meets compliance regulations regarding the handling of customer data.

Keeping Permissions Tight

Threats have evolved dramatically over the past few years, and hackers have devised methods to leverage cloud technologies. When data and applications are hosted in the cloud, the number of entry points to the network increases dramatically. Controlling who has permission to access network elements and data is very important.

Organizations need to find the right balance between excessive and overly restrictive permission policies. Excessive permissions leave environments open to malicious activity. Permissions that are too restrictive block DevOps teams from being able to do their jobs.

Twenty percent of survey respondents ranked credential threats as the biggest threat to their company’s cloud environment, slightly behind web and application intrusion.

Diffusion of Staff Responsibilities

Part of the problem is that IT administrators are generally no longer part of a centralized team controlling and administering the entire computing environment. As the role of DevOps grows, DevOps teams are spread across development Scrum teams, small groups with members representing the different functions needed to accomplish the goals at hand. No one entity controls the granting of permissions, but developers, DevOps, compliance and others should only receive the permissions they need.

Aggressive governance policies might harden organizations’ environments but could limit the ability of development teams to react quickly to update applications or access data as needed to address changing business requirements.


Skills Shortage Affects Security Tactics

Competition for qualified employees is high, as are salaries. Constant turnover makes it difficult to maintain qualified knowledge transfer. Cybersecurity Ventures predicts that 3.5 million cybersecurity jobs around the globe will go unfilled by 2021.¹ CISO respondents to the Radware global survey indicated that they struggle to find and hire skilled IT security staff.

The role of the CISO is also evolving. As different security and developer roles in organizations gain prominence, such as DevOps, management of relationships with public cloud vendors might not reside directly with the CISO. It is quite possible that multiple groups have relationships with each public cloud vendor. This arrangement can add complexity and potentially conflict with departments and working groups regarding how security policies should be applied.

Threat propagation in public cloud environments and the shortage of qualified security professionals necessitate greater automation in security solutions. In the Radware global survey, CISOs indicated that there was a greater reliance on automation to detect and mitigate threats.

Strategies to Secure Multiple Public Cloud Environments

Applying security protocols that were successful for on-premise environments will not work as applications and data migrate to public cloud environments. Security teams need to adopt new strategies to harden security across their entire public cloud ecosystem by:

• Adopting third-party security solutions
  The public cloud service providers’ core competencies are not network security. Rather, network protection is generally a proprietary add-on to their service offerings that operates in a silo. Instead, select a security solution from a vendor with proven expertise and thought leadership. Choose a holistic approach that can protect multiple public cloud environments with consistent implementation and maintenance of security protocols while automating prevention, detection and response.

• Engaging a fully managed security service
  To overcome staff and skills shortages, take advantage of an outside team focused on securing your public cloud network security environments.

• Centralizing management of network security
  With a security solution in place that provides visibility and control of security policies across all virtual public clouds and clouds, it is possible to achieve tighter regulation of user credentials and permissions from a centralized dashboard.

¹ https://cybersecurityventures.com/jobs/

Download the 2019–2020 Global Application & Network Security Report to further understand what leading organizations are doing to keep digital assets secure in an age of cloud computing.

© 2020 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this report are protected by trademarks, patents and pending patent applications
of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.
