Over-reliant on cloud security, app-loving SMBs must bolster management: F5

Small and medium businesses (SMBs) are putting too much faith in the security of cloud platforms and need to make sure they tighten application and data-security protections while making the shift, a security expert has warned on the back of a survey suggesting that application-service rollouts are continuing to pick up despite a lack of skills to protect them.

Widespread use of application services was a key feature of the F5 Networks State of Application Delivery Report 2017, in which 72 percent of organisations said they had 11 or more application services already deployed and the average organisation said they were planning 17 more deployments over the next 12 months.

Many existing services were security related – ranging from network firewalls and antivirus (installed at 83 percent of organisations) to SSL VPNs (78 percent), load balancing (72 percent), and spam mitigation (72 percent).

Yet only 40 percent of respondents were planning to roll out further security-related application services in the next 12 months, with performance (35 percent), availability (34 percent), identity (34 percent), and mobility (28 percent) topping the leaderboard.

DDoS mitigation (21 percent), DNSSEC protection (25 percent), and Web application firewall services (20 percent) were also on the cards, but with less than 1 in 5 companies adopting these services it’s clear that they are far from ubiquitous.

The figures support anecdotal evidence that security-adopting large enterprises “get it” when it comes to understanding the new risks they are introducing while small companies are less vigilant, Rob Malkin, ANZ managing director of F5 Networks, told CSO Australia.

“Smaller businesses are thinking that they put their applications and data into the cloud and it’s secure,” he explained. “That’s the messaging that is out there. They believe it’s going to make them more efficient – but then we point out that once they move they are 100% committed, and we ask whether their employees understand how to manage it.”

The speed of cloud migration was particularly an issue in the Asia-Pacific region, where 54 percent of companies said they were following a cloud-first strategy – up from 42 percent last year. This was well ahead of the global average of 47 percent, which itself grew from 33 percent last year.

Such rapid adoption requires appropriate data-management skills and security expertise to be embedded in every stage of the process. Yet concerns about the prevalence of management skills are compounded by the tendency of many companies to adopt ‘fail-fast’ models in which application development and deployment are accelerated with the intention of quickly iterating new services to a usable state.

While fail-fast development may meet objectives around improving organisational agility, Malkin worries that in many cases it is also compromising efforts to maintain adequate application security.

“It’s OK to fail fast,” he says, “but make sure that you’re failing fast and still have security in place. Security is going to be the #1 conversation you’re having.”

A growing number of organisations have recently redoubled their efforts around ensuring adequate security is in place, with Telstra and Macquarie Group leading the charge through the recent establishment of internal groups charged specifically with vetting and improving the security of internal applications.

Extending security policies into cloud environments is a key part of such efforts, yet the survey results suggested this remained a challenge for many organisations. Fully 28 percent of respondents to the survey said they struggled to manage consistent security policies across multiple environments, while 25 percent named the lack of analytics as a key security challenge.

The lack of skills around security remained a key security challenge for respondents, 34 percent of whom named it as an issue. This was ironic given that many companies were embracing cloud for the very reason that they hoped it would reduce their dependence on hard-to-find security skills.

“Organisations that do employ a cloud-first strategy had more confidence in their abilities to withstand an attack,” Malkin said. “But if they’re not employing an information officer or a lead security person at these local firms, they really need to cast a critical eye on things.”

While the percentage citing skills as a challenge remained consistent over the previous year, other categories showed improvement: just 50 percent said they were concerned about attack sophistication, for example, compared with the previous year. And just 30 percent were concerned about the complexity of security solutions, well down from 42 percent the year before.