EU: ENISA Cloud Cybersecurity Market Analysis


On Monday 27 March 2023, the EU Agency for Cybersecurity released its analysis report on the cloud cybersecurity market as part of its Work Programme 2022. The Report focused on the common service models used (IaaS, PaaS, SaaS); the deployment model (public cloud, private cloud, multi-cloud, community cloud or hybrid cloud), indicating the preferred access model of the provided services; and the cloud attributes, indicating the most appropriate and efficient provisioning model for using the cloud services.

Regulation & certification

Compliance with regulation, guidelines and best practices, business requirements and other relevant requirements (e.g., geopolitical requirements, supply chain or procurement rules) influences the cloud cybersecurity market. At present, it is worth noting that a significant number of suppliers still do not hold any certifications for the services they offer. This is attributed to a higher risk appetite on the demand side, a lack of cybersecurity awareness, or a higher prioritisation of cost and performance issues. Nonetheless, the desire of the demand side to use certified services (ca. 50 %) is not fully matched on the supplier side when considering the level of certification supported by the offered cloud services.

Although the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) may become an important EU instrument for achieving better cybersecurity protection levels, it has not yet been sufficiently taken up in the implementations of available cloud offerings. This will probably change once regulators make their transition to the EUCS in the future.

Observations of cloud usage patterns and requirements

Firstly, PaaS is more affordable and has become more widely adopted due to the increased use of microservice architectures. Similarly, larger users tend to use private cloud services more than smaller ones do. Because of the shift from Capital Expenditures (CAPEX) to Operational Expenditures (OPEX), suppliers find the argument for moving to the cloud compelling, as businesses do not need a high up-front investment in IT. Thus, users pay for services only when they need them or only when they use them (OPEX).

Furthermore, on-demand self-service provisioning features, for example, enable 'shadow IT', which is the use of cloud services without an IT department's consent. As a result, this unauthorised use of cloud services may lead to an increase in malware infections or data exfiltration incidents. Then, the APIs used to manage and interact with cloud services may contain vulnerabilities, which are a security responsibility of the suppliers. Finally, the Report found that in both public and private clouds, security risks always exist for the suppliers.

Observations of threats, challenges and capabilities

First, insider threats are the most difficult to address and model. Then, the lack of visibility and transparency of cyberthreat management may influence market adoption. Regarding the "shared responsibility model" in cloud security: the supply side might minimise the probability of vulnerabilities in their application programming interfaces (APIs), while the demand side would do the same for their misconfigurations.

Regulatory stakeholders are important to trustworthiness, as they take a more holistic approach and deal with IT supply-chain security in general. Moreover, incident management and audit scores are low on the supply side because many service providers are reluctant to share logs and give access to their cloud for incident-management services. In addition, multi-tenancy appears to be mainly beneficial for the supply side, while it brings risks for the demand side from a cybersecurity perspective. Then, the segments of cloud-native, application and cloud infrastructure cybersecurity and policy enforcement show a high level of adoption, an indication of good cybersecurity awareness among demand-side stakeholders.

Suppliers may be "in control" of API vulnerabilities, while considering "customer-side" threats, such as misconfigurations, as a source of higher risk. Given the relatively low level of vulnerability information communicated to the demand side, it may be necessary to raise awareness and intensify vulnerability notification, both via the cloud services and via the applications used by all users of the cloud services. For example, Service Level Agreements (SLAs) would need to cover vulnerability management and incident notification for service users as part of new or emerging EU regulations.
