Mature Cloud Native Security Improves Developer Efficiency
When you’re in the middle of transforming to cloud native development and the security strategy it demands, all of your organization’s traditional ways of working are disrupted. Software development may slow down, and securing the applications themselves — newly deployed on distributed cloud environments — can be tough.
But once the period of adjustment is over, and everything’s in place, a mature cloud native organization, armed with security practices designed for cloud native applications, can improve business outcomes, according to a new study. Developers can find and fix vulnerabilities faster — before they reach production — ship more secure code, and help their company boost revenue.
That’s all according to Palo Alto Networks’ new ebook, “Cloud-native Security Maturity.” The ebook reports the results of a survey of 1,000 senior IT and security professionals; the study was conducted over a period of three years, in partnership with market research firm ESG.
The researchers defined organizations’ “maturity” based on their answers to a set of questions about their security program, including queries about their DevSecOps practices, cloud native security controls in use, security team structure and executive sponsorship.
“As companies move their applications and data to the cloud, security should be helping them move safely in that direction,” Mohit Bhasin, senior product marketing manager for Prisma Cloud by Palo Alto Networks, told The New Stack. “It shouldn’t slow down your development teams or the business. It should be a business enabler, helping you to operate in a secure manner.”
The report found that the most mature cloud native organizations find and fix vulnerabilities 28% faster than the average, Bhasin said. “So their development teams see the value in security and what the security team provides to the business.”
Establishing Security Benchmarks
The report explored the effectiveness of mature cloud native security programs, and sought to gauge how those mature programs affect software development and business outcomes.
The study established benchmarks by looking at how organizations differ in people, processes, and technology — in, for example, security team structure, DevSecOps and security platforms, respectively, said Doug Cahill, vice president of analyst services and senior analyst for ESG.
The researchers grouped four cohorts of survey respondents based on their organizations’ different stages of maturity in adopting cloud native security.
“The most mature Stage Four companies, those most involved in cloud native security, are much more apt to leverage more security technologies in business-critical applications,” Cahill said. “They’re more competitive in their markets, and they get better revenue results.”
Eighty-one percent of respondents said they’re running some business-critical applications in the cloud, because doing so is more agile, cost-effective and scalable, according to Bhasin.
To secure these programs, he thinks, those organizations need to take a holistic platform approach: “You can’t just buy products that secure only one part of an application — you need products that can secure the entire application stack, and the entire lifecycle of applications, as well.”
Trends the study uncovered support this. In addition to possessing centralized, top-down security buying patterns with executive sponsorships and integrating security with DevOps processes, mature organizations tend to prefer a platform approach that consolidates security tools and controls.
Palo Alto Networks’ Prisma Cloud, for example, is a comprehensive, cloud native application-protection platform that secures the entire technology stack throughout the application lifecycle, and across hybrid and multicloud environments, Bhasin said.
How Long Does It Take to Reach Full Maturity?
The report classified the majority of respondents in the first two cohorts of maturity, Stages One and Two, which together total 63%. Stage Three represents 28% of the surveyed organizations, and the most mature, in Stage Four, constitute only 10%.
That means most companies have barely begun to benefit from cloud native security practices and technologies. So the question naturally arises: how long does it take to reach Stage Four and achieve the benefits of full maturity?
That depends on how fast they move: how quickly they can leverage a mature cloud security platform, and how quickly they can enable the integration of security with their DevOps, said Bhasin.
Although Stage Four organizations aren’t necessarily larger, organizations that have invested in modernizing their cybersecurity programs have a competitive advantage in the market, Cahill said. “There’s tremendous pressure to move quickly, and these organizations can move faster safely.”
Organizations with mature security processes in place are also more collaborative, the researchers found. The main collaboration is between the security team and the development team throughout the software development lifecycle, said Cahill. “But collaboration can also expand to include line-of-business leaders, and the cloud engineering team,” he added.
In contrast, if everyone is working in a silo, that organization will tend to fall behind, because there are no clear processes or lines of communication, said Bhasin.
Stage Four organizations also use a broad portfolio of controls to secure cloud native applications. They include security posture management, container security, API security, entitlement management and web application firewalls.
These mature organizations have fewer cloud native application security incidents than less mature groups, even though they have more than three times the number of cloud native applications in production.
Organizations can use a quick, interactive, online assessment tool to determine where they are on the maturation scale and what it takes to improve.
Repeatability and Automation Matter Most
The amount of time it takes for an organization to reach Stage Four will also be shorter if it implements repeatable processes that are reusable across multiple projects, said Cahill: “That’s where you get scale.”
Automation can also help remediate the well-known current shortages of cloud skills and cybersecurity skills.
Just over 80% of respondents in the report said they had been affected at least somewhat by cloud security skills shortages. But Stage Four organizations are 47% less likely to struggle with that problem.
In ESG’s “2022 Technology Spending Intentions Survey,” respondents cited cybersecurity and IT architectural planning — which often means public cloud planning — as the top areas in which their organization has a problematic shortage of skills, Cahill said.
“The result is, your current cybersecurity team is probably not cloud-literate,” he said. “That makes cloud security programs that enable automation all that more important, because the acute shortage of cloud security skills is not going to get better anytime soon.
“We need ways to scale, and one way is repeatability, by automating security and integrating it into the DevOps process.”