Measuring the State of Cloud Native Security

Prisma, from Palo Alto Networks, sponsored this post.

Cloud security might be the single most difficult thing security professionals are dealing with today. Most organizations aren’t adequately prepared for cloud security, because they are trying to apply a security model designed for an era long gone. Traditional security is based on a model where there is a hard shell around the organization: everything inside the shell is good and needs to be protected, while everything outside should be considered bad. This worked when the majority of compute platforms were inside that shell.
The State of the Cloud: Challenges
Then along came the cloud and businesses started moving resources out of that shell. Then came multicloud, where applications and data are scattered across numerous cloud providers. This has many challenges, because most traditional enterprise security tools do not extend to the cloud. Also, while the cloud providers offer their own security solutions, those won’t extend across clouds. For example, I can’t use an AWS firewall to secure a workload in Azure. For multicloud, security professionals need to consider a solution that can span across both the enterprise data center and all the major cloud providers.
But wait, there’s more difficulty coming. Multicloud is the norm now and security professionals need to start looking ahead to what’s next. That’s something I’m calling distributed cloud, which will raise the complexity bar on security to new heights. That’s right, we haven’t really figured out multicloud yet and I’m stating the era of multicloud is ending — with distributed cloud already starting to appear.
A distributed environment can be thought of as a highly distributed set of cloud services that spans private and public clouds, but also a myriad of edge locations. This includes the IoT edge, campus edge, home edge, 5G edge and many more. Within these clouds, edges and data centers, customers can run workloads on bare metal, within virtual machines or in containers. This combination of containers, VMs, clouds and edges creates an additional layer of difficulty for organizations, driving the need for a different model for cloud security.
The Latest Statistics and Trends
To better understand what technologies companies around the world use to manage cloud security, Palo Alto Networks conducted its first “State of 2020 Cloud Native Security” report.
The report is based on a survey of 3,000 professionals in cloud architecture, information security, DevOps, and application development. Half of the respondents are from the U.S., with the rest split evenly between Germany, the UK, Singapore and Australia.
About three-quarters of the respondents work in three industries: financial services and insurance, consumer and industrial products, and energy and resources. The others work in either technology, media and telecommunications, or life sciences and healthcare.
The report found that most organizations (94%) use more than one cloud platform, with 60% of survey respondents indicating they use between two and five. Those that are utilizing cloud computing are close to the halfway point in their transition.
There isn’t a single cloud computing service that dominates, as workloads are almost evenly spread across different services. Virtual machines (VMs) account for 30% of all workloads on average, then 24% for containers, 21% for containers as a service (CaaS), and 22% for Platform-as-a-Service (PaaS). The majority of respondents (86%) expect their usage of all four services to either increase or stay the same in the immediate future. Meanwhile, the diversity of architectures that power cloud applications (IaaS, CaaS and PaaS) is also expected to increase.
The findings indicate that cloud will become the dominant computing model for organizations over the next 24 months. While 46% of organizations are currently running their workloads in the cloud, the report anticipates that figure will grow to 64% within two years. That’s because cloud infrastructures are constantly evolving, according to 80% of respondents.
Top Organizational Concerns
Unsurprisingly, the biggest concern for organizations as they move workloads to the cloud is security. Maintaining comprehensive security is a top challenge for 39% of respondents. Among the threats organizations face with cloud services, respondents named data security and malware, application vulnerabilities, weak and broken authentication, insider threats, credential leakage, insecure APIs, over-permissioned access, and misconfigurations.
Organizations struggle to provide comprehensive cloud security for a number of reasons. Some lack visibility into security vulnerabilities. Others don’t have adequate employee training on security tools and safe practices.
Cloud security team structures vary across organizations. The report found that 77% of companies have more than 20 people on their cloud security teams. A further breakdown shows 47% have a centralized cloud security team and security experts working within delivery teams, 31% have a centralized cloud security structure, and 22% employ a cross-functional cloud security structure.
Many organizations don’t understand that they are responsible for the applications and configurations in the cloud, so they must secure those themselves — instead of assuming providers will do it for them. Overwhelmingly, 73% of respondents don’t have a clear notion of their cloud security responsibilities and the cloud service provider’s (CSP) responsibilities.
Deploying more security tools doesn’t translate into better protection of the cloud infrastructure. Au contraire: acquiring more tools can create inefficiencies and make it more difficult to train employees. Of those surveyed in the report, 71% use third-party vendor tools, 65% use CSP-provided security tools, and 62% use open source tools.
Among companies that invest $50 to $100 million in cloud computing, 30% use 11 or more cloud security vendors. The number of vendors drops significantly for companies investing more than $100 million in the cloud. In this high-spending group, 53% use fewer than five security tools. Companies with larger cloud budgets are able to consolidate and rationalize their investments by eliminating overlapping tools and vendors.
Organizations with the largest annual cloud budgets ($100 million or higher) are also spending more on cloud security. Among the high spenders, 34% allocate 16% or more of their cloud budget to security.
Palo Alto Networks developed a “cloud security preparedness” metric to determine the levels of readiness among surveyed organizations — from low to medium to high. Only 18% of organizations are highly prepared to secure their cloud, whereas 29% of organizations are in the lowest-prepared category. The scary part of this number is that most companies tend to overestimate their capabilities. Of the 18% that claim to be prepared, I would guess that maybe half actually are and the other half think they are but really are not.
Organizations with the highest level of cloud security preparedness are making smarter decisions. Out of the most prepared companies, 45% are embedding security into DevOps and 41% are integrating security in at least four stages of the software development lifecycle. In comparison, 21% of the lowest-prepared companies have embedded security in DevOps and 12% involve security in the development lifecycle.
The report also found a correlation between security preparedness and the number of cloud security tools that organizations use. Highly prepared organizations believe that having many tools makes it more difficult to prioritize risks and prevent threats, whereas those with low preparedness don’t view having multiple tools as problematic.
Half (50%) of the highly prepared organizations said they’re actively reducing the number of security tools they use. The consensus among these organizations is that a single, comprehensive security solution would improve their overall cloud posture. This may have been a pipe dream in the past and it’s still difficult to achieve, but some of the leading security vendors have taken a platform approach that allows third parties to easily plug into their framework. This enables the security provider to offer a single-vendor solution, but ensure that any gap can be filled with a third party that works with the underlying platform.
You can read through the full dataset and analysis in the “2020 State of Cloud Native Security Report.”