Palo Alto Networks on the State of Cloud Native Security
With software security getting kicked in the teeth almost every day, it’s more important than ever that we take securing our programs and clouds more seriously than ever. But before we can do that, we must know what’s insecure today. That’s where security company Palo Alto Networks (PANW) comes in with its latest State of Cloud Native Security Report.
The single biggest factor in the cloud and its security, though, was beyond the control of any technology company. According to PANW, the Covid-19 pandemic represents one of the most profound worldwide social and economic upheavals since World War II. The results were:
- The rapid shift to remote work, school, and healthcare driving a surge in online collaboration and meeting tools.
- A sudden, acute demand for cloud-delivered business-critical applications
- A broad consumer shift to low-contact online shopping and takeout dining.
- Intensified demands for cloud infrastructure support for everything from social services to supply chain management.
Increased Movement to the Cloud
In terms of numbers, organizations expanded their use of clouds during the pandemic by more than 25% overall. In addition, today 69% of organizations host over half of their workloads in the cloud, up from just 31% in 2020. It really is a cloud IT world today.
Businesses also spent more on platform as a service (PaaS) and serverless. This probably came with their rapid transition to the cloud. At the same time, containers and containers as a service (CaaS) saw more moderate growth. This last part I found surprising. I would have guessed that containers, in no small part because of Kubernetes, would have taken up more funding.
Too bad, they’re not spending that much on securing their new cloud services. Despite this great growth, companies are paying less on average on their clouds. Now, this may be because of across-the-board budget cuts; reallocation of funds due to the pandemic; or it may simply reflect a “normalization” of cloud activities, with budgets.
Or, I suspect, it’s companies cheaping out on their cloud deployments. And I think we all know that security gets the short end of the budget when businesses are in a rush to deploy new technologies.
Expanding Cloud Security Teams
That isn’t what PANW found. It’s just my cynical guess from having spent way too many years covering technology. While top-line cloud budgets fell, cloud security budgets remained steady. Indeed, PANW believes that while organizations spent less money on the cloud overall, they did not let their security budgets waver. PANW also saw companies expand their cloud security teams. Fifty-three percent of organizations reported having a security team with over 30 people, up from 41% last year. I hope this means that everyone really is doing better at securing their clouds. I really do, but color me cynical.
Interestingly, those who did the best with their cloud moves tended to have the strongest security posture, with 81% ranking strong or very strong. However, those that were embracing the cloud quickly and doing a poor job of it usually had weak security. This leads me to think that smart companies with successful deployments know security is important, while those that have trouble with the cloud also have trouble with security. In other words, if you’re bad at deployment and migration, you’re going to be bad at security too.
All this would be more than enough of a challenge by itself. But then as companies raced to meet these new, unexpected demands, they found themselves facing a global threat that was squarely on their technology shoulders: Cyberattacks.
Explosion of Incidents
So it was as PANW noted “an explosion of security incidents” that correlated to increased cloud spending by organizations beginning in the first six months of the pandemic. The conclusion was that “rapid cloud-scale and complexity without automated security controls embedded across the entire development pipeline are a toxic combination.”
Things haven’t improved. Thanks to Omicron, the pandemic stretches on. Organizations continue to push workloads to the cloud while still struggling to automate cloud security and mitigate cloud risks.
PANW isn’t panic-mongering. Others have noticed this continuing problem too. The NCC Group has remarked on how continuous integration/continuous delivery (CI/CD) pipeline attacks are gaining momentum. It’s all part of the growing assault against software supply chains.
Interestingly enough, companies with best-in-class security operations see the greatest benefits to their workforce in terms of productivity and satisfaction. Eighty percent of those with strong security posture reported increased workforce productivity.
Weak Security Posture
Unfortunately, most organizations, 55%, report a weak security posture and believe they need to improve their underlying activities. No kidding? Running insecure clouds today is just asking for a disaster.
PANW also found 80% of organizations that primarily use open source security tools have weak or very weak security posture, compared to 26% of those who primarily leverage their cloud services provider and 52% of those who depend on third parties. The problem isn’t the open source security tools, however. It’s that it’s hard to piece together a platform using disparate tools. In short, if you don’t specialize in using open source security tools, get someone who does. It’s a false saving to leave open source tools together if you don’t know how they fit together.
Companies seem to be getting this lesson. PANW found that nearly three-quarters of businesses are now using 10 or fewer security tools. They also found a 27% increase from the 2020 data in the number of organizations using just one to five security vendors. This suggests that they are looking to fewer security vendors for more capabilities.
Automation Is Key
PANW also discovered that the more groups automate security automation the more likely they are to have strong security. Along with this, PANW found that the organizations, which did a good job of adopting and implementing DevSecOps methodologies tend to have best-in-class security. Specifically, organizations that tightly integrate DevSecOps principles are over seven times more likely to have a very strong security posture.
In conclusion, PANW believes “organizations that made cloud infrastructure a strategic focus across the business were more successful. Further, cloud security is a clear enabler of business outcomes. For any type of organization, anywhere in the world, security best practices are consistent and can be implemented as key drivers for cloud success.”
Of course, better security, in and of itself, doesn’t mean that everything will be great on your cloud. “But having security under control — consolidating tools and vendors as well as using proven DevSecOps and security automation strategies — sets a baseline that lets development teams do their jobs better and enables organizations to succeed in their cloud transformations.”