2019 CLOUD SECURITY REPORT
Cybersecurity Insiders
All Rights Reserved. Copyright 2019 Cybersecurity Insiders.
INTRODUCTION
Organizations continue to adopt cloud computing at a rapid pace to benefit from the
promise of increased efficiency, better scalability, and improved agility.
While cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and
Google Cloud Platform (GCP) continue to expand security services to protect their
evolving cloud platforms, it is ultimately the customers’ responsibility to secure their
applications and data within these cloud environments.
The 2019 Cloud Security Report highlights what is and what is not working for security
operations teams in securing their cloud data, systems, and services in this shared
responsibility model. The results are a continuation of past challenges:
• The top cloud security concern of cybersecurity professionals is data loss and leakage (64%).
• The biggest barriers to cloud adoption are data security, loss, and leakage risk (29%) and
general security risks (28%).
• Forty-three percent say monitoring for new vulnerabilities in cloud services is the most
challenging part of the cloud compliance process.
Overall, the findings in this report emphasize that to protect their evolving IT environments,
security teams must reassess their security posture and strategies and address the
shortcomings of legacy security tools and approaches.
This 2019 Cloud Security Report has been produced by Cybersecurity Insiders, the
400,000 member information security community, to explore how organizations are
responding to the evolving security threats in the cloud.
Many thanks to Synopsys for supporting this important research project.
We hope you’ll find this report informative and helpful as you continue your efforts in
securing your cloud environments.
Thank you,
Holger Schulze
CEO and Founder, Cybersecurity Insiders
METHODOLOGY & DEMOGRAPHICS
This Cloud Security Report is based on the results of a comprehensive online survey of cybersecurity
professionals conducted in March 2019 to gain deep insight into the latest trends, key challenges, and
solutions in cloud security. The respondents range from technical executives to IT security practitioners
and represent a balanced cross-section of organizations of varying sizes across multiple industries.
CAREER LEVEL
Manager/Supervisor 28% | Director 17% | Specialist 11% | Consultant 10% | Owner/CEO/President 8% | CTO, CIO, CISO, CMO, CFO, COO 8% | Project Manager 5% | Other 13%
DEPARTMENT
IT Security 35% | IT Operations 33% | Engineering 6% | DevOps 5% | Product Management 3% | Compliance 3% | Other 15%
COMPANY SIZE
Categories: Fewer than 10 | 10-99 | 100-499 | 500-999 | 1,000-4,999 | 5,000-10,000 | Over 10,000
Chart values (label pairing not preserved): 8%, 10%, 19%, 22%, 10%, 20%, 11%
While adoption of public clouds continues to surge, security concerns show no signs of abating. An overwhelming majority of cybersecurity professionals (93%) say they are at least moderately concerned about public cloud security, a small increase from last year.
SECURITY IN PUBLIC CLOUDS
How concerned are you about the security of public clouds?
93% of organizations are moderately to extremely concerned about cloud security.
Response scale: Not at all concerned | Slightly concerned | Moderately concerned | Very concerned | Extremely concerned
Chart values (label pairing not preserved): 38%, 37%, 18%, 3%, 4%
Most organizations are at least moderately confident in their cloud security posture (84%) – perhaps reflecting a level of overconfidence not supported by the security incidents and challenges presented in this report.
CLOUD SECURITY CONFIDENCE
How confident are you in your organization’s cloud security posture?
37%: Only about 1/3 are very confident or extremely confident in their organization's cloud security posture.
Response scale: Not at all confident | Slightly confident | Moderately confident | Very confident | Extremely confident
Chart values (label pairing not preserved): 7%, 11%, 26%, 47%, 9%
Although cloud providers offer increasingly robust security measures, customers are ultimately responsible for securing their workloads in the cloud. The top cloud security challenges highlighted in our survey are related to data loss (64%) and data privacy (62%). These are followed by compliance concerns (39%) and concerns about accidental exposure of credentials (39%).
CLOUD SECURITY CONCERNS
What are your biggest cloud security concerns?
Data loss/leakage 64%
Data privacy/confidentiality 62%
Legal and regulatory compliance 39%
Accidental exposure of credentials 39%
Data sovereignty/residency/control 35%
Incident response 29%
Fraud (e.g., theft of SSN records) 28% | Visibility and transparency 28% | Lack of forensic data 27% | Disaster recovery 25% | Availability of services, systems, and data 25% | Liability 24% | Performance 23% | Business continuity 23% | Having to adopt new security tools 19% | Not sure/other 8%
As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place.
OPERATIONAL SECURITY HEADACHES
What are your biggest operational, day-to-day headaches caused by trying to protect cloud workloads?
Compliance 34%
Visibility into infrastructure security 33%
Setting consistent security policies 31%
Lack of qualified staff 31%
Lack of integration with on-premises security technologies 29%
Security can’t keep up with the pace of changes to new/existing applications 29%
Securing traffic flows 24% | Can’t identify misconfigurations quickly 24% | Complex cloud-to-cloud/cloud-to-on-premises security rule matching 24% | Securing access from personal and mobile devices 23% | Reporting security threats 23% | Remediating threats 22% | Understanding network traffic patterns 21% | Justifying more security expenditure 21% | No automatic discovery/visibility/control of infrastructure security 19% | Automatically enforcing security across multiple datacenters 17% | Lack of feature parity with on-premises security solution 14% | No flexibility 8% | Not sure/other 10%
With use of the cloud increasing every year, more data is stored in cloud environments. For the third year in a row, cybersecurity professionals say access controls (52%) are the primary method they use to protect data in the cloud, followed by encryption or tokenization (48%), the use of security services offered by the cloud provider (45%), deployment of cloud security monitoring tools (36%), and connecting to the cloud via protected networks (36%).
DATA PROTECTION IN THE CLOUD
How do you protect data in the cloud?
We use access controls 52%
We use encryption or tokenization 48%
We use security services offered natively by the cloud provider 45%
We connect to the cloud via protected networks 36%
We deploy cloud security monitoring tools 36%
We deploy additional security services offered by third party vendors 25%
We don’t protect data in the cloud 6%
Not sure/other 10%
When it comes to compliance challenges, monitoring cloud services for new vulnerabilities stands out at 43%, followed by going through audits and risk assessments (40%) and monitoring for compliance (39%).
COMPLIANCE CHALLENGES
Which part of the cloud compliance process is the most challenging?
Monitoring for new vulnerabilities in cloud services that must be secured 43%
Going through audit/risk assessment within the cloud environment 40%
Monitoring for compliance with policies and procedures 39%
Staying up to date on new/changing compliance and regulatory requirements 35%
Data quality and integrity in regulatory reporting 34%
Scaling and automating compliance activities 26%
Applying/following the shared responsibility model 24%
Not sure/other 12%
The vast majority of organizations (95%) that secure on-premises workloads consider it extremely important (46%), very important (38%), or somewhat important (11%) to maintain continuous compliance when migrating workloads to the cloud.
CONTINUOUS COMPLIANCE
If you secure your workloads (VMs and container instances) on-premises, how important is maintaining continuous compliance when migrating them to the cloud?
Extremely important 46%
Very important 38%
Somewhat important 11%
Not so important 3%
Not at all important 2%
Despite all its benefits, cloud computing is not without challenges. Data security (29%) and general security risks (28%), combined with lack of budget (26%), compliance challenges (26%), and lack of qualified staff (26%), top the list of barriers to faster cloud adoption.
BARRIERS TO CLOUD ADOPTION
What are the biggest barriers to cloud adoption in your organization?
Data security, loss, and leakage risks 29%
General security risks 28%
Lack of budget 26%
Legal and regulatory compliance 26%
Lack of staff resources or expertise 26%
Integration with existing IT environment 24%
Loss of control 22% | Complexity of managing cloud deployment 20% | Fear of vendor lock-in 20% | Cost/lack of ROI 19% | Internal resistance and inertia 19% | Performance of apps in the cloud 16% | Lack of transparency and visibility 16% | Lack of customizability 16% | Billing and tracking issues 15% | Lack of management buy-in 13% | Availability 13% | Lack of maturity of cloud service models 13% | Dissatisfaction with cloud service offerings/performance/pricing 11% | Lack of support by cloud provider 10% | Other 4%
For the third year in a row, training and certifying IT staff (51%) ranks as the primary tactic organizations deploy to ensure that their evolving security needs are met. Forty-five percent of respondents rely on their cloud provider’s native security tools, and 30% partner with a managed security services provider to fill any gaps in capabilities.
PATHS TO STRONGER CLOUD SECURITY
When moving to the cloud, how do you handle your changing security needs?
Train and certify existing IT staff 51%
Use native cloud provider security tools (e.g., Azure Security Center, AWS Security Hub, Google Cloud Command Center) 45%
Partner with a managed security services provider (MSSP) 30%
Deploy security software from independent software vendors 29%
Hire staff dedicated to cloud security 27%
Organizations are focusing on malware defense (25%), reaching regulatory compliance (20%), and securing major cloud apps (15%) as their number one cloud security priorities this year.
CLOUD SECURITY PRIORITIES
What are your cloud security priorities for your company this year?
Defending against malware 25%
Reaching regulatory compliance 20%
Securing major cloud apps already in use 15%
Discovering unsanctioned cloud apps in use 11%
Securing mobile devices 10%
Preventing cloud misconfigurations 9%
Securing less popular cloud apps already in use 7%
Securing BYOD (bring your own device) 4%
DEVOPS TOOLCHAIN INTEGRATION
Do you integrate your DevOps toolchain into your cloud deployments?
YES 57% | NO 43%
More organizations are adopting DevOps for faster software development and delivery while improving application quality and security. A DevOps toolchain is the integration of a set of software development tools used to support development, operations, and delivery tasks.
We asked IT professionals whether they integrate their DevOps toolchain into their cloud deployments. Of all respondents, 57% said yes and 43% said no.
SECURITY TRAINING PROGRAM
How effective is your current security training program?
Very effective 24%
Somewhat effective 39%
Neither effective or ineffective 20%
Somewhat ineffective 12%
Very ineffective 5%
A majority of organizations (63%) consider their current security training programs to be very effective (24%) or somewhat effective (39%).
When it comes to prioritizing security training topics, the participants in our survey selected cloud-enabled cybersecurity (49%), followed by application security (41%) and incident response (34%).
TRAINING FOCUS
Which of the following topic areas would you find most valuable for ongoing training and education to be successful in your current role?
Cloud-enabled cybersecurity 49%
Application security 41%
Incident response 34%
DevOps, Mobile security, Regulatory compliance, Internet of Things (IoT): 33%, 32%, 31%, 27% (label pairing not preserved)
Soft skills (leadership, effective teamwork, communicating to persuade/educate) 26% | Risk-based frameworks 25% | Open source vulnerabilities 25% | Digital forensics 24% | Identifying social engineering/phishing 22% | PII 18% | Not sure/other 4%
The Synopsys Difference
Synopsys helps development teams build secure, high-quality software,
minimizing risks while maximizing speed and productivity. Synopsys, a
recognized leader in application security, provides static analysis, software
composition analysis, and dynamic analysis solutions that enable teams to
quickly find and fix vulnerabilities and defects in proprietary code, open source
components, and application behavior. If you are developing a cloud-native
application or migrating an existing application to the cloud, Synopsys can help
you increase innovation, reliability, and efficiency without sacrificing security.
We offer four services to meet your evolving needs:
1) Cloud Security Maturity Action Plan (MAP)
2) Cloud Architectural Risk Analysis
3) Cloud Configuration Review
4) Cloud Security Training
For more information, go to www.synopsys.com/software