2019 CLOUD SECURITY REPORT
Cybersecurity Insiders


All Rights Reserved. Copyright 2019 Cybersecurity Insiders.

INTRODUCTION

Organizations continue to adopt cloud computing at a rapid pace to benefit from the promise of increased efficiency, better scalability, and improved agility.

While cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to expand security services to protect their evolving cloud platforms, it is ultimately the customers’ responsibility to secure their applications and data within these cloud environments.

The 2019 Cloud Security Report highlights what is and what is not working for security operations teams in securing their cloud data, systems, and services in this shared responsibility model. The results are a continuation of past challenges:

• The top cloud security concern of cybersecurity professionals is data loss and leakage (64%).
• The biggest barriers to cloud adoption are data security, loss, and leakage risk (29%) and general security risks (28%).
• Forty-three percent say monitoring for new vulnerabilities in cloud services is the most challenging part of the cloud compliance process.

Overall, the findings in this report emphasize that to protect their evolving IT environments, security teams must reassess their security posture and strategies and address the shortcomings of legacy security tools and approaches.

This 2019 Cloud Security Report has been produced by Cybersecurity Insiders, the 400,000 member information security community, to explore how organizations are responding to the evolving security threats in the cloud.

Many thanks to Synopsys for supporting this important research project.

We hope you’ll find this report informative and helpful as you continue your efforts in securing your cloud environments.

Thank you,

Holger Schulze
CEO and Founder
Cybersecurity Insiders


METHODOLOGY & DEMOGRAPHICS

This Cloud Security Report is based on the results of a comprehensive online survey of cybersecurity professionals conducted in March 2019 to gain deep insight into the latest trends, key challenges, and solutions in cloud security. The respondents range from technical executives to IT security practitioners and represent a balanced cross-section of organizations of varying sizes across multiple industries.

CAREER LEVEL

Manager/Supervisor 28% | Director 17% | Specialist 11% | Consultant 10% | Owner/CEO/President 8% | CTO, CIO, CISO, CMO, CFO, COO 8% | Project Manager 5% | Other 13%

DEPARTMENT

IT Security 35% | IT Operations 33% | Engineering 6% | DevOps 5% | Product Management 3% | Compliance 3% | Other 15%

COMPANY SIZE

Fewer than 10 8% | 10-99 10% | 100-499 19% | 500-999 22% | 1,000-4,999 10% | 5,000-10,000 20% | Over 10,000 11%


SECURITY IN PUBLIC CLOUDS

While adoption of public clouds continues to surge, security concerns show no signs of abating. An overwhelming majority of cybersecurity professionals (93%) say they are at least moderately concerned about public cloud security, a small increase from last year.

How concerned are you about the security of public clouds?

93%: Organizations are moderately to extremely concerned about cloud security

[Chart: five-point scale (Not at all concerned, Slightly concerned, Moderately concerned, Very concerned, Extremely concerned); values shown: 38%, 37%, 18%, 3%, 4%]


CLOUD SECURITY CONFIDENCE

Most organizations are at least moderately confident in their cloud security posture (84%) – perhaps reflecting a level of overconfidence not supported by the security incidents and challenges presented in this report.

How confident are you in your organization’s cloud security posture?

37%: Only about 1/3 are very confident or extremely confident in their organization's cloud security posture.

[Chart: five-point scale (Not at all confident, Slightly confident, Moderately confident, Very confident, Extremely confident); values shown: 7%, 11%, 26%, 47%, 9%]


CLOUD SECURITY CONCERNS

Although cloud providers offer increasingly robust security measures, customers are ultimately responsible for securing their workloads in the cloud. The top cloud security challenges highlighted in our survey are related to data loss (64%) and data privacy (62%). These are followed by compliance concerns (39%) and concerns about accidental exposure of credentials (39%).

What are your biggest cloud security concerns?

Data loss/leakage 64% | Data privacy/confidentiality 62% | Legal and regulatory compliance 39% | Accidental exposure of credentials 39% | Data sovereignty/residency/control 35% | Incident response 29%

Fraud (e.g., theft of SSN records) 28% | Visibility and transparency 28% | Lack of forensic data 27% | Disaster recovery 25% | Availability of services, systems, and data 25% | Liability 24% | Performance 23% | Business continuity 23% | Having to adopt new security tools 19% | Not sure/other 8%


OPERATIONAL SECURITY HEADACHES

As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place.

What are your biggest operational, day-to-day headaches caused by trying to protect cloud workloads?

Compliance 34% | Visibility into infrastructure security 33% | Setting consistent security policies 31% | Lack of qualified staff 31% | Lack of integration with on-premises security technologies 29% | Security can’t keep up with the pace of changes to new/existing applications 29%

Securing traffic flows 24% | Can’t identify misconfigurations quickly 24% | Complex cloud-to-cloud/cloud-to-on-premises security rule matching 24% | Securing access from personal and mobile devices 23% | Reporting security threats 23% | Remediating threats 22% | Understanding network traffic patterns 21% | Justifying more security expenditure 21% | No automatic discovery/visibility/control of infrastructure security 19% | Automatically enforcing security across multiple datacenters 17% | Lack of feature parity with on-premises security solution 14% | No flexibility 8% | Not sure/other 10%


DATA PROTECTION IN THE CLOUD

With use of the cloud increasing every year, more data is stored in cloud environments. For the third year in a row, cybersecurity professionals say access controls (52%) are the primary method they use to protect data in the cloud, followed by encryption or tokenization (48%), the use of security services offered by the cloud provider (45%), deployment of cloud security monitoring tools (36%), and connecting to the cloud via protected networks (36%).

How do you protect data in the cloud?

We use access controls 52% | We use encryption or tokenization 48% | We use security services offered natively by the cloud provider 45% | We connect to the cloud via protected networks 36% | We deploy cloud security monitoring tools 36% | We deploy additional security services offered by third party vendors 25% | We don’t protect data in the cloud 6% | Not sure/other 10%


COMPLIANCE CHALLENGES

When it comes to compliance challenges, monitoring cloud services for new vulnerabilities stands out at 43%, followed by going through audits and risk assessments (40%) and monitoring for compliance (39%).

Which part of the cloud compliance process is the most challenging?

Monitoring for new vulnerabilities in cloud services that must be secured 43% | Going through audit/risk assessment within the cloud environment 40% | Monitoring for compliance with policies and procedures 39% | Staying up to date on new/changing compliance and regulatory requirements 35% | Data quality and integrity in regulatory reporting 34% | Scaling and automating compliance activities 26% | Applying/following the shared responsibility model 24% | Not sure/other 12%


CONTINUOUS COMPLIANCE

The vast majority of organizations (95%) that secure on-premises workloads consider it extremely important (46%), very important (38%), or somewhat important (11%) to maintain continuous compliance when migrating workloads to the cloud.

If you secure your workloads (VMs and container instances) on-premises, how important is maintaining continuous compliance when migrating them to the cloud?

Extremely important 46% | Very important 38% | Somewhat important 11% | Not so important 3% | Not at all important 2%


BARRIERS TO CLOUD ADOPTION

Despite all its benefits, cloud computing is not without challenges. Data security (29%) and general security risks (28%), combined with lack of budget (26%), compliance challenges (26%), and lack of qualified staff (26%), top the list of barriers to faster cloud adoption.

What are the biggest barriers to cloud adoption in your organization?

Data security, loss, and leakage risks 29% | General security risks 28% | Lack of budget 26% | Legal and regulatory compliance 26% | Lack of staff resources or expertise 26% | Integration with existing IT environment 24%

Loss of control 22% | Complexity of managing cloud deployment 20% | Fear of vendor lock-in 20% | Cost/lack of ROI 19% | Internal resistance and inertia 19% | Performance of apps in the cloud 16% | Lack of transparency and visibility 16% | Lack of customizability 16% | Billing and tracking issues 15% | Lack of management buy-in 13% | Availability 13% | Lack of maturity of cloud service models 13% | Dissatisfaction with cloud service offerings/performance/pricing 11% | Lack of support by cloud provider 10% | Other 4%


PATHS TO STRONGER CLOUD SECURITY

For the third year in a row, training and certifying IT staff (51%) ranks as the primary tactic organizations deploy to ensure that their evolving security needs are met. Forty-five percent of respondents rely on their cloud provider’s native security tools, and 30% partner with a managed security services provider to fill any gaps in capabilities.

When moving to the cloud, how do you handle your changing security needs?

Train and certify existing IT staff 51% | Use native cloud provider security tools (e.g., Azure Security Center, AWS Security Hub, Google Cloud Command Center) 45% | Partner with a managed security services provider (MSSP) 30% | Deploy security software from independent software vendors 29% | Hire staff dedicated to cloud security 27%


CLOUD SECURITY PRIORITIES

Organizations are focusing on malware defense (25%), reaching regulatory compliance (20%), and securing major cloud apps (15%) as their number one cloud security priorities this year.

What are your cloud security priorities for your company this year?

Defending against malware 25% | Reaching regulatory compliance 20% | Securing major cloud apps already in use 15% | Discovering unsanctioned cloud apps in use 11% | Securing mobile devices 10% | Preventing cloud misconfigurations 9% | Securing less popular cloud apps already in use 7% | Securing BYOD (bring your own device) 4%


DEVOPS TOOLCHAIN INTEGRATION

Do you integrate your DevOps toolchain into your cloud deployments?

YES 57% | NO 43%

More organizations are adopting DevOps for faster software development and delivery while improving application quality and security. A DevOps toolchain is the integration of a set of software development tools used to support development, operations, and delivery tasks.

We asked IT professionals whether they integrate their DevOps toolchain into their cloud deployments. Of all respondents, 57% said yes and 43% said no.


SECURITY TRAINING PROGRAM

How effective is your current security training program?

Very effective 24% | Somewhat effective 39% | Neither effective or ineffective 20% | Somewhat ineffective 12% | Very ineffective 5%

A majority of organizations (63%) consider their current security training programs to be very effective (24%) or somewhat effective (39%).


TRAINING FOCUS

When it comes to prioritizing security training topics, the participants in our survey selected cloud-enabled cybersecurity (49%), followed by application security (41%) and incident response (34%).

Which of the following topic areas would you find most valuable for ongoing training and education to be successful in your current role?

Cloud-enabled cybersecurity 49% | Application security 41% | Incident response 34%

[Chart also shows DevOps, Mobile security, Regulatory compliance, and Internet of Things (IoT); values shown: 33%, 32%, 31%, 27%]

Soft skills (leadership, effective teamwork, communicating to persuade/educate) 26% | Risk-based frameworks 25% | Open source vulnerabilities 25% | Digital forensics 24% | Identifying social engineering/phishing 22% | PII 18% | Not sure/other 4%


The Synopsys Difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. If you are developing a cloud-native application or migrating an existing application to the cloud, Synopsys can help you increase innovation, reliability, and efficiency without sacrificing security.

We offer four services to meet your evolving needs:

1) Cloud Security Maturity Action Plan (MAP)
2) Cloud Architectural Risk Analysis
3) Cloud Configuration Review
4) Cloud Security Training

For more information, go to www.synopsys.com/software