A full 80% of 400 cloud engineering and security practitioners and leaders surveyed by market research firm Propeller Insights on behalf of Snyk experienced at least one major cloud security incident in the past year. The most common experiences were misconfigurations (34%) followed closely by an actual data breach (33%), an intrusion (27%) and a cloud data leak (26%).
More troubling still, well over half (58%) said they believed the risk of a cloud data breach at their organization would only increase over the next year. A quarter (25%) worried they’ve recently suffered a cloud data breach that they are unaware has occurred.
Nearly half (45%) cited demand for engineering resources as the biggest impact of inefficient cloud security.
Additionally, more than three quarters (77%) cited problems with poor training and collaboration as a major challenge.
Josh Stella, vice president and chief architect for Snyk, said it’s clear that as the number of workloads being deployed in the cloud steadily increases, more organizations are struggling to keep pace with security requirements. In fact, cloud security may soon become even more challenging as the next generation of cloud-native applications are deployed, he added. A full 41% of respondents said cloud-native services increase complexity, the survey found.
The long-term hope is that as more responsibility for security is shifted left toward application developers, there will be a general improvement in the security of cloud computing environments. The issue that organizations are struggling with today is that most cloud computing infrastructure is programmatically provisioned by developers that have little to no cybersecurity expertise. It’s easy for developers, as a consequence, to make mistakes.
Stella said the only way to address that issue is to embed more guardrails within the application development process to ensure those mistakes are not made. The goal should be to enable developers to deploy secure cloud applications without having to materially slow down the rate at which those applications are built, he said.
In fact, the survey found that nearly half (49%) of organizations found deployment is faster as a result of improved cloud security. That’s because developers are not being required to fix as many issues. Reliance on infrastructure-as-code (IaC) tools that have guardrails in place can deliver a 70% median reduction in cloud misconfigurations, the survey found.
Of course, the fewer cloud security issues there are the more time cybersecurity teams will have to focus on other issues. Nearly half the respondents (48%) said their security team can do more with the resources they have when cloud security is improved. A total of 44% said that security improvements have led to better collaboration among teams.
Collaboration is, naturally, critical. The trouble is, no one is quite sure who is in charge of cloud security. The survey found that cloud security responsibility falls to IT in roughly half of organizations. However, 42% of cloud engineers said that their team is primarily responsible for cloud security, while only 19% of security professionals believe that to be the case.
Regardless of who is ultimately accountable, the simple truth is that a decade or more after the rise of cloud computing, security is still a mess.