Cloud computing has created a bigger shift in the IT industry during the last 20 years than any other factor. With cloud technology, companies can build, deploy, and scale their applications faster than ever. But as cloud computing becomes more widespread, new security challenges have emerged. Between the complexity of cloud infrastructure and the expansion of cloud-based services, attackers have access to a bigger attack surface than they did even a few years ago.
Snyk recently conducted research to take a closer look at the impact cloud security has on organisations and the challenges teams face as they try to secure cloud infrastructure while still deploying at scale. The findings from this research are summarised in the 2022 Snyk State of Cloud Security Report.
The report is based on a survey by Propeller Insights, asking for input from more than 400 cloud engineering and security practitioners and leaders across various organisation types and industries. In the resulting report, Snyk’s cloud security researchers combined their analysis of the survey data with observations from their own experience.
The report discusses the complex security risks resulting from the rapid adoption of cloud technology. It also examines how security professionals and cloud security engineers face the challenge of securing cloud applications and infrastructure while still deploying quickly.
Cloud security events are widespread
Some of the most interesting statistics from the report include the following:
- 80% of organisations have experienced at least one severe cloud security incident in the past year (such as data breaches, data leaks, and intrusions into their environment).
- 41% of respondents say cloud native services increase complexity, further complicating their security efforts.
- Nearly half (49%) of organisations find deployment is faster as a result of improved cloud security.
Organisations of varying sizes and industries reported being impacted by major cloud security events over the last 12 months, with startups (89%) and public sector organisations (88%) the most affected. Enterprise companies did better (most likely due to greater investment in cloud infrastructure), while small and mid-sized businesses reported faring the best (probably as a result of a smaller cloud footprint and less infrastructure complexity).
Teams need clear security goals
Another key observation from the survey is that many teams lack clarity around who is responsible for cloud security at their organisation. Of survey respondents, 42% of cloud engineers say that their team is responsible for cloud security, but only 19% of security professionals believe that to be the case.
Securing cloud resources requires coordinated effort and awareness across teams, a practice that many organisations have not yet adopted. Cloud security responsibilities need to be not only well understood but also well defined. This helps companies maintain clarity when working towards the common goal of keeping their cloud environments safe from attacks.
Training teams on security, learning infrastructure as code
77% of organisations surveyed feel that many of today’s cloud security failures result from a lack of effective cross-team collaboration and training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging. Moreover, insufficient tooling that produces false positives can lead to alert fatigue on security teams, contributing to human error when critical issues need to be identified and addressed.
Survey data also shows that 55% of organisations are leveraging infrastructure as code (IaC) to get security right pre-deployment. Using IaC ensures a software development life cycle for cloud infrastructure — and the opportunity to shift left on cloud security.
Not only does infrastructure as code help teams operate more efficiently and consistently at scale, it also presents a great opportunity to shift left on cloud security before applications are deployed. The median reduction in cloud misconfiguration resulting from IaC is 70%.
By securing IaC with automated checks that use policy as code, cloud engineering teams can create development and testing environments that mirror production and all of its security controls.
Looking toward the future
Every day, more organisations leverage the cloud to develop and run their applications. In doing so, they are adopting more cloud native architectures, such as container-based and serverless environments. Developers and engineers working with cloud infrastructure are constantly building, iterating, and deploying. They rewrite code and make configuration changes often.
But many changes that occur during the software development lifecycle can open up a project to the risk of attack. Knowing the risks inherent to cloud infrastructure, and empowering teams with tools and policies to protect them from those risks, delivers measurable results.
Over time, as cloud computing continues to gain popularity, cloud security will only become more critical for any organisation in the digital landscape. A developer-first approach to cloud security helps organisations innovate faster and more securely, with benefits that extend far beyond just fixing vulnerabilities.