The only given in cloud is that technology and services are evolving at a rapid pace. Organizations are embracing a wide diversity in technologies, but securing this complexity can be challenging. Current approaches are not sustainable. Leaders need to envision a different future for cloud security.
This is what we have learned as we launch the results from our first annual State of Cloud Native Security Report. Conducted by Palo Alto Networks and sponsored by Accenture Security, it is the largest and most globally expansive market research dataset on cloud native security to date.
Let's unravel the cloud native security genome as it stands today.
Cloud Is Multi-Everything and Will Stay That Way
When it comes to cloud, no one size fits all. Organizations are designing their cloud environments to be multi- and hybrid-cloud, to support multiple architectures, and to comply with multiple regulatory jurisdictions.
Organizations have opted for hybrid environments.
Most organizations (57%) have a fairly even mix – with a 60/40 split either way between public and private. But on average, 52% of workloads are hosted on public cloud servers and 48% on private.
Multi-cloud is clearly the standard operating model.
Using more than one type of cloud platform is the standard – 94% of all organizations use more than one type of cloud platform. A majority – 60% – use between two and five.
Within those environments, workloads run on multiple compute options.
Almost all respondents, 93%, reported using multiple compute architectures simultaneously. Respondents primarily rely on modern, cloud native architectures: platform-as-a-service, containers or containers-as-a-service account for 67% of all workloads. But virtual machines, often representing the lift-and-shift of monolithic applications to the cloud, still constitute the single largest compute category, accounting for 30% of workloads.
Change is the only constant.
Eighty percent of the respondents say their company’s cloud is constantly evolving. This is not surprising since the workloads that move to the cloud tend to be the most dynamic; cloud architectures are designed to be elastic and ephemeral; cloud technologies are still rapidly evolving; and the regulatory environments that govern cloud operations are still fluid.
Enterprises have geared for multiple regulatory jurisdictions.
The need to comply with local laws is directly influencing companies’ cloud environments. For example, a large professional services firm might operate on a private cloud in Pakistan, likely a sub-scale operation, to comply with the banking regulations in that country. Organizations are actively designing their clouds so they are not caught flat-footed as they expand into new countries or as the countries they currently operate in create new regulations.
The Current State of Cloud Security Is Unsustainable
Security is among the top three stated reasons slowing down the shift to the cloud. Technical complexity and compliance being the other two. Security was listed as the top challenge in moving to the cloud for 39% percent of the respondents.
In spite of security being so critical to the digital transformation journey of an organization, only 18% of organizations are well prepared to deal with the security needs of the cloud by our measures. Unless cloud security practices become more efficient, digital transformation efforts will never reach their desired end-states.
Security threats are only increasing and becoming more complex.
Threats are outpacing cloud security tools and solutions for 75% of our respondents. The cloud can’t be made secure by addressing any single threat. Organizations are aware they need to focus on multiple threat vectors. Not surprisingly, our survey respondents ranked eight different threats nearly equally when asked to pick the top three. This includes threats across data, identity, access privileges, applications, APIs and configurations.
Organizations have one too many tools.
A majority of respondents – 57% – use more than five cloud security tools to manage their cloud environments. Sixty-five percent of the organizations use security tools provided by the cloud service provider, but 73% of companies struggle to clearly delineate between their CSP's security responsibilities and their own. This likely results in duplication and overlap in the tools customers rely on, since the vast majority of these organizations also use open-source or commercial third-party tools.
Cloud security team structures are still in transition.
The good news is that 77% of companies have invested in specialized cloud security teams. Just as most companies are going through an evolution in their approach to DevOps, moving from batch to continuous releases, in the same way, companies are going through an evolution in how they approach cloud security. Almost half of respondents (47%) have both a centralized cloud security team and security experts embedded in delivery teams. Nearly a third have only centralized teams, and 22% have completely decentralized structures.
Security spend is already high and growing disproportionately with cloud spend.
Two-thirds of surveyed organizations invested more than 10% of their 2019 cloud budget in securing their cloud estates. The spend on cloud security seems to grow with cloud spend. Of companies that spend more than $100 million on cloud, 34% reported that 16% of their cloud spend goes to security. This is clearly not sustainable. Security tends to be only 5–10% of the IT spend in traditional data center environments. In the cloud, we should be targeting a sub-5% spend, given that CSPs like AWS, Azure and Google Cloud take care of the infrastructure security of their stacks.
CISOs Need to Think About Cloud Security Differently
For successful security operations, leaders must take a different approach than the status quo suggested by our data. Below are five main takeaways based on practices common to companies with the highest security preparedness rankings. Details on how rankings were developed are available in the survey.
1. Every company in the cloud is in the software business.
Cloud native app development requires faster delivery methods like DevOps, and those practices must be supported by automation to remain secure.
2. Cloud security is a partnership between security and DevOps teams.
In order to secure cloud native applications and cloud environments, security needs to be addressed before deployment. Investments should prioritize tools that can integrate with existing development tools and that quickly pass feedback to the development teams to address security issues before deployment.
3. The cloud is complex. Managing it requires simplicity.
Build toward managing the diversity by streamlining. At highly prepared companies with 11 or more security tools, 52% of employees said a high number of tools made it more difficult to prioritize risks and prevent threats. Then consider that a little over half of companies investing more than $100 million in cloud use just five or fewer cloud security tools.
4. Embed security across the application lifecycle.
Almost half of highly prepared companies (45%) have embedded security into DevOps workflows. The results – more security control and more secure code – speak for themselves, and show that organizations can speed up their response rate to events with shift-left security.
5. Build toward a consolidated platform early and avoid tool sprawl.
Not every cloud platform, process or computing model needs its own tool. There is an increasing industry trend to consolidate security functions into single platforms. At organizations with the highest level of security preparedness, 51% said that using a single, comprehensive cloud native security solution would improve their security posture.
Additional Insights into the Cloud Native Security Genome
In today's world of rapidly evolving cloud environments, CISOs and IT leaders need as much insight as possible to envision new ways to manage cloud security. The Palo Alto Networks 2020 State of Cloud Native Security Report is a great starting point for those new ways of thinking.
I am interested to know if these stats align with your experiences with cloud security. Please feel free to share your views on Linkedin or ping me directly.