Not Just Another State of [Cloud-Native Security] Report

May 30, 2024
7 minutes
... views

If you’re like me, you might be getting a tad exhausted keeping up with the many flavors of “The State of” reports. And I’m only talking about the ones within cybersecurity — everything from SBOMs to open source to our very own Cloud-Native Security Report 2024.

Nevertheless, each report is filled with intrigue and takeaways that take the temperature of the ecosystem within which their investigation lies. Ours is no different. If you’re one of the many organizations with cloud investments surging — possibly investing more than $10 million annually in cloud services — this report is, in the least, filled with reassurances that you are not alone.

First, let’s address the boring but necessary credibility details.

The State of Cloud-Native Security Report 2024 presents survey data from over 2,800 respondents across 10 countries, from enterprise to small and medium organizations — with a fair mix of executive leadership and practitioner roles across development, IT, and security functions. Toilets are down the hall to the left and, in the event of a fire, please gather in parking lot E. All good? Time to move into the good stuff.

Our Love/Hate Relationship with AI

Anyone who writes code of any kind has already tried a prompt like:

“I am working on a Terraform project where I need to provision an AWS EC2 instance with specific requirements: It should be of type ‘t2.micro’ within the ‘us-east-1’ region and include tags for ‘Name’ as ‘MyInstance’ and ‘Environment’ as ‘Development’. Could you provide me with the Terraform code snippet that defines this resource?”

(Stolen from this great article on The New Stack.)

And, of course, it does a pretty good job of creating something that just might work! It doesn’t end there. The ability to generate code is developer candy rocket fuel directly feeding into how we incentivize them to behave. Time is a factor as is time to market for new competitive features.

It’s not at all surprising that while 100% of respondents have embraced AI-assisted application development (and security), such as the various co-pilots that are available, many are concerned about the security risks associated with AI-generated code. AI, particularly public LLMs, is a garbage-in-garbage-out machine. With secure coding examples being few and far between in the public domain, the industry has an obvious concern that developers might fall back on AI, inadvertently introducing more insecure defaults than might otherwise have eluded their code.

Despite recognized risks, this unanimous adoption suggests that (additional) oversight may be needed to balance an even faster pace of innovation and security.

Our relationship with AI doesn’t end here. Following last year's rise in attacks on the cloud-native ecosystem, nearly half of security professional respondents anticipate a rise in AI-driven supply chain attacks and just as many predict attacks will evade traditional detection techniques.

Organizations recognize the cognitive dissonance that AI brings as an enabler of innovation and a potential vector for attacks, underscoring the need to balance the pursuit of AI benefits with rigorous security measures.

Where’s My Data?

Possible but unconfirmed if assisted by AI, data breaches were reported to be on the rise. Up over 60%, respondent organizations reported a substantial increase. In fact, 45% of organizations reported an increase in advanced persistent threats (APTs) and stealthy attacks that can go undetected for long periods. It’s not just proactive monitoring and advanced threat detection and response, which is required, it’s the critical need for robust data security measures in cloud environments.

Data is the crown jewels! While denial of service attacks (ransomware included) are still a real threat, it’s the data we harbor within our cloud-native walls that’s the target of many an attacker's efforts.

The walls have been built even higher — there be dragons at the door — and we have doubled the guards, bringing even more sophisticated observability throughout our castle. Yet, many organizations don’t actually know where the gold is.

It may seem hard to believe, but 50% of organizations still rely on manual reviews to identify and classify sensitive data in the cloud. There is a clear need for modernized solutions, especially when we consider that in addition to the data we know about from managed services, there are unmanaged data solutions and shadow data lurking within our cloudscape. A simple containerized database caching personally identifiable information (PII) lurking within a Kubernetes cluster requires discovery and classification, something that only automation can tackle to detect and secure our unknown unknowns,

Included in our known unknowns is the eyes-wide-open adoption of AI for internal solutions. We know this presents new and exciting challenges in data security — ensuring controlled access to the data that trains and represents our models and services, for instance. And this is in addition to building and monitoring inventories of AI-assisted applications deployed.

We’re not just talking about customer data/gold either. While only 38% of organizations reported difficulties with secrets management, a larger 43% said they experienced an increase in secrets exposure over the past year.

Solve It with Tools!

If you’ve never been a part of the CISO Series “Super Cyber Friday” events, I wholeheartedly recommend it. They are highly interactive and very fun interviews with cybersecurity gurus. Specifically, they have a “BAD IDEA” segment in which listeners can submit the worst solution for a given problem. “Solve it with tools” would be an ironic quality response for such a segment.

Organizations surveyed use an average of 16 cloud security tools, and yet 90% of respondents say the sprawling number of point tools used creates security blind spots. This reality is affecting their ability to prioritize risk and prevent threats damaging security effectiveness.

But the irony doesn’t end there. Almost all security professional respondents agreed that their organization needs a solution that automatically identifies vulnerabilities and misconfigurations with the highest potential for a successful attack AND provides immediate remediation steps. It sounds like they might need a CNAPP.

Let’s Talk About Threats, Baby! Let’s Talk About You and Me!

When exactly will DevSecOps happen? I have a crisp $100 on December 2037. The “better together” story has yet to play out between SecOps and DevOps teams, as over 80% of DevOps still see security as a gating factor. The reality is, gating is security’s job. They’re supposed to be a gating factor. It’s a necessary evil. The problems with gating are more likely the methods of integrating security into the developer environment — and, to an extent, the developer mind — aren’t as streamlined as they should be.

Empathy is in short supply on both sides of the struggle. Over 90% of security teams think developers should just produce secure code. Problem solved! The successful factor, in reality, is somewhere in between. It’ll be fascinating to learn whether AI will be the great DevSecOps emulsifier or if it will exacerbate the problems as it enables incredible improvements in development velocity.

The Path Forward

As organizations navigate the complexities of cloud-native security, the report offers valuable recommendations to fortify their security postures:

  • Prioritize security from the onset of cloud migration initiatives, embedding it into the overall strategy to avoid vulnerabilities, data breaches, and noncompliance penalties.
  • Thoroughly research tools and vendors, evaluating options that best fit organizational needs, budgets, and strategic goals, given the complexity and diversity of the cloud services market.
  • Foster collaboration between development and security teams, aligning priorities and streamlining processes to mitigate conflicts and ensure efficient, secure application deployments.
  • The sprawl of resources and data within cloud native applications is real. Moving from manual to modern is an essential path for organizations of all sizes.
  • As the cloud continues to reshape the digital landscape, organizations must remain vigilant and proactive in their security strategies. By embracing innovation while fortifying their defenses, organizations can navigate the complexities of the cloud-native era and unlock its full potential for growth and transformation.

Learn More

Don’t miss this not-just-another State of Cloud-Native Security Report 2024. Download your copy today.





Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.