If you’re like me, you might be getting a tad exhausted keeping up with the many flavors of “The State of” reports. And I’m only talking about the ones within cybersecurity — everything from SBOMs to open source to our very own Cloud-Native Security Report 2024.
Nevertheless, each report is filled with intrigue and takeaways that take the temperature of the ecosystem within which their investigation lies. Ours is no different. If you’re one of the many organizations with cloud investments surging — possibly investing more than $10 million annually in cloud services — this report is, in the least, filled with reassurances that you are not alone.
First, let’s address the boring but necessary credibility details.
The State of Cloud-Native Security Report 2024 presents survey data from over 2,800 respondents across 10 countries, from enterprise to small and medium organizations — with a fair mix of executive leadership and practitioner roles across development, IT, and security functions. Toilets are down the hall to the left and, in the event of a fire, please gather in parking lot E. All good? Time to move into the good stuff.
Anyone who writes code of any kind has already tried a prompt like:
“I am working on a Terraform project where I need to provision an AWS EC2 instance with specific requirements: It should be of type ‘t2.micro’ within the ‘us-east-1’ region and include tags for ‘Name’ as ‘MyInstance’ and ‘Environment’ as ‘Development’. Could you provide me with the Terraform code snippet that defines this resource?”
(Stolen from this great article on The New Stack.)
And, of course, it does a pretty good job of creating something that just might work! It doesn’t end there. The ability to generate code is developer candy rocket fuel directly feeding into how we incentivize them to behave. Time is a factor as is time to market for new competitive features.
It’s not at all surprising that while 100% of respondents have embraced AI-assisted application development (and security), such as the various co-pilots that are available, many are concerned about the security risks associated with AI-generated code. AI, particularly public LLMs, is a garbage-in-garbage-out machine. With secure coding examples being few and far between in the public domain, the industry has an obvious concern that developers might fall back on AI, inadvertently introducing more insecure defaults than might otherwise have eluded their code.
Despite recognized risks, this unanimous adoption suggests that (additional) oversight may be needed to balance an even faster pace of innovation and security.
Our relationship with AI doesn’t end here. Following last year's rise in attacks on the cloud-native ecosystem, nearly half of security professional respondents anticipate a rise in AI-driven supply chain attacks and just as many predict attacks will evade traditional detection techniques.
Organizations recognize the cognitive dissonance that AI brings as an enabler of innovation and a potential vector for attacks, underscoring the need to balance the pursuit of AI benefits with rigorous security measures.
Possible but unconfirmed if assisted by AI, data breaches were reported to be on the rise. Up over 60%, respondent organizations reported a substantial increase. In fact, 45% of organizations reported an increase in advanced persistent threats (APTs) and stealthy attacks that can go undetected for long periods. It’s not just proactive monitoring and advanced threat detection and response, which is required, it’s the critical need for robust data security measures in cloud environments.
Data is the crown jewels! While denial of service attacks (ransomware included) are still a real threat, it’s the data we harbor within our cloud-native walls that’s the target of many an attacker's efforts.
The walls have been built even higher — there be dragons at the door — and we have doubled the guards, bringing even more sophisticated observability throughout our castle. Yet, many organizations don’t actually know where the gold is.
It may seem hard to believe, but 50% of organizations still rely on manual reviews to identify and classify sensitive data in the cloud. There is a clear need for modernized solutions, especially when we consider that in addition to the data we know about from managed services, there are unmanaged data solutions and shadow data lurking within our cloudscape. A simple containerized database caching personally identifiable information (PII) lurking within a Kubernetes cluster requires discovery and classification, something that only automation can tackle to detect and secure our unknown unknowns,
Included in our known unknowns is the eyes-wide-open adoption of AI for internal solutions. We know this presents new and exciting challenges in data security — ensuring controlled access to the data that trains and represents our models and services, for instance. And this is in addition to building and monitoring inventories of AI-assisted applications deployed.
We’re not just talking about customer data/gold either. While only 38% of organizations reported difficulties with secrets management, a larger 43% said they experienced an increase in secrets exposure over the past year.
If you’ve never been a part of the CISO Series “Super Cyber Friday” events, I wholeheartedly recommend it. They are highly interactive and very fun interviews with cybersecurity gurus. Specifically, they have a “BAD IDEA” segment in which listeners can submit the worst solution for a given problem. “Solve it with tools” would be an ironic quality response for such a segment.
Organizations surveyed use an average of 16 cloud security tools, and yet 90% of respondents say the sprawling number of point tools used creates security blind spots. This reality is affecting their ability to prioritize risk and prevent threats damaging security effectiveness.
But the irony doesn’t end there. Almost all security professional respondents agreed that their organization needs a solution that automatically identifies vulnerabilities and misconfigurations with the highest potential for a successful attack AND provides immediate remediation steps. It sounds like they might need a CNAPP.
When exactly will DevSecOps happen? I have a crisp $100 on December 2037. The “better together” story has yet to play out between SecOps and DevOps teams, as over 80% of DevOps still see security as a gating factor. The reality is, gating is security’s job. They’re supposed to be a gating factor. It’s a necessary evil. The problems with gating are more likely the methods of integrating security into the developer environment — and, to an extent, the developer mind — aren’t as streamlined as they should be.
Empathy is in short supply on both sides of the struggle. Over 90% of security teams think developers should just produce secure code. Problem solved! The successful factor, in reality, is somewhere in between. It’ll be fascinating to learn whether AI will be the great DevSecOps emulsifier or if it will exacerbate the problems as it enables incredible improvements in development velocity.
As organizations navigate the complexities of cloud-native security, the report offers valuable recommendations to fortify their security postures:
Don’t miss this not-just-another State of Cloud-Native Security Report 2024. Download your copy today.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.