An assessment of the complex cloud security risks and challenges that organizations face in 2022.
Part One
Cloud customers suffered a range of major security events within the past year, with data breaches, data leaks, and intrusions into their environment among the most serious. In addition, 25% worry that they’ve suffered a cloud data breach and aren’t aware of it. These incidents can carry a high cost, including fines for failed audits and compliance violations, cryptomining on the customer’s cloud bill, and loss of business due to system downtime resulting from misconfiguration and remediation errors.
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
Cloud data breach
Cloud data leak
Environment intrusion
Cryptomining
Serious compliance violation
Failed audit
System downtime
Cloud data breach
Cloud data leak
Environment intrusion
Cryptomining
Serious compliance violation
Failed audit
System downtime
Cloud customers representing all organizations of all sizes and industry sectors were impacted by major cloud security events. Fast-growing startups fared the worst with 89% impacted, with public sector entities (i.e. government agencies and not-for-profit organizations) not far behind. Enterprise companies did better — perhaps the result of more cloud security investment and a bigger focus on infrastructure as code security. Small and mid-sized businesses reported faring the best, which might be due to smaller cloud scale, less infrastructure complexity, and fewer changes made to their environment — or due to lack of awareness of cloud security incidents that did occur.
All Organizations
Enterprises
Startups
Public sector
SMBs
0%
20%
40%
60%
80%
100%
A clear majority of cloud security and engineering professionals believe that the risk of a cloud data breach at their organization will increase over the next year, with only 20% expecting risks to decrease. Security professionals are more pessimistic than cloud engineers, with 66% believing cloud risks will increase, as opposed to 55% of engineers. Roughly the same percentage of security and engineering professionals feel that risks will stay the same over the next year.
Engineer responses
Security responses
Decrease
Increase
Stay the same
0%
20%
40%
60%
80%
Part Two
Inefficient cloud security processes can be the rate-limiting factor for how fast teams can go in the cloud — and how productive they can be. Respondents identified significant demands on cloud engineers as the top impact of poor cloud security processes. Cloud runtime misconfiguration incidents can demand significant security team resources: identifying, prioritizing, and routing misconfigurations to engineering teams is time-consuming. Long security and review processes can delay application and feature deployments, and time spent on manual security work and approvals can make it more difficult to hire and retain engineering talent.
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
Application deployment delays
Significant cloud engineering demands
Significant security team demands
Challenges in hiring + retaining engineers
Application deployment delays
Significant cloud engineering demands
Significant security team demands
Challenges in hiring + retaining engineers
Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging. Insufficient tooling that produces false positives leads to alert fatigue within security teams, which itself contributes to human error when identifying critical issues that need to be addressed quickly. Issues with inconsistent policy interpretations and a lack of education may indicate the need for policy-as-code based tooling.
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
Alert fatigue / false positives
Poor visibility into environment
Addressing issues pre-deployment
Insufficient securiy funding
Not enough education and training
Poor collaboration between teams
Inconsistent policy interpretations
Human error (identifying + remediating issues)
Use of different tools and frameworks across teams
Alert fatigue / false positives
Poor visibility into environment
Addressing issues pre-deployment
Insufficient securiy funding
Not enough education and training
Poor collaboration between teams
Inconsistent policy interpretations
Human error (identifying + remediating issues)
Use of different tools and frameworks across teams
The adoption of cloud-native services and architectures, such as container-based and “serverless” (i.e Functions as a Service), raises new security considerations and requirements. A cloud native approach can improve developer speed and agility, but 41% of respondents cited it as a major impact on their cloud security effort because it creates more complexity. To eliminate security issues pre-deployment, teams have to add specific expertise related to cloud native security, set up additional training and education, and shift left on cloud security. Only one fifth of respondents have managed to avoid a significant security impact due to cloud native adoption.
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
Increased security complexity
Additional security expertise needed
New training + education needed
New securing tooling needed
New methodologies needed (i.e. “Shift Left”; DevSecOps)
Increased security complexity
Additional security expertise needed
New training + education needed
New securing tooling needed
New methodologies needed (i.e. “Shift Left”; DevSecOps)
Part Three
The responsibility of cloud security consistently falls to IT in roughly half of organizations. Responses differ, however, depending on who you ask. 42% of cloud engineers say that their team is primarily responsible for cloud security, while only 19% of security professionals believe that to be the case. This may be explained by the increased adoption of infrastructure as code for deploying and managing cloud environments and the desire to find and fix issues in development rather than post-deployment, when remediations require more time and resources.
Engineer response
Security response
Cloud engineering team
Dedicated cloud security team
Central security team / Infosec
IT
0%
20%
40%
60%
80%
“(Cloud security) highlights the importance of having responsibilities well-understood but at the same time well-defined, in order to not have confusion when the company is working towards a common goal of keeping the company’s cloud environments safe from hackers.” ~ Ashish Rajan, Snyk Principal Cloud Security Advocate, on the Cloud Security Podcast
While the motivation to improve cloud security efforts is primarily driven by the desire to keep cloud environments secure, there are a number of other desired outcomes, including the ability to better demonstrate that cloud security is an organizational priority. Inefficient cloud security processes can be a significant drag on team productivity, and security professionals cite a desire to improve their own productivity as their top motivation. Among all respondents, cloud engineering productivity ranked just behind keeping their environment secure.
Engineer response
Security response
6
5
4
3
2
1
0
0
1
2
3
4
5
6
Keep our environment secure
Demonstrate cloud security
Security team productivity
Cloud engineering productivity
Faster app + feature delivery
Every organization is pursuing a number of cloud security objectives, but priorities differ considerably depending on the organization type. Enterprises are focused on preventing cloud misconfiguration pre-deployment, while minimizing reviews and approvals ranks lowest for them. Small and mid-sized businesses, however, are very interested in speeding up approval times, while pre-deployment security ranks lowest for them. Public sector organizations are focused on designing secure environments and bringing existing ones into compliance, while startups are equally focused on getting better security visibility and streamlining security processes.
Organization type:
Enterprise
Startup
Public Sector
SMB
7
6
5
4
3
2
1
0
0
1
2
3
4
5
6
7
Gaining better security visibility
Bringing environment into compliance
Streamlining cloud security process
Preventing issues pre-deployment
Designing secure environments
Minimizing review + approval times
"Cloud engineers are taking more ownership of cloud security, and our research shows why. Shifting cloud security left helps them keep their infrastructure as code secure pre-deployment, improving security and saving them and the security team from wasting time running down and remediating misconfigurations. Everyone gets to move faster and more securely."
Guy Podjarny
Founder, Snyk
Part Four
Organizations and teams each have their own cloud security objectives and motivations for improving their effort, and success delivers real results across the board. 49% of respondents said that cloud security improvements resulted in faster application and feature deployments, and 48% said their security team is able to do more with the resources they have. 44% said that security improvements have led to better collaboration between teams, and 41% said it’s now easier to attract and retain cloud engineering talent. When cloud security improvements result in fewer misconfiguration issues to remediate, engineering teams can reinvest their time in building value, and 40% said they’ve been able to do so.
Misconfiguration Reduction
Engineering Productivity
Faster Deployments
30%
25%
20%
15%
10%
5%
0%
0%
5%
10%
15%
20%
25%
30%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Traditional security practices don’t fully cover the cloud. Read about the five fundamentals of cloud security and help your team get security right.
A significant factor in improving cloud security efforts is infrastructure as code (IaC) security done pre-deployment, during development and CI/CD. The adoption of IaC means there’s a software development life cycle for cloud infrastructure — and the opportunity to shift left on cloud security. The median reduction in cloud misconfiguration resulting from IaC is 70%. Nearly a quarter of respondents claimed productivity improved by 80% for engineers responsible for cloud security tasks such as remediations. And 70% was the median increase in deployment speed due to IaC security checks, which largely results in automated approvals and less rework required.
Enterprise
Startup
SMB
Public Sector
80%
60%
40%
20%
0%
0%
20%
40%
60%
80%
Faster app and feature deployments
Re-invest cloud engineering resources
Security team is able to do more
Improved collaboration between teams
Easier to attract and retain engineering talent
The adoption rate of IaC is not distributed evenly, with enterprises out in front in leveraging the technology — and the ability to get security right pre-deployment. This may be because enterprises focus more on planning, and are increasingly making IaC a requirement for cloud deployments due to its speed and efficiency benefits. This may also explain why preventing security issues pre-deployment is the top enterprise cloud security objective. On the other hand, startups tend to build fast and experiment, and this may result in a failure to use IaC from the beginning. Public sector organizations lag all other categories when it comes to adopting IaC.
dataset
Enterprises
Startups
Public Sector
SMB
0%
20%
40%
60%
80%
"Control plane compromise plays a leading role in every major cloud breach we see, and the best way to prevent these attacks is by designing cloud environments to be inherently secure against them. Engineering and security teams alike are prioritizing secure cloud design — and empowering engineers to design securely when developing infrastructure as code."
Josh Stella
Part Five
Know your environment
Maintain awareness of every resource running in your cloud environment, how they’re configured, and how they relate to each other. Know the applications associated with your cloud infrastructure, and understand the data involved and how it’s used. Maintain visibility over the software development lifecycle (SDLC) for your cloud infrastructure, including any infrastructure as code in development and any CI/CD pipelines used.
Empower cloud developers to build and operate securely
As infrastructure as code adoption goes mainstream, cloud engineers need tools to get security right in design and development phases of the SDLC. When engineers can develop secure infrastructure as code, they can catch and correct issues early, avoid time-consuming remediations and rework later, and deliver secure infrastructure faster. Build security guardrails into CI/CD pipelines to ensure that misconfiguration vulnerabilities aren’t deployed to running environments.
Align and automate with policy as code (PaC)
When security policies are expressed solely in human language and exist in PDF documents, they might as well not exist at all. PaC allows for rules to be expressed in a language that other tools and applications can use to validate the correctness of code and configurations. PaC eliminates differences in interpretation, implementation, and enforcement, and it makes it possible for cloud security teams to scale their effort without having to scale up headcount.
Measure what matters and operationalize cloud security
Cloud security is about operational discipline and getting the right processes in place. Successful security teams identify what matters the most, be it reducing the rate of misconfiguration, speeding up approval processes, or re-allocating resources to higher-value work. They establish their baselines, set goals, and then work diligently toward achieving them. And they’re able to demonstrate the security posture of their environment—and their progress—at any time.
This report is based on a survey of more than 400 cloud engineering and security practitioners and leaders across various organization types and industries. The survey was conducted in the second quarter of 2022 by Propeller Insights.
Read Snyk’s full report on the state of cloud security in 2022 for a deeper dive into the risks native to cloud infrastructure, and how to help developers mitigate them quickly and effectively.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.
Product
Resources
Company
