Snyk Report

State of cloud security 2022

An assessment of the complex cloud security risks and challenges that organizations face in 2022.

Part One

Cloud security risk is universal — and growing

80% of organizations experienced a serious cloud security incident during the last year

Cloud customers suffered a range of major security events within the past year, with data breaches, data leaks, and intrusions into their environment among the most serious. In addition, 25% worry that they’ve suffered a cloud data breach and aren’t aware of it. These incidents can carry a high cost, including fines for failed audits and compliance violations, cryptomining on the customer’s cloud bill, and loss of business due to system downtime resulting from misconfiguration and remediation errors.

Major incidents experienced in the past year

50%

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

50%

Cloud data breach

Cloud data leak

Environment intrusion

Cryptomining

Serious compliance violation

Failed audit

System downtime

Cloud data breach

Cloud data leak

Environment intrusion

Cryptomining

Serious compliance violation

Failed audit

System downtime

Public sector organizations (88%) and startups (89%) were most impacted

Cloud customers representing all organizations of all sizes and industry sectors were impacted by major cloud security events. Fast-growing startups fared the worst with 89% impacted, with public sector entities (i.e. government agencies and not-for-profit organizations) not far behind. Enterprise companies did better — perhaps the result of more cloud security investment and a bigger focus on infrastructure as code security. Small and mid-sized businesses reported faring the best, which might be due to smaller cloud scale, less infrastructure complexity, and fewer changes made to their environment — or due to lack of awareness of cloud security incidents that did occur.

Experienced a serious cloud security incident in the past year

All Organizations

Enterprises

Startups

Public sector

SMBs

0%

20%

40%

60%

80%

100%

58% of developers and security professionals predict increased risk over the next year

A clear majority of cloud security and engineering professionals believe that the risk of a cloud data breach at their organization will increase over the next year, with only 20% expecting risks to decrease. Security professionals are more pessimistic than cloud engineers, with 66% believing cloud risks will increase, as opposed to 55% of engineers. Roughly the same percentage of security and engineering professionals feel that risks will stay the same over the next year. 

Perceived future risk of a cloud breach or serious security incident

Engineer responses

Security responses

Decrease

Increase

Stay the same

0%

20%

40%

60%

80%

Part Two

Why cloud security challenges and failures are happening

45% of respondents agree that cloud security work takes up significant engineering resources

Inefficient cloud security processes can be the rate-limiting factor for how fast teams can go in the cloud — and how productive they can be. Respondents identified significant demands on cloud engineers as the top impact of poor cloud security processes. Cloud runtime misconfiguration incidents can demand significant security team resources: identifying, prioritizing, and routing misconfigurations to engineering teams is time-consuming. Long security and review processes can delay application and feature deployments, and time spent on manual security work and approvals can make it more difficult to hire and retain engineering talent.

Impact of inefficient cloud security efforts

60%

50%

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

50%

60%

Application deployment delays

Significant cloud engineering demands

Significant security team demands

Challenges in hiring + retaining engineers

Application deployment delays

Significant cloud engineering demands

Significant security team demands

Challenges in hiring + retaining engineers

77% of organizations cite problems with poor training and collaboration as a major challenge

Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging. Insufficient tooling that produces false positives leads to alert fatigue within security teams, which itself contributes to human error when identifying critical issues that need to be addressed quickly. Issues with inconsistent policy interpretations and a lack of education may indicate the need for policy-as-code based tooling.

Cloud security challenges

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

Alert fatigue / false positives

Poor visibility into environment

Addressing issues pre-deployment

Insufficient securiy funding

Not enough education and training

Poor collaboration between teams

Inconsistent policy interpretations

Human error (identifying + remediating issues)

Use of different tools and frameworks across teams

Alert fatigue / false positives

Poor visibility into environment

Addressing issues pre-deployment

Insufficient securiy funding

Not enough education and training

Poor collaboration between teams

Inconsistent policy interpretations

Human error (identifying + remediating issues)

Use of different tools and frameworks across teams

Cloud native teams need more expertise, different tooling, and new approaches

The adoption of cloud-native services and architectures, such as container-based and “serverless” (i.e Functions as a Service), raises new security considerations and requirements. A cloud native approach can improve developer speed and agility, but 41% of respondents cited it as a major impact on their cloud security effort because it creates more complexity. To eliminate security issues pre-deployment, teams have to add specific expertise related to cloud native security, set up additional training and education, and shift left on cloud security. Only one fifth of respondents have managed to avoid a significant security impact due to cloud native adoption.

Impact of cloud native adoption on security

50%

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

50%

Increased security complexity

Additional security expertise needed

New training + education needed

New securing tooling needed

New methodologies needed (i.e. “Shift Left”; DevSecOps)

Increased security complexity

Additional security expertise needed

New training + education needed

New securing tooling needed

New methodologies needed (i.e. “Shift Left”; DevSecOps)

Part Three

Defining cloud security goals

IT manages cloud security in half of all organizations… but not everyone thinks so

The responsibility of cloud security consistently falls to IT in roughly half of organizations. Responses differ, however, depending on who you ask. 42% of cloud engineers say that their team is primarily responsible for cloud security, while only 19% of security professionals believe that to be the case. This may be explained by the increased adoption of infrastructure as code for deploying and managing cloud environments and the desire to find and fix issues in development rather than post-deployment, when remediations require more time and resources.

Who's Responsible for Cloud Security?

Engineer response

Security response

Cloud engineering team

Dedicated cloud security team

Central security team / Infosec

IT

0%

20%

40%

60%

80%

Security is a team sport

“(Cloud security) highlights the importance of having responsibilities well-understood but at the same time well-defined, in order to not have confusion when the company is working towards a common goal of keeping the company’s cloud environments safe from hackers.” ~ Ashish Rajan, Snyk Principal Cloud Security Advocate, on the Cloud Security Podcast

Both engineers and security experts want to prioritize cloud security, but for different reasons

While the motivation to improve cloud security efforts is primarily driven by the desire to keep cloud environments secure, there are a number of other desired outcomes, including the ability to better demonstrate that cloud security is an organizational priority. Inefficient cloud security processes can be a significant drag on team productivity, and security professionals cite a desire to improve their own productivity as their top motivation. Among all respondents, cloud engineering productivity ranked just behind keeping their environment secure.

Motivations for improving cloud security

Engineer response

Security response

6

5

4

3

2

1

0

0

1

2

3

4

5

6

Keep our environment secure

Demonstrate cloud security

Security team productivity

Cloud engineering productivity

Faster app + feature delivery

Enterprise organizations prioritize securing environments, but small businesses are more interested in faster review cycles

Every organization is pursuing a number of cloud security objectives, but priorities differ considerably depending on the organization type. Enterprises are focused on preventing cloud misconfiguration pre-deployment, while minimizing reviews and approvals ranks lowest for them. Small and mid-sized businesses, however, are very interested in speeding up approval times, while pre-deployment security ranks lowest for them. Public sector organizations are focused on designing secure environments and bringing existing ones into compliance, while startups are equally focused on getting better security visibility and streamlining security processes.

Cloud Security Objectives

Organization type:

Enterprise

Startup

Public Sector

SMB

7

6

5

4

3

2

1

0

0

1

2

3

4

5

6

7

Gaining better security visibility

Bringing environment into compliance

Streamlining cloud security process

Preventing issues pre-deployment

Designing secure environments

Minimizing review + approval times

Snyk

"Cloud engineers are taking more ownership of cloud security, and our research shows why. Shifting cloud security left helps them keep their infrastructure as code secure pre-deployment, improving security and saving them and the security team from wasting time running down and remediating misconfigurations. Everyone gets to move faster and more securely."

Guy Podjarny

Founder, Snyk

Part Four

Improving cloud security delivers strategic results

49% of organizations find that deployment happens faster as a result of improved cloud security

Organizations and teams each have their own cloud security objectives and motivations for improving their effort, and success delivers real results across the board. 49% of respondents said that cloud security improvements resulted in faster application and feature deployments, and 48% said their security team is able to do more with the resources they have. 44% said that security improvements have led to better collaboration between teams, and 41% said it’s now easier to attract and retain cloud engineering talent. When cloud security improvements result in fewer misconfiguration issues to remediate, engineering teams can reinvest their time in building value, and 40% said they’ve been able to do so.

The ROI of infrastructure as code security

Misconfiguration Reduction

Engineering Productivity

Faster Deployments

30%

25%

20%

15%

10%

5%

0%

0%

5%

10%

15%

20%

25%

30%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

The Five Fundamentals of Cloud Security

Traditional security practices don’t fully cover the cloud. Read about the five fundamentals of cloud security and help your team get security right.

Infrastructure as code security reduces misconfiguration by 70%

A significant factor in improving cloud security efforts is infrastructure as code (IaC) security done pre-deployment, during development and CI/CD. The adoption of IaC means there’s a software development life cycle for cloud infrastructure — and the opportunity to shift left on cloud security. The median reduction in cloud misconfiguration resulting from IaC is 70%. Nearly a quarter of respondents claimed productivity improved by 80% for engineers responsible for cloud security tasks such as remediations. And 70% was the median increase in deployment speed due to IaC security checks, which largely results in automated approvals and less rework required.

Results of Improving Cloud Security Efforts

Enterprise

Startup

SMB

Public Sector

80%

60%

40%

20%

0%

0%

20%

40%

60%

80%

Faster app and feature deployments

Re-invest cloud engineering resources

Security team is able to do more

Improved collaboration between teams

Easier to attract and retain engineering talent

Enterprises lead the way in using Infrastructure as Code

The adoption rate of IaC is not distributed evenly, with enterprises out in front in leveraging the technology — and the ability to get security right pre-deployment. This may be because enterprises focus more on planning, and are increasingly making IaC a requirement for cloud deployments due to its speed and efficiency benefits. This may also explain why preventing security issues pre-deployment is the top enterprise cloud security objective. On the other hand, startups tend to build fast and experiment, and this may result in a failure to use IaC from the beginning. Public sector organizations lag all other categories when it comes to adopting IaC.

Infrastructure as Code Adoption

dataset

Enterprises

Startups

Public Sector

SMB

0%

20%

40%

60%

80%

Snyk

"Control plane compromise plays a leading role in every major cloud breach we see, and the best way to prevent these attacks is by designing cloud environments to be inherently secure against them. Engineering and security teams alike are prioritizing secure cloud design — and empowering engineers to design securely when developing infrastructure as code."

Josh Stella

Part Five

Recommendations

Know your environment

Maintain awareness of every resource running in your cloud environment, how they’re configured, and how they relate to each other. Know the applications associated with your cloud infrastructure, and understand the data involved and how it’s used. Maintain visibility over the software development lifecycle (SDLC) for your cloud infrastructure, including any infrastructure as code in development and any CI/CD pipelines used.

Empower cloud developers to build and operate securely

As infrastructure as code adoption goes mainstream, cloud engineers need tools to get security right in design and development phases of the SDLC. When engineers can develop secure infrastructure as code, they can catch and correct issues early, avoid time-consuming remediations and rework later, and deliver secure infrastructure faster. Build security guardrails into CI/CD pipelines to ensure that misconfiguration vulnerabilities aren’t deployed to running environments.

Align and automate with policy as code (PaC)

When security policies are expressed solely in human language and exist in PDF documents, they might as well not exist at all. PaC allows for rules to be expressed in a language that other tools and applications can use to validate the correctness of code and configurations. PaC eliminates differences in interpretation, implementation, and enforcement, and it makes it possible for cloud security teams to scale their effort without having to scale up headcount.

Measure what matters and operationalize cloud security

Cloud security is about operational discipline and getting the right processes in place. Successful security teams identify what matters the most, be it reducing the rate of misconfiguration, speeding up approval processes, or re-allocating resources to higher-value work. They establish their baselines, set goals, and then work diligently toward achieving them. And they’re able to demonstrate the security posture of their environment—and their progress—at any time.

About this report

This report is based on a survey of more than 400 cloud engineering and security practitioners and leaders across various organization types and industries. The survey was conducted in the second quarter of 2022 by Propeller Insights.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo