Cloud computing has created a bigger shift in the IT industry during the last 20 years than any other factor. With cloud technology, companies can build, deploy, and scale their applications faster than ever. However, cloud customers have been suffering a wide range of security events within the past year, with data breaches, data leaks, and intrusions into their environments among the most serious.
Snyk recently surveyed more than 400 cloud engineering and security professionals and leaders across various organisation types and industries. Created in partnership with Propeller Insights, the findings are summarised in the Snyk State of Cloud Security 2022 report. The report takes a deep dive into the risks and challenges they face, and where they’re successfully addressing those risks.
According to the State of Cloud Security 2022 Report, 80% of organisations suffered a serious incident within the last year, and 33% suffered a cloud data breach.The shift to developers building and running apps natively in the cloud is changing cloud security, according to insights. In the resulting report, Snyk’s cloud security researchers combined their analysis of the survey data with observations from their own experience. Here are the three big takeaways.
Cloud native applications cases bring new security challenges — and opportunities
The predominant cloud use case has been as a platform for hosting third-party applications or applications migrated out of their data centers. A quarter of Snyk’s survey respondents indicated that the primary use for cloud environments is developing and running applications natively in the cloud.
Teams using the cloud as a platform have produced a number of innovations, including Infrastructure as Code (IaC), the coding process developers use to build and manage cloud infrastructure alongside their applications.
Additionally, developers leveraging the cloud are making increasing use of cloud native approaches, such as containers and serverless “functions as a service” architectures.
These changes have implications for security. 41% of teams adopting cloud native approaches confirmed that doing so has increased their security complexity. Cloud native approaches also require teams to add additional security expertise and introduce additional security training. Cloud native also necessitates the adoption of new security tooling and methodologies, such as a “Shift Left” approach.
But while building and running applications in the cloud brings new security challenges, teams using this approach are experiencing fewer serious security incidents. The next two big takeaways from the report help explain why.
Developers are taking ownership of cloud security
Who owns cloud security? Depending on who you ask, you’re likely to get a different answer. While IT owns cloud security in roughly half of all organisations, 42% of cloud engineers say that their team is primarily responsible for cloud security. However, only 19% of security professionals agree that engineering teams are doing that work.
This may be explained by the fact that cloud engineers are investing significant time and effort into cloud security tasks, and they’re often looking for ways to automate and streamline these processes. The adoption of infrastructure as code for deploying and managing cloud environments provides engineers with the opportunity to find and fix issues in development rather than post-deployment, when remediations require more time and resources.
Developers control the cloud computing infrastructure itself because the cloud is fully software-defined. When they build applications in the cloud, they’re also building the infrastructure for applications instead of buying a pile of infrastructure and adding apps. That is a coding process using Infrastructure as Code (IaC), and developers own that process.
Infrastructure as code security delivers a big ROI
IaC security is a huge win — not just for reducing the rate of misconfiguration, but for improving engineering team productivity and speed of deployments. Inefficient cloud security processes often become the rate-limiting factor for how fast teams can go in the cloud, and IaC security delivers significant improvements in speed and productivity.
The median reduction in the rate of misconfiguration in running cloud environments resulting from IaC security pre-deployment is 70%. While IaC security can’t prevent all runtime misconfigurations, a 70% drop is significant, and can lower the risk for organisations substantially.
That decrease in the number of misconfigurations also has a direct impact on cloud engineering productivity. Because these teams can reduce the amount of time they need to invest in managing and remediating problems, they can spend more time building and adding value to the organisation.
What effective cloud security teams are doing
A clear majority of cloud security and engineering professionals believe that the risk of a cloud data breach at their organisation will increase over the next year, with only 20% expecting risks to decrease.
Effective cloud security requires preventing misconfigurations and architectural design vulnerabilities that make cloud attacks possible. Success requires focusing on these five fundamental areas:
- Know your environment. Maintain awareness of the configuration state of your cloud environment in full context with the applications it runs and the SDLC used to develop, deploy, and manage it.
- Focus on prevention and secure design. Prevent the conditions that make cloud breaches possible, including resource misconfigurations and architectural design flaws. You can’t rely on the ability to detect and prevent attacks in progress.
- Empower cloud developers to build and operate securely. When engineers develop secure infrastructure as code, they can avoid time-consuming remediations and rework later, while delivering secure infrastructure faster.
- Align and automate with policy as code (PaC): If your security policies are expressed only in human language, they might as well not exist at all. With PaC, you can express policies in a language other programs can use to validate correctness, and you’ll align all stakeholders to operate under a single source of trust on security policy.
- Measure what matters: identify what matters the most, be it reducing the rate of misconfiguration, speeding up approval processes, or improving team productivity. Security teams should establish security baselines, set goals, measure progress, and be ready to demonstrate the security of their cloud environment at any time.
Following these five steps enables security and engineering teams to work together to operationalise cloud security, which reduces risk, accelerates innovation, and improves team productivity.