As software security comes under strain almost every day, it’s more important than ever that we take securing our programs and our clouds more seriously. But before we can do that, we need to know what isn’t safe today. This is where the security company Palo Alto Networks (PANW) arrives with its latest Cloud Native Security Report.
However, the main factor shaping the cloud and its security was beyond the control of any technology company. According to PANW, the Covid-19 pandemic represents one of the most profound global social and economic upheavals since World War II. The results were:
- The rapid shift to remote work, school, and healthcare is driving an increase in online collaboration and meeting tools.
- A sudden and acute demand for critical cloud-delivered applications.
- A broad consumer shift towards low-contact online shopping and takeout.
- Increased demands for cloud infrastructure support for everything from social services to supply chain management.
Increased movement to the cloud
In terms of the numbers, organizations have increased their cloud usage during the pandemic by more than 25% overall. Additionally, today 69% of organizations host more than half of their workloads in the cloud, up from just 31% in 2020. It truly is a cloud computing world today.
Enterprises also spent more on platform as a service (PaaS) and serverless. This likely came with their rapid transition to the cloud. At the same time, containers and containers as a service (CaaS) saw more moderate growth. That last part surprised me. I would have guessed that containers, largely because of Kubernetes, would have taken more funding.
Too bad they don’t spend as much to secure their new cloud services. Despite this strong growth, companies are paying less on average on their clouds. Now, this may be due to widespread budget cuts; reallocation of funds due to the pandemic; or it may simply reflect a “normalization” of cloud activities, with budgets.
Or, I guess, it’s companies saving money on their cloud deployments. And I think we all know that security gets the tightest budget when companies are in a rush to deploy new technologies.
Expand cloud security teams
That’s not what PANW found. It’s just my cynical guess, after having spent way too many years covering technology. While blue chip cloud budgets have fallen, cloud security budgets have held steady. Indeed, PANW believes that while organizations have spent less money on the cloud overall, they haven’t let their security budgets waver. PANW has also seen companies expand their cloud security teams. Fifty-three percent of organizations said they had a security team of more than 30 people, up from 41% last year. I hope this means that everyone is really doing better at securing their clouds. I really do, but color me cynical.
Interestingly, those who did the best with their cloud moves tended to have the strongest security posture, with 81% ranking strong or very strong. However, those who were early adopters of the cloud and did a poor job of it generally had weak security. This leads me to believe that smart companies with successful deployments know that security is important, while those that have cloud issues also have issues with security. In other words, if you’re bad at deployment and migration, you’ll also be bad at security.
All of this would be more than enough of a challenge in itself. But as companies rushed to meet these unexpected new demands, they found themselves facing a global threat that rested squarely on their technological shoulders: cyberattacks.
So, as PANW noted, “an explosion of security incidents” correlated with increased cloud spending by organizations in the first six months of the pandemic. The conclusion was that “the rapid evolution of the cloud and complexity without automated security checks built into the entire development pipeline is a toxic combination.”
Things haven’t improved. Thanks to Omicron, the pandemic is spreading. Organizations continue to push workloads to the cloud while striving to automate cloud security and mitigate cloud risk.
PANW is not looking to panic. Others have also noticed this persistent problem. The CNC Group pointed out how continuous integration/continuous delivery (CI/CD) pipeline attacks are gaining momentum. It’s all part of the growing assault on software supply chains.
Interestingly, companies with best-in-class security operations see the greatest benefits for their staff in terms of productivity and satisfaction. Eighty percent of those with a strong security posture reported an increase in workforce productivity.
Low security posture
Unfortunately, most organizations, 55%, report a weak security posture and believe they need to improve their underlying business. No kidding? Running insecure clouds today is just asking for disaster.
PANW also found that 80% of organizations that primarily use open source security tools have a weak or very weak security posture, compared to 26% of those that primarily use their cloud service provider and 52% of those that rely on third parties. However, the problem is not open source security tools. It is that it is difficult to assemble a platform from disparate tools. In short, if you’re not skilled in using open source security tools, find someone who is. It’s a false economy to piece open source tools together if you don’t know how they fit together.
Companies seem to be learning this lesson. PANW found that nearly three-quarters of organizations now use 10 or fewer security tools. They also found a 27% increase over 2020 data in the number of organizations using only one to five security vendors. This suggests they are turning to fewer security vendors for more functionality.
Automation is key
PANW also found that the more groups automate security, the more likely they are to have strong security. Along with this, PANW has found that organizations that have done a good job of adopting and implementing DevSecOps methodologies tend to have best-in-class security. Specifically, organizations that tightly embed DevSecOps principles are more than seven times more likely to have a very strong security posture.
In conclusion, PANW believes that “Organizations that have made cloud infrastructure a strategic priority across the enterprise have been more successful. Additionally, cloud security is a clear enabler of business results. For any type of organization, anywhere in the world, security best practices are consistent and can be implemented as key drivers of cloud success.”
Of course, better security, by itself, doesn’t mean everything will be fine on your cloud. “But having security under control – consolidating tools and vendors as well as using proven DevSecOps and security automation strategies – establishes a foundation that allows development teams to do their jobs better and enables organizations to succeed in their cloud transformations.”