September 13, 20220 mins read
Cloud computing has created the most profound shift in information technology in recent memory. Leveraging cloud technology, companies can build, deploy, and scale their applications faster than ever. But the adoption of cloud native tools and processes also brings new security challenges. Between complex cloud infrastructure and the expansion of cloud-based services, malicious actors have access to a bigger attack surface than they did even a few years ago.
Snyk’s goal has always been to build developer-first security tools. With the addition of Snyk Cloud, our focus now includes cloud security. In alignment with our growing investment in helping teams secure their applications and the cloud environments that run them, we’re proud to present the 2022 Snyk State of Cloud Security Report. In the second quarter of 2022, Snyk conducted a targeted survey to understand the impact cloud security has on organizations, the challenges teams face, and where they’re finding success. To create this report, Snyk’s cloud security researchers combined their analysis of the survey data with observations from their own experience.
Cloud security events are widespread
The report details how security professionals and cloud security engineers grapple with the complex cloud security risks and challenges arising as a result of rapid cloud adoption and the increase of cloud native application development. Specifically, we found that:
Organizations of varying sizes and industries reported being impacted by major cloud security events over the last 12 months, with startups (89%) and public sector organizations (88%) the most affected. Enterprise companies did better (most likely due to greater investment in cloud infrastructure), while small and mid-sized businesses reported faring the best (probably as result of a smaller cloud footprint and less infrastructure complexity).
Teams need clear security goals
Another key observation from the survey is that many teams lack clarity around who is responsible for cloud security at their organization. Of survey respondents, 42% of cloud engineers say that their team is responsible for cloud security, but only 19% of security professionals believe that to be the case. Securing cloud resources requires coordinated effort and awareness across teams — a practice that many organizations have not yet adopted.
"(Cloud security) highlights the importance of having responsibilities well-understood but at the same time well-defined, in order to not have confusion when the company is working towards a common goal of keeping the company's cloud environments safe from hackers."
Ashish Rajan, Snyk Principal Cloud Security Advocate
Other essentials: better training, infrastructure as code
Data from the survey also reveals that many of today’s cloud security failures result from a lack of effective cross-team collaboration and training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging. Moreover, insufficient tooling that produces false positives can lead to alert fatigue on security teams, contributing to human error when critical issues need to be identified and addressed.
Some organizations using the cloud are already using at least some infrastructure as code (IaC). Using IaC ensures a software development life cycle for cloud infrastructure — and the opportunity to shift left on cloud security. Not only does infrastructure as code help teams operate more efficiently and consistently at scale; it presents a great opportunity to shift left on cloud security before applications are deployed. By securing IaC with automated checks that use policy as code, cloud engineering teams can create development and testing environments that mirror production and all of its security controls.
Looking toward the future
Every day, more organizations leverage the cloud to develop and run their applications. In doing so, they are adopting more cloud native architectures, such as container-based and serverless environments. Knowing the risks inherent to cloud infrastructure, and empowering teams with tools and policies to protect them from those risks, delivers measurable results. When organizations improve their cloud security, they experience benefits reaching beyond incident mitigation alone.
About this project
This report is based on a survey of more than 400 cloud engineering and security practitioners and leaders across various organization types and industries. The survey was conducted in the second quarter of 2022 by Propeller Insights.