The survey of 300 cloud professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months, and eight out of ten are worried that they’re vulnerable to a major data breach related to cloud misconfiguration. 64% say the problem will get worse, or remain unchanged over the next year.
As cloud adoption accelerates and the scale of cloud environments grows, engineering and security teams say that risks—and the costs of addressing them—are increasing. The findings are part of the State of Cloud Security 2021 survey conducted by developer tools company Sonatype and cloud security and compliance automation firm Fugue.
The survey of 300 cloud professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months, and eight out of ten are worried that they’re vulnerable to a major data breach related to cloud misconfiguration. 64% say the problem will get worse, or remain unchanged over the next year.
Cloud misconfiguration mistakes: a major insider threat
The primary causes of cloud misconfiguration cited are too many APIs and interfaces to govern (32%), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). 21% said they are not checking Infrastructure as Code (IaC) prior to deployment, and 20% aren’t adequately monitoring their cloud environment for misconfiguration.
“The adoption of IaC is a double-edged sword, it puts cloud infrastructure into the hands of developers, but also opens organizations to serious risk associated with misconfiguration.” said Matt Howard, Executive Vice President at Sonatype.
“The survey results highlight the need to empower developers with advanced security guardrails and rapid feedback to ensure that cloud infrastructure is secure and complies with relevant regulations and defined policies.”
Traditional security challenges play a significant role in cloud security, such as alert fatigue (cited by 21%) and false positives (27%), and human error (38%). The demand for cloud security expertise continues to outpace supply; 36% cite challenges in hiring and retaining the cloud security experts and 35% cite challenges sufficiently training their cloud teams on security.
Cloud security challenges and what professionals say they need
The lack of policies that work across the cloud development lifecycle (CDLC) from IaC through the runtime was cited as a significant issue, with 96% saying such a unified policy framework would be valuable. 47% said they need better visibility into their environments, and 43% said automated compliance audits and approvals would help.