State of Cloud Security 2021: More Aware Yet Very Exposed
Dan Yachin digs into our State of Cloud Security 2021 Report and shares his insight.
A key finding of the first Ermetic (Now Tenable Cloud Security) commissioned IDC cloud security survey, conducted at the end of 2019, was that the rapid shift to the cloud is exposing organizations to new and different types of risks from those they dealt with previously. It was surprising to learn that despite the endless debate about cloud infrastructure security, so many organizations were caught unprepared. Apparently, organizations have trouble fully understanding the magnitude of the threat upfront. It is often only after the fact, when damage is done, that organizations become aware of how vulnerable they really are.
A year and a half later, it is clear that, unfortunately, companies are now much more aware.
Companies Are As Vulnerable As the Size of Their Cloud Footprint
The most astonishing finding from this year's Ermetic-commissioned IDC state of cloud security survey, conducted in the first half of 2021, is that everyone is being hit. A staggering 98% of the companies surveyed experienced at least one cloud data breach in the past 18 months – a significant increase from 79% in the previous survey.
The surge in cloud data breaches can be explained by the rush to the cloud and work-from-home resulting from the COVID-19 pandemic. Over the last year and a half, organizations have been migrating critical systems and workloads to the cloud to continue normal operations. Many of them have learned the hard way that cloud infrastructure security is a whole new ballgame that requires a different approach.
According to the 2021 survey, IaaS has reached mainstream adoption: 67% of participants are already using IaaS while 25% are planning to. More so, investment in cloud infrastructure is skyrocketing. Nearly 31% of participants said they spend more than $50 million per year on cloud infrastructure. The results show that the larger the organization, the greater its spend on cloud infrastructure.
Cloud Infrastructure Spending by Company Size
Q. What is your cloud infrastructure spending per year?
Furthermore, there is a clear correlation between the size of a cloud footprint – reflected by the level of investment by an organization in its cloud infrastructure – and the degree of exposure to cloud security threats. For example, across the entire survey sample, 63% of participants said their organizations identified situations in which their sensitive data has been exposed in the cloud. This metric ballooned to 85% for larger cloud footprints – i.e., organizations that spend more than $50 million per year on cloud infrastructure.
Exposure to Sensitive Data Leaks by Cloud Footprint
Q. Have you identified any situations in which your sensitive data has been exposed in the cloud?
Watch Out for Those Third Parties
The expanding cloud footprint also ties in with the creation of digital ecosystems of applications and services that span an organization’s internal and external boundaries. These cloud-based environments facilitate cross-company business processes that enable the organization’s developers, business stakeholders, partners, customers and others to effectively connect and interact.
The rise of digital ecosystems can explain why insecure APIs, along with lack of visibility and inadequate network and IAM security were highlighted by respondents as top security threats to their cloud infrastructure. Without adequate visibility into these areas, organizations are left in the dark as to who has access to their digital ecosystems, what permissions they have and how they are used.
Organizations are also raising concerns over various other issues such as cloud compliance (regulatory), security governance, privacy and data protection surrounding their digital ecosystems. As described by one of the participants, a director in a government organization, “our API infrastructure evolves to offer quality support, but it also introduces security risks.” Another participant, a C-level executive in a large healthcare company, added that “ensuring third-party reliability and remote work is compromising on the privacy while dealing with the cloud.”
Concern over cloud compliance (regulatory), security governance and access tends to grow with the size of the cloud footprint. For example, 70% of the companies that spend more than $50 million per year on cloud infrastructure mentioned compliance monitoring as a top security priority compared with 51% across the entire survey sample. Access risk in the cloud was selected as a top priority by 36% of companies with larger cloud footprints compared to 32% among all respondents.
Top Cloud Security Priorities
Q. What are your organization's top 3 security priorities for the next 18 months?
Cloud Data Breaches Often Begin with Unauthorized Access
This year’s survey pointed to cloud access-related threats as a major cause of cloud data breaches. Of all participants, 83% said at least one of the cloud data breaches they experienced during the past 18 months was related to access. Around 50% of participants reported that at least 25% of the breaches were related to access.
The survey found a connection between a company’s size and its level of exposure to access-related cloud data breaches. While 22% of all participants reported that at least 50% of their cloud data breaches were related to access, this number increases by company size and reaches 38% for enterprises with more than 20,000 employees. This correlation makes sense as the greater the number of employees – and, consequently, the cloud resources they use – the greater the number of identities and access permissions to manage, and hence the exposure to related risks.
Share of Access-Related Cloud Data Breaches by Company Size
Q. Please estimate the percentage of cloud data breaches where the root cause was related to access.
The fact that so many companies report that their sensitive data has been exposed in the cloud and point to access as a major cause of cloud data breaches is further reflected in the main drivers for governing cloud infrastructure access permissions. Across the entire survey sample, organizations cited maintaining the confidentiality of sensitive data in the cloud against internal threats (selected by 58% of respondents) and against external attacks and unauthorized access (57%) as the main such drivers. Again, a connection was found between the size of the cloud footprint and the importance attributed to these drivers.
Top Drivers for Governing Cloud Infrastructure Access Permissions
Q. What are the main drivers for governing access permissions in your cloud infrastructure?
In addition, companies with larger cloud footprints attributed more importance to different use cases for managing identities and entitlements in their cloud infrastructure. Among them, human identities are still the main concern, while machine entities such as cloud resources, cloud machine identities and code are not far behind.
Top Use Cases for Managing Cloud Identities and Entitlements
Q. How important are the following use cases for managing cloud identities and entitlements in your cloud infrastructure?
Why You Spend So Much Time on Cloud Access Management
The 2021 finding of how much time organizations spend on cloud identities and access is in line with the results of our previous survey, which pointed to the difficulty of governing access permissions (namely, keeping track, evaluating risk, and defining policies and permissions) for a multitude of machine and human identities. The conclusion was that unless access policies are frequently adjusted through smart automation and advanced analytics, the potential for human error will increase sharply.
In accordance, 70% of organizations in the 2021 – and nearly 100% of companies with more than 10,000 employees – reported spending more than 25 hours weekly managing cloud IAM in their cloud infrastructure. At an estimated $100 an hour, that adds up to a budget drain of at least $130,000 yearly.
Again, a correlation was found between the time spent dealing with cloud IAM and the size of the cloud footprint. The larger the cloud footprint, the greater the time spent, with 79% of companies that invest more than $50 million per year on cloud infrastructure reporting they allocate more than 50 hours weekly to managing cloud IAM.
Time Spent Dealing with Cloud IAM by Size of Cloud Footprint
Q. How much time does your company spend dealing with IAM in your cloud infrastructure?
So why do companies spend so much time (and, consequently, money) managing identities and entitlements? The reason is that traditional security approaches and solutions fall short in providing adequate visibility and control for cloud infrastructures, including over access and entitlements. As cloud environments continue to expand, identifying and mitigating cloud access and other risks at scale – let alone in a timely manner – becomes a major challenge. As evidence, respondents expressed mixed satisfaction regarding their cloud security posture and around 43% of them could not say they are satisfied with their current cloud security posture.
Shared Responsibility– Is It Really Working?
To gain a better understanding of companies’ cloud security postures, respondents were asked about the cloud security solutions they use or plan to use. Apparently, almost all of them use the commercial solutions or free security tools offered by public cloud providers.
The fact that so many organizations rely directly on their cloud providers for security, coupled with the low satisfaction with cloud security posture and universally high instances of cloud breaches, suggests that the shared responsibility model for cloud security is not working well. Indeed, 58% of respondents mentioned the difficulty of setting a shared security model between their organization and their cloud vendor as a major challenge. According to one participant, an executive at a utility company, “clarity regarding system security responsibility with cloud vendors and support is a big concern.”
This lack of clarity is exacerbated by the fact that multi-cloud is now the de-facto infrastructure standard. Accordingly, when asked to identify the top challenges in managing cloud infrastructure identities and permissions, organizations highlighted uniformly managing access across multiple clouds (64%), followed by lack of visibility into cloud infrastructure (63%).
The Pains of Implementing Least Privilege
The clear awareness of the high chance of being attacked, with access risk a main cause, likely explains why so many organizations are pursuing least privilege access best practice. The survey found that 92% of those surveyed have least privilege implementation in their sights: 66% have tried or are trying it, and 26% plan to in the next 12 months. However, limiting every user or application to the exact permissions needed to complete legitimate work activities requires an ongoing, contextual understanding of the relationships between human and machine identities that is difficult to achieve using legacy solutions. As evidence, our survey found that of large organizations that tried to implement least privilege, 50% failed. All organizations cited multi-cloud complexity, lack of visibility into cloud infrastructure and implementation difficulty as main barriers, among others, to least privilege implementation success.
Top Barriers to Implementing Least Privilege Access
Q. How significant a barrier is each of the following to implementing least-privilege access to your cloud infrastructure?
(combined % of respondents who chose “moderately”, “very significant” and “extremely significant”)
Where Do We Go from Here?
The Ermetic-commissioned IDC State of Cloud Security 2021 Survey results indicate the need for more effective solutions that go deep into understanding identity and security risk in cloud infrastructure. As they continue to grow their cloud footprint, businesses struggle to gain visibility and control over access in their cloud infrastructure, and to implement least privilege at scale. They spend much time dealing with cloud IAM but remain highly exposed to access-related cloud data breaches.
Addressing these challenges is a major undertaking, as organizations are reliant on multiple point products, each focused on protecting a specific security category or cloud vendor environment. It is no wonder that 63% of participants mentioned the difficulty of integrating disparate security solutions as a top challenge that impacts their ability to govern identities and manage permissions in their cloud infrastructure. Further, the surprisingly high reliance of organizations on commercial or free security solutions by cloud service providers, and shortcomings of the shared responsibility model, are failing to deliver adequate risk protection in so complex an environment.
As the number of human and machine identities continues to increase with the accelerated expansion of companies’ cloud footprints, so does the potential for access-related cloud data breaches. Achieving unified, comprehensive visibility and control over cloud identities, network, data and compute resources – and across security/IT stakeholders -- is therefore an urgent necessity for any organization that seeks to capitalize on the undeniably huge benefits of multi-cloud infrastructure and cloud-enabled digital ecosystems.
Ready for More?
In 2022, Ermetic commissioned Osterman Research for a survey on cloud security maturity across more than 300 organizations. Download the State of Cloud Security Maturity 2022 Survey Report.
Dan Yachin is an independent market strategy consultant and IT Analyst, and former head of Emerging Technologies at IDC.