In the last 12 months, more than a third of organizations have had a major cloud security data leak or breach, and 83 percent worry that their company is at risk, according to the recently published ‘State of Cloud Security 2021’ study by Fugue (a cloud security and compliance automation provider) and Sonatype (a provider of developer tools for software supply chain automation and security).

The engineering and security teams surveyed warn that as cloud adoption accelerates and the scale of cloud systems rises, risks – and the expense of mitigating them – are growing.

The survey of 300 cloud professionals – including cloud engineers, security engineers, DevOps practitioners and architects – found that 36% of organizations suffered a serious cloud security data leak or breach in the last 12 months, and eight out of ten are concerned that they are vulnerable to a major data breach related to cloud misconfiguration. 64% say the problem will worsen or stay the same in the coming year.

“This year’s survey reveals that the complexities and dynamism of at-scale cloud environments outpace the ability of teams to keep them secure,” said Josh Stella, co-founder and CEO of Fugue. “Engineering and security teams continue to ramp up the time and resources they invest in cloud security, but say they still lack the visibility and automation they need.”

Cloud Misconfiguration Mistakes – a Major Insider Threat


The primary causes of cloud misconfiguration cited are too many APIs and interfaces to govern (32%), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). 21% said they are not checking Infrastructure as Code (IaC) prior to deployment, and 20% aren’t adequately monitoring their cloud environment for misconfiguration.

“The adoption of IaC is a double-edged sword: it puts cloud infrastructure into the hands of developers, but also opens organizations to serious risk associated with misconfiguration,” said Matt Howard, Executive Vice President at Sonatype. “The survey results highlight the need to empower developers with advanced security guardrails and rapid feedback to ensure that cloud infrastructure is secure and complies with relevant regulations and defined policies.”

Cloud and Infrastructure as Code Security – a People Problem

Traditional security challenges also play a significant role in cloud security: human error (cited by 38%), false positives (27%) and alert fatigue (21%). The demand for cloud security expertise continues to outpace supply: 36% cite challenges in hiring and retaining cloud security experts, and 35% cite challenges in sufficiently training their cloud teams on security.

Securing Infrastructure as Code and Cloud is Costly

Half of the teams surveyed devote 50+ engineering hours per week to IaC security. Although adopting IaC gives cloud teams the chance to review configurations before deployment, they devote the same amount of work to protecting cloud systems that are already up and running.

The lack of policies that work across the cloud development lifecycle (CDLC), from IaC through to runtime, was cited as a significant issue, with 96% saying such a unified policy framework would be valuable. 47% said they need better visibility into their environments, and 43% said automated compliance audits and approvals would help.

The State of Cloud Security 2021 Report is available for free download here.