The cloud is swiftly becoming a non-negotiable part of a company’s technology stack, which means cloud security is paramount. At a recent European cloud expo, Aqua Security surveyed attendees to gain insights into the current state of cloud-native security. Let’s look at the key findings from the survey and what it means for cloud CTOs and technical professionals who must address evolving cybersecurity risks.
See also: Understanding Unified Security in a Cloud World
Increasing concerns over the software supply chain
The study reveals a rise in the perceived risk associated with the software supply chain as compared to the previous year’s survey. 36.9% of respondents identified supply chain security as the most significant threat to their company, up from 18.6%. As companies shift operations to the cloud, this opens them up to new vulnerabilities across the cloud environment, especially if they’re still using legacy security strategies.
Open-source vulnerabilities were identified as the primary concern. As more companies look to open-source resources to build, maintain, and launch new technology initiatives, an increase in security-first approaches is critical. Companies need proactive measures to mitigate the risks associated with using open-source tools, which could present a burden for small to medium businesses without the resources or expertise.
Progress in cloud-native security strategies
The study shows encouraging progress in the adoption of cloud-native security strategies, however. 34% of organizations have already implemented a dedicated cloud-native security strategy, up from 21.2% last year. This is heartening because it shows a growing awareness of the importance of securing cloud-native environments.
Even more, there seems to be a positive shift in responsibility for this security posture. IT Security teams and DevOps seem to be sharing more responsibility. There’s a strong need for collaboration between these functions as companies deploy in the cloud because a security-first approach that’s also cloud-native requires a clear strategy from both departments.
Not just awareness but understanding of cloud-native security
The study seems to support the idea that companies are moving from simply knowing about cloud-native security to understanding it. Cloud-native applications require a unique approach to security, something that tripped up companies in the past. However, this year’s survey shows a remarkable uptick in understanding, with nearly half of respondents citing familiarity with CNAAP or “Cloud Native Application Protection Platform. This term, introduced originally by analyst firm Gartner, wasn’t nearly as well known last year. But with the evolving security landscape, it’s no wonder more companies are paying attention.
Addressing continued barriers and challenges
While progress has been made in awareness and implementation, several barriers continue to hinder companies as they seek to adopt cloud-native security. For one, budget limitations were a challenge for almost 39% of respondents, echoing a likely scenario for many tech deployments. Organizations will need to prioritize funds and resource allocation to ensure the continued security of cloud investments.
Security also means closely examining what aligns with the company’s specific risk profile and ensuring that sufficient resources are allocated to protect those investments. Not all companies will have the same risk profile, with certain sectors, such as healthcare dealing with more sensitive data.
Perception is another significant barrier. 29.1% of participants perceived that Cloud Native Security was complicated or difficult to implement. While companies must do more to educate employees and upskill them to prepare for these challenges, they also need to simply security frameworks and promote user-friendly solutions—easier said than done.
See also: Data Masking Methods for Data Centric Security
To streamline cloud-native security practices, companies can leverage the following:
- Automation: Implementing automation tools and processes streamlines cloud-native security implementation. Developers can integrate these scans, vulnerability assessments, and threat intelligence directly into the development and deployment pipelines. This improves consistency and removes human error for continuous monitoring.
- Security as code principles: Security measures must be integral components of an application development process. Administrators can define and manage these configurations as code, which enables consistent and—more importantly—scalable security implementations. This ensures security is built in right from the start.
- Integration with DevOps pipeline: Security checks and measures must also be an integral part of the software development lifecycle. Embedding security practices like code analysis, vulnerability scanning, and compliance checks enables earlier detection and response. Plus, it fosters collaboration for faster remediation and reduces the likelihood of gaps.
Mitigating cloud-native security risks
Organizations need to be proactive about addressing the evolving landscape of cloud-native security, and the survey seems to back this up. Here is a quick checklist for companies looking to get started.
- Implement end-to-end security solutions: Cloud-native security is a comprehensive approach. These should cover the entire software supply chain and includes the integration directly into DevOps.
- Adopt defense-in-depth: Multiple layers of security equal a robust defense mechanism. Companies can incorporate secure software development practices like code reviews, static and dynamic analysis, and secure coding guidelines. Continuous monitoring through automation also ensures quick detection of malicious activities or unauthorized access.
- Increase knowledge: Upskilling those involved in cloud operations helps foster a culture of shared responsibility. This is a company’s best chance to ensure the expertise needed to operate with a security-first approach.
- Address budget constraints: Costs will always factor into cloud deployments, but companies can prioritize security implementations by conducting risk assessments. These identify crucial assets and allocate resources accordingly. Even better, align security investments with business objectives and risk profiles for more informed decisions.
- Stay compliant: Keep up-to-date with new regulations and standards, such as Executive Order 14028 in the U.S. Compliance with these regulations mitigates security risks and enhances customer trust and reputation.
Looking forward
Mitigating security risks requires a proactive, multi-faceted approach. Cloud-native security specifically must be a top priority for organizations. Thanks to this survey’s findings, we know that companies are making progress but still have some challenges to overcome. It’s put to CTOs and other decision-makers to build robust security strategies and collaborate with both DevOps and IT security teams to ensure the integrity and resilience of the cloud-native environment. This helps pave the way for a secure and successful future in the cloud.
Elizabeth Wallace is a Nashville-based freelance writer with a soft spot for data science and AI and a background in linguistics. She spent 13 years teaching language in higher ed and now helps startups and other organizations explain – clearly – what it is they do.