2023 Cloud Security Report (English).docx

Uploaded by: 夺命阿水  Document ID: 1228969  Upload date: 2024-04-07  Format: DOCX  Pages: 34  Size: 519.21 KB

THE STATE OF CLOUD-NATIVE SECURITY 2023 REPORT

THE ONLY CONSTANT IS CHANGE

Few can relate to the adage like cloud security professionals. Cloud security is dynamic and unpredictable, but the move to hybrid work has accelerated change and increased the complexity of application security. As cloud-native application development evolves, so too do organizations' cloud infrastructure (80% of survey respondents say their cloud infrastructure is evolving). What's more, the cloud has changed the application lifecycle, with DevOps now delivering production code at warp speed and security personnel struggling to keep pace. More than 75% of respondents from this year's survey are deploying new or updated code to production weekly, and almost 40% are committing new code daily. Add to that the ratio of ten developers for every security professional [1, 2] and the potential for challenges in scale and complexity are not difficult to understand.

In contrast to on-prem environments, cloud computing follows a shared responsibility model. Responsibility for the infrastructure (e.g., compute, networking, and storage) is held with the cloud service provider (CSP) and responsibility for security is shared between the CSP and their customers. But the sharing stops when it comes to responsibility for customers' applications, data, and access management. Organizations' security and development teams own this responsibility and must collaborate to successfully secure their cloud environments.

To equip these teams with the resources they need, it's necessary to understand the challenges they face (whether emergent or perennial), the solutions they use, and the effectiveness of solutions in helping them meet their responsibilities. How are organizations choosing security tools, and how are those tools being operationalized? Which practices are producing the best security outcomes, and which are hampering efforts? We explored these questions and others in our annual multi-industry survey on the state of cloud-native security.

1. Occupational Outlook Handbook: Software Developers, Quality Assurance Analysts, and Testers, Bureau of Labor Statistics.
2. Occupational Outlook Handbook: Information Security Analysts, Bureau of Labor Statistics.

WHAT DID WE FIND?

Shift-left security is accelerating.

Since unaddressed vulnerabilities can be exploited in production, it's critical to catch and fix these vulnerabilities early in the application development lifecycle. Our survey revealed that risks introduced early in application development are the #1 concern. Known vulnerabilities, embedded malware, and sensitive data, such as secrets or configuration data, are some examples of early risks. To catch emergent threats upstream, security teams turn to tools such as code repo scanning, software composition analysis (SCA), and registry scanning.

Decisions on tooling have become clouded by complexity.

Overwhelmed by the proliferation of discrete tooling options, more than 75% of respondents reported that their organization struggles to identify which security tools can help them meet their needs. The sheer number and role of each discrete tool can present operational headaches and further isolate silos, often creating blind spots in an organization's security posture.

Collaboration across teams is essential to better security outcomes.

Unlike traditional security, the cloud requires users to unite disparate teams around a common goal. To do this, organizations need to be intentional about breaking down silos. Our survey shows 81% of enterprises have embedded security professionals in their development and operations team. From here, organizations must stay attuned to friction as it arises and develop a security architecture that inspires confidence and doesn't slow DevOps processes down.

TABLE OF CONTENTS

Executive Summary
Key Findings
Introduction
How Enterprises Are Migrating to the Cloud
Application Velocity in Cloud-Native Enterprises
Cloud Complexity
Implications for Security Teams
How Enterprises Are Approaching Security
How Application Developers Are Shaping Security
The Path Forward
Recommendations

The third annual State of Cloud-Native Security Report examines the evolving security practices, tools, and technologies that organizations around the world are employing to take advantage of cloud services and new application tech stacks.

Fielded from November 21 to December 14, 2022, the survey gathered data from 2,500-plus respondents in seven countries, including the United States, Australia, Germany, France, Japan, Singapore, and the United Kingdom.

• All major industries were included in the sample, with representation from consumer products and services, energy resources and industrials, financial services, healthcare, technology, media, and telecommunications.
• More than 50% of the sample came from enterprise-sized organizations (over $1B in annual revenue).
• Respondents were split evenly between executive leadership and practitioner-level roles to understand sentiments broadly across organizations. Practitioner-level respondents were restricted to those who work in development, IT or information security functions.
• All respondents reported themselves knowledgeable and familiar with their organization's cloud operations and cloud security and were sourced from professional survey panels.

Palo Alto Networks partnered with The Fossicker Group, a majority woman-owned, full-service research firm, on all elements of this year's report, including survey design, fieldwork, analysis, narrative, data visualizations, and report design.

CLOUD MIGRATION IS STILL GROWING

Similar to years past, organizations in 2023 have shifted toward more public hosting of their cloud workloads. Fifty-three percent of cloud workloads are hosted on public clouds, an increase of 8% in the past year. Platform as a service (PaaS) and serverless were the dominant application execution environments. Regionally, we did not identify significant differences in cloud workloads hosted publicly among North America (NAM), Asia, Pacific, and Japan (APJ), and Europe, the Middle East, and Africa (EMEA).

[Figure 1. % Workload Distribution by Architecture Type, 2023 (panel: Application Execution Environments; Containers 18%)]

[Figure 2. % Cloud Workloads Publicly Hosted by Region, 2023]

What drives organizations to expand to the cloud? The top reason is building new and expanding existing products and services, followed closely by the desire to increase efficiency and agility. But security considerations continue to impede the ability of enterprises to address risks and take advantage of the cloud.

Top Five Reasons for Expanding to the Cloud

• Building new and expanding existing products and services
• Increasing efficiency and agility
• Creating new processes and workflows
• Mitigating business and regulatory risk
• Expanding into new markets

CLOUD MIGRATION DOES NOT ALWAYS EQUATE WITH CLOUD-NATIVE APPLICATIONS

Cloud native and lift and shift were the two most used methodologies for application deployment to the cloud, both preferred by a 10% margin to refactor or rebuild. This is the first time cloud native is at the forefront in application development.

Deployment to the cloud differed among the three regions. NAM had a higher proportion of cloud-native development compared to APJ and EMEA. APJ was split almost evenly between the three methods and EMEA had the highest percentage of lift and shift among the regions.

[Figure 3. Primary Method for Application Deployment to the Cloud, 2023]

[Figure 4. Primary Method for Application Deployment to the Cloud by Region, 2023]

Deployment methods shown in Figures 3 and 4:

• Lifted and Shifted (Migrated application to the cloud as-is or with only minor modifications)
• Refactored or Rebuilt (Migrated application to the cloud with significant modifications)
• Cloud-Native (Net new applications that were completely built in the cloud)

OVER TWO-THIRDS REPORTED HIGHER CLOUD TCO THAN EXPECTED

On average, organizations spent the largest proportion of their total cost of ownership (TCO) toward application migration costs. Despite this, all but one respondent said they will be expanding their cloud in the future. Survey respondents reported a 13% increase of workload moved to the cloud since the previous year and expect a further increase of 11% in the next 24 months.

Perhaps not surprisingly, a greater number of C-suite respondents calculate TCO as higher than expected (70%+) vs practitioner-level respondents (63%). Related to this, almost 60% of C-suite respondents reported higher than expected security costs as compared to less than 50% of practitioners.

[Figure 5. Percentage Workload in the Cloud, 2023 (Previous 12 Months: 40%)]

In the next 24 months, respondents expect an 11% increase in workload moved to the cloud.

NOW TRENDING: #CLOUDMIGRATION

Cloud migration is forecasted to continue, but what does that really mean? It depends who you ask.

For a cloud architect, cloud migration means utilizing a mix of application migration methods, such as lift and shift, refactoring, and cloud-native development. Depending on timelines, budget, underlying technology, and corporate compliance, each method can take a different path. These architectural decisions result in a mix of workload technologies to run the applications, such as serverless, containers (self-hosted or managed), platform as a service (PaaS), and virtual machines (VMs). VMs are still a dominant architecture for hosting workloads, but serverless and PaaS are expected to experience further growth, as 70+% of respondents reported an expected increase in usage over the next 24 months.

For a developer, migrating to the cloud is an opportunity to adopt DevOps and accelerate the application development lifecycle. In fact, 77% are deploying new or updated code to production weekly, and 38% are committing new code daily. With respondents reporting that deployment frequency has increased by 67% in the past twelve months, it's clear that the drive from code to cloud is only accelerating.

For a security professional, the challenge in migrating to the cloud is about more than the migration of apps and data. Modern architectures and tech stacks for building, deploying and running applications require a new approach employing application-aware tools, products, and methodologies. In view of the expansive attack surface, securing cloud native architectures must be the security professional's objective.

APPLICATION VELOCITY IN CLOUD-NATIVE ENTERPRISES

Two-thirds of all enterprises say that deployment frequency has increased or significantly increased over the past year, and 38% of enterprises deploy code to production or release to end users every day, with 17% deploying multiple times a day.

[Figure 6. Frequency of Deployment of Code to Production or Release to End Users, 2023]

A third of enterprises reported operating with internal SLOs (service level objectives) of less than a day of lead time for changes, and 38% expected service restorations within a day.

Sixty-eight percent of all survey respondents reported increased deployment frequency. What's more, 64% also reported increased lead time for changes. Deployment frequency and lead time for changes measure velocity. So if enterprises are not achieving and sustaining their velocity performance goals, it can point to inefficiencies in the DevOps process. Increases in both arenas may suggest that pressure faced by security professionals (who are outnumbered by developers 10:1) is taking a toll amid increases in application velocity.

We went a step further and looked at how nimble enterprises were responding to change, specifically deployment frequency and their lead time for change in the last 12 months. Among cloud-native enterprises, more than 60% reported an increase in deployment frequency in the previous year. For that same period, only 48% reported an increase in lead time for change.

Changes to Deployment Frequency over the Last 12 Months

                  Total   Cloud-Native   Non-Cloud-Native
Increased         68%     61%            68%
Stayed the Same   22%     28%            22%
Decreased         10%     11%            10%

Figure 7. Changes to Deployment Frequency Over the Last 12 Months, 2023

OBSTACLES TO CLOUD ADOPTION AND EXPANSION

Over-tooling leads to an overly complex cloud environment.

Although application and workload cloud migration is high, the growth rate is slightly lower than last year. Some of this can be attributed to current macroeconomic conditions. When asked about the challenges they have faced in moving to the cloud, the top five responses given by organizations were not financially related. In fact, budget only increased as a concern by 2 points from 2020. Compared to three years ago, the greatest change came in reporting on the lack of talent, which increased by 11 points.

Interestingly, the top five concerns are inextricably linked to the top-ranked concern: technical complexity. Complex environments require higher levels of talent and adaptiveness to changing technology, are more difficult to secure comprehensively, more difficult to gain visibility across, and result in greater compliance challenges.

When looking at C-suite and non-C-suite responses, the C-suite rated lack of talent or consulting services as a bigger challenge than non-C-suite respondents (aka, those likely to be implementers) who viewed technical complexity as a greater challenge to cloud migration.

On average, organizations rely on 30+ tools for overall security and six to ten tools dedicated to cloud security. (What's Next in Cyber, Palo Alto Networks)

Upwards of 75% of our State of Cloud-Native Security survey respondents reported that the number of cloud security tools they use creates blind spots that affect their ability to prioritize risk and prevent threats. Why are so many tools being utilized? It's telling that 77% of organizations struggle to identify what security tools are necessary to achieve their objectives.

Top 5 Challenges in Moving to the Cloud

• Technical complexity
• Lack of talent and/or consulting services
• Maintaining comprehensive security
• Lack of visibility across services and providers
• Meeting compliance requirements

77% of organizations struggle to identify what security tools are necessary to achieve their objectives.

76% of respondents say the number of cloud security tools they use create blind spots.

Complexity, it seems, is impeding security, and that's a problem. Greater than 60% of organizations surveyed have been operating in a cloud environment for three or more years, but technical complexities and maintaining comprehensive security still hamper their cloud migration efforts.

IMPLICATIONS FOR SECURITY TEAMS

As vulnerabilities and misconfigurations move upstream, new application level risks are emerging.

Of the five security metrics we analyzed, less than a quarter of respondents saw outcomes similar to last year. Over the previous 12 months, key security metrics worsened. Ninety percent of respondents say their organization cannot detect, contain, and resolve threats within an hour. Regarding visibility into vulnerabilities across cloud resources, more than 30% of respondents indicated that lack of visibility created a challenge to ensuring comprehensive security. While compliance violations were at the bottom of the list, 25% of organizations still experienced a significant compliance violation.

Top 5 Security Incidents

• Risk introduced early in application development
• Workload images with vulnerabilities or malware
• Vulnerable web applications and APIs
• Unrestricted network access between workloads
• Downtime due to misconfiguration

Five Key Security Metrics

• Mean time to detect
• Mean time to remediate
• Number of breaches
• Number of intrusion attempts
• Unplanned downtime

of organizations cannot detect, contain, and resolve cyber threats within an hour.

There's a limit, though, to how much shift-left responsibility developers can and want to handle. More than 75% of respondents said that developers are held accountable for writing insecure code, and more than 80% said they understand their responsibility to deliver security across the development lifecycle. Security is not their primary responsibility. Security teams should provide development teams with the tools they need, according to 80% of survey respondents. Organizations have largely distributed responsibility
