THE STATE OF CLOUD-NATIVE SECURITY 2023 REPORT

THE ONLY CONSTANT IS CHANGE

Few can relate to the adage like cloud security professionals. Cloud security is dynamic and unpredictable, but the move to hybrid work has accelerated change and increased the complexity of application security. As cloud-native application development evolves, so too do organizations' cloud infrastructure (80% of survey respondents say their cloud infrastructure is evolving). What's more, the cloud has changed the application lifecycle, with DevOps now delivering production code at warp speed and security personnel struggling to keep pace. More than 75% of respondents from this year's survey are deploying new or updated code to production weekly, and almost 40% are committing new code daily. Add to that the ratio of ten developers for every security professional [1, 2] and the potential for challenges in scale and complexity is not difficult to understand.

In contrast to on-prem environments, cloud computing follows a shared responsibility model. Responsibility for the infrastructure (e.g., compute, networking, and storage) is held with the cloud service provider (CSP), and responsibility for security is shared between the CSP and their customers. But the sharing stops when it comes to responsibility for customers' applications, data, and access management. Organizations' security and development teams own this responsibility and must collaborate to successfully secure their cloud environments.

To equip these teams with the resources they need, it's necessary to understand the challenges they face (whether emergent or perennial), the solutions they use, and the effectiveness of solutions in helping them meet their responsibilities. How are organizations choosing security tools, and how are those tools being operationalized? Which practices are producing the best security outcomes, and which are hampering efforts? We explored these questions and others in our annual multi-industry survey on the state of cloud-native security.

1 Occupational Outlook Handbook: Software Developers, Quality Assurance Analysts, and Testers, Bureau of Labor Statistics
2 Occupational Outlook Handbook: Information Security Analysts, Bureau of Labor Statistics

WHAT DID WE FIND?

Shift-left security is accelerating. Since unaddressed vulnerabilities can be exploited in production, it's critical to catch and fix these vulnerabilities early in the application development lifecycle. Our survey revealed that risks introduced early in application development are the #1 concern. Known vulnerabilities, embedded malware, and sensitive data, such as secrets or configuration data, are some examples of early risks. To catch emergent threats upstream, security teams turn to tools such as code repo scanning, software composition analysis (SCA), and registry scanning.

Decisions on tooling have become clouded by complexity. Overwhelmed by the proliferation of discrete tooling options, more than 75% of respondents reported that their organization struggles to identify which security tools can help them meet their needs. The sheer number and role of each discrete tool can present operational headaches and further isolate silos, often creating blind spots in an organization's security posture.

Collaboration across teams is essential to better security outcomes. Unlike traditional security, the cloud requires users to unite disparate teams around a common goal. To do this, organizations need to be intentional about breaking down silos. Our survey shows 81% of enterprises have embedded security professionals in their development and operations teams. From here, organizations must stay attuned to friction as it arises and develop a security architecture that inspires confidence and doesn't slow DevOps processes down.

TABLE OF CONTENTS
Executive Summary
Key Findings
Introduction
How Enterprises Are Migrating to the Cloud
Application Velocity in Cloud-Native Enterprises
Cloud Complexity
Implications for Security Teams
How Enterprises Are Approaching Security
How Application Developers Are Shaping Security
The Path Forward
Recommendations

The third annual State of Cloud-Native Security Report examines the evolving security practices, tools, and technologies that organizations around the world are employing to take advantage of cloud services and new application tech stacks. Fielded from November 21 to December 14, 2022, the survey gathered data from 2,500-plus respondents in seven countries, including the United States, Australia, Germany, France, Japan, Singapore, and the United Kingdom.

- All major industries were included in the sample, with representation from consumer products and services, energy resources and industrials, financial services, healthcare, technology, media, and telecommunications.
- More than 50% of the sample came from enterprise-sized organizations (over $1B in annual revenue).
- Respondents were split evenly between executive leadership and practitioner-level roles to understand sentiments broadly across organizations. Practitioner-level respondents were restricted to those who work in development, IT or information security functions.
- All respondents reported themselves knowledgeable and familiar with their organization's cloud operations and cloud security and were sourced from professional survey panels.

Palo Alto Networks partnered with The Fossicker Group, a majority woman-owned, full-service research firm, on all elements of this year's report, including survey design, fieldwork, analysis, narrative, data visualizations, and report design.

CLOUD MIGRATION IS STILL GROWING

Similar to years past, organizations in 2023 have shifted toward more public hosting of their cloud workloads. Fifty-three percent of cloud workloads are hosted on public clouds, an increase of 8% in the past year. Platform as a service (PaaS) and serverless were the dominant application execution environments. Regionally, we did not identify significant differences in cloud workloads hosted publicly among North America (NAM), Asia, Pacific, and Japan (APJ), and Europe, the Middle East, and Africa (EMEA).

Figure 1. % Workload Distribution by Architecture Type, 2023
Figure 2. % Cloud Workloads Publicly Hosted by Region, 2023

What drives organizations to expand to the cloud? The top reason is building new and expanding existing products and services, followed closely by the desire to increase efficiency and agility. But security considerations continue to impede the ability of enterprises to address risks and take advantage of the cloud.

Top Five Reasons for Expanding to the Cloud
1. Building new and expanding existing products and services
2. Increasing efficiency and agility
3. Creating new processes and workflows
4. Mitigating business and regulatory risk
5. Expanding into new markets

CLOUD MIGRATION DOES NOT ALWAYS EQUATE WITH CLOUD-NATIVE APPLICATIONS

Cloud native and lift and shift were the two most used methodologies for application deployment to the cloud, both preferred by a 10% margin to refactor or rebuild. This is the first time cloud native is at the forefront in application development. Deployment to the cloud differed among the three regions. NAM had a higher proportion of cloud-native development compared to APJ and EMEA. APJ was split almost evenly between the three methods, and EMEA had the highest percentage of lift and shift among the regions.

Figure 3. Primary Method for Application Deployment to the Cloud, 2023 (Lifted and Shifted: migrated application to the cloud as-is or with only minor modifications; Refactored or Rebuilt: migrated application to the cloud with significant modifications; Cloud-Native: net new applications that were completely built in the cloud)
Figure 4. Primary Method for Application Deployment to the Cloud by Region, 2023

OVER TWO-THIRDS REPORTED HIGHER CLOUD TCO THAN EXPECTED

On average, organizations spent the largest proportion of their total cost of ownership (TCO) toward application migration costs. Despite this, all but one respondent said they will be expanding their cloud in the future. Survey respondents reported a 13% increase of workload moved to the cloud since the previous year and expect a further increase of 11% in the next 24 months. Perhaps not surprisingly, a greater number of C-suite respondents calculate TCO as higher than expected (70%+) vs practitioner-level respondents (63%). Related to this, almost 60% of C-suite respondents reported higher than expected security costs as compared to less than 50% of practitioners.

Figure 5. Percentage Workload in the Cloud, 2023

In the next 24 months, respondents expect an 11% increase in workload moved to the cloud.

NOW TRENDING: #CLOUDMIGRATION

Cloud migration is forecasted to continue, but what does that really mean? It depends who you ask.

For a cloud architect, cloud migration means utilizing a mix of application migration methods, such as lift and shift, refactoring, and cloud-native development. Depending on timelines, budget, underlying technology, and corporate compliance, each method can take a different path. These architectural decisions result in a mix of workload technologies to run the applications, such as serverless, containers (self-hosted or managed), platform as a service (PaaS), and virtual machines (VMs). VMs are still a dominant architecture for hosting workloads, but serverless and PaaS are expected to experience further growth, as 70+% of respondents reported an expected increase in usage over the next 24 months.

For a developer, migrating to the cloud is an opportunity to adopt DevOps and accelerate the application development lifecycle. In fact, 77% are deploying new or updated code to production weekly, and 38% are committing new code daily. With respondents reporting that deployment frequency has increased by 67% in the past twelve months, it's clear that the drive from code to cloud is only accelerating.

For a security professional, the challenge in migrating to the cloud is about more than the migration of apps and data. Modern architectures and tech stacks for building, deploying and running applications require a new approach employing application-aware tools, products, and methodologies. In view of the expansive attack surface, securing cloud-native architectures must be the security professional's objective.

APPLICATION VELOCITY IN CLOUD-NATIVE ENTERPRISES

Two-thirds of all enterprises say that deployment frequency has increased or significantly increased over the past year, and 38% of enterprises deploy code to production or release to end users every day, with 17% deploying multiple times a day.

Figure 6. Frequency of Deployment of Code to Production or Release to End Users, 2023

A third of enterprises reported operating with internal SLOs (service level objectives) of less than a day of lead time for changes, and 38% expected service restorations within a day. Sixty-eight percent of all survey respondents reported increased deployment frequency. What's more, 64% also reported increased lead time for changes. Deployment frequency and lead time for changes measure velocity. So if enterprises are not achieving and sustaining their velocity performance goals, it can point to inefficiencies in the DevOps process. Increases in both arenas may suggest that pressure faced by security professionals (who are outnumbered by developers 10:1) is taking a toll amid increases in application velocity.

We went a step further and looked at how nimble enterprises were responding to change, specifically deployment frequency and their lead time for change in the last 12 months. Among cloud-native enterprises, more than 60% reported an increase in deployment frequency in the previous year. For that same period, only 48% reported an increase in lead time for change.

Changes to Deployment Frequency over the Last 12 Months
                   Total   Cloud-Native   Non-Cloud-Native
Increased          68%     61%            68%
Stayed the Same    22%     28%            22%
Decreased          10%     11%            10%
Figure 7. Changes to Deployment Frequency Over the Last 12 Months, 2023

OBSTACLES TO CLOUD ADOPTION AND EXPANSION

Over-tooling leads to an overly complex cloud environment.

Although application and workload cloud migration is high, the growth rate is slightly lower than last year. Some of this can be attributed to current macroeconomic conditions. When asked about the challenges they have faced in moving to the cloud, the top five responses given by organizations were not financially related. In fact, budget only increased as a concern by 2 points from 2020. Compared to three years ago, the greatest change came in reporting on the lack of talent, which increased by 11 points. Interestingly, the top five concerns are inextricably linked to the top-ranked concern: technical complexity. Complex environments require higher levels of talent and adaptiveness to changing technology, are more difficult to secure comprehensively, are more difficult to gain visibility across, and result in greater compliance challenges.

When looking at C-suite and non-C-suite responses, the C-suite rated lack of talent or consulting services as a bigger challenge than non-C-suite respondents (aka, those likely to be implementers), who viewed technical complexity as a greater challenge to cloud migration.

On average, organizations rely on 30+ tools for overall security and six to ten tools dedicated to cloud security (source: What's Next in Cyber, Palo Alto Networks). Upwards of 75% of our State of Cloud-Native Security survey respondents reported that the number of cloud security tools they use creates blind spots that affect their ability to prioritize risk and prevent threats. Why are so many tools being utilized? It's telling that 77% of organizations struggle to identify what security tools are necessary to achieve their objectives.

Top 5 Challenges in Moving to the Cloud
1. Technical complexity
2. Lack of talent and/or consulting services
3. Maintaining comprehensive security
4. Lack of visibility across services and providers
5. Meeting compliance requirements

77% of organizations struggle to identify what security tools are necessary to achieve their objectives.
76% of respondents say the number of cloud security tools they use creates blind spots.

Complexity, it seems, is impeding security, and that's a problem. Greater than 60% of organizations surveyed have been operating in a cloud environment for three or more years, but technical complexities and maintaining comprehensive security still hamper their cloud migration efforts.

IMPLICATIONS FOR SECURITY TEAMS

As vulnerabilities and misconfigurations move upstream, new application-level risks are emerging.

Of the five security metrics we analyzed, less than a quarter of respondents saw outcomes similar to last year. Over the previous 12 months, key security metrics worsened. Ninety percent of respondents say their organization cannot detect, contain, and resolve threats within an hour. Regarding visibility into vulnerabilities across cloud resources, more than 30% of respondents indicated that lack of visibility created a challenge to ensuring comprehensive security. While compliance violations were at the bottom of the list, 25% of organizations still experienced a significant compliance violation.

Top 5 Security Incidents
1. Risk introduced early in application development
2. Workload images with vulnerabilities or malware
3. Vulnerable web applications and APIs
4. Unrestricted network access between workloads
5. Downtime due to misconfiguration

Five Key Security Metrics
- Mean time to detect
- Mean time to remediate
- Number of breaches
- Number of intrusion attempts
- Unplanned downtime

There's a limit, though, to how much shift-left responsibility developers can and want to handle. More than 75% of respondents said that developers are held accountable for writing insecure code, and more than 80% said they understand their responsibility to deliver security across the development lifecycle. Security is not their primary responsibility. Security teams should provide development teams with the tools they need, according to 80% of survey respondents. Organizations have largely distributed responsibility