Three key takeaways from the Snyk State of Cloud Security 2022 report

Cloud computing has changed the IT industry more than any other factor in the last two decades. Cloud technologies enable businesses to build, deploy, and scale applications faster than ever before. However, cloud customers have been plagued by a variety of security events over the past year, with data breaches, data exfiltration, and environmental intrusions among the most serious issues.

Snyk recently surveyed over 400 cloud engineering and security professionals and leaders across different organization types and industries. The findings, produced in collaboration with Propeller Insights, are presented in the Snyk State of Cloud Security 2022 report. This report takes a deep dive into the risks and challenges they face and where they are successfully managing those risks.

According to the State of Cloud Security 2022 Report, 80% of organizations suffered a major incident during the last year and 33% suffered a cloud data breach. In the resulting report, Snyk cloud security researchers combined analysis of survey data with observations from their own experience. There are three big points here.

The Cloud Native Application Case Brings New Security Challenges and Opportunities

The primary cloud use case is as a platform for hosting third-party applications or applications migrated from data centers. A quarter of Snyk survey respondents said their primary use for cloud environments is to develop and run applications natively in the cloud.

Teams using the cloud as a platform have created many innovations, including Infrastructure as Code (IaC), the coding process that developers use to build and manage the cloud infrastructure along with their applications.

Additionally, developers leveraging the cloud are increasingly taking advantage of cloud-native approaches such as containers and serverless “functions as a service” architectures.

These changes have security implications. Of the teams adopting a cloud-native approach, 41% confirmed that it increased security complexity. A cloud-native approach also requires teams to add security expertise and introduce additional security training. Cloud native also requires the adoption of new security tools and methodologies, such as a “shift left” approach.

Although building and running applications in the cloud presents new security challenges, teams using this approach experience fewer major security incidents. Two key takeaways from this report help explain why.

Developers are taking ownership of cloud security

Who owns cloud security? Depending on who you ask, you might get different answers. While IT departments own cloud security in about half of all organizations, 42% of cloud engineers say their teams are primarily responsible for cloud security. However, only 19% of engineering security professionals agree that these teams are doing the work.

This may be explained by the fact that cloud engineers put a lot of time and effort into cloud security tasks and are often looking for ways to automate and streamline these processes. The adoption of infrastructure as code for deploying and managing cloud environments gives engineers the opportunity to find and fix problems during development rather than after deployment, when fixes would require more time and resources. You can

Because the cloud is entirely software-defined, developers control the cloud computing infrastructure itself. When you build an application in the cloud, you are also building the infrastructure for your application, rather than buying lots of infrastructure and adding apps. It’s a coding process using Infrastructure as Code (IaC) and the developer owns the process.

Infrastructure as Code Security Delivers Big ROI

IaC security not only reduces the rate of misconfigurations, but also has significant benefits in improving engineering team productivity and speed of deployment. Inefficient cloud security processes are often the limiting factor in the speed at which teams move to the cloud, and IaC security can significantly improve speed and productivity.

Pre-deployment IaC security resulted in a median 70% reduction in misconfiguration rates in running cloud environments. While IaC security cannot prevent all runtime misconfigurations, a 70% reduction is significant and can substantially lower your organization’s risk.

Reducing the number of misconfigurations also directly impacts cloud engineering productivity. These teams can spend less time managing and remediating issues, so they can spend more time building and adding value to their organization.

What an effective cloud security team does

A clear majority of cloud security and engineering professionals also believe that the risk of a cloud data breach for their organization will increase over the next year, with only 20% expecting the risk to decrease.

Effective cloud security must prevent misconfigurations and architectural design vulnerabilities that enable cloud attacks. To be successful, it must focus on five basic areas:

  1. Know your environment: Maintain complete contextual awareness of the configuration state of your cloud environment, the applications running in it, and the SDLC used to develop, deploy, and manage them.
  2. Focus on prevention and secure design: Prevent situations that enable cloud breaches, such as resource misconfigurations and architectural design flaws. You can’t rely on the ability to detect and prevent attacks in progress.
  3. Empower cloud developers to build and operate securely: When engineers develop secure infrastructure as code, they can deliver secure infrastructure faster while avoiding time-consuming fixes and rework.
  4. Tune and automate Policy as Code (PaC): If security policies were only expressed in human language, they might not exist at all. PaC allows policies to be expressed in a language that other programs can use to verify correctness. It also allows all stakeholders to coordinate and operate under a single authoritative source of security policy.
  5. Measure what matters: Identify what matters most, such as reducing the incidence of misconfigurations, speeding up the approval process, and improving team productivity. Your security team should be ready to establish security baselines, set goals, measure progress, and demonstrate the security of your cloud environment.

By following these five steps, your security and engineering teams can work together to operationalize cloud security to reduce risk, accelerate innovation, and improve team productivity.
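To make the pre-deployment IaC check and the Policy as Code idea concrete, here is an added example (not from the Snyk report or any Snyk tool) that evaluates policies over a plan in the JSON shape produced by `terraform show -json`. The sample plan, the rule names and the two policies are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (trimmed).
PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
  {"address": "aws_security_group.admin", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["update"], "after": {"ingress": [
     {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

def no_public_bucket_acl(after):
    """Deny canned ACLs that make a bucket readable or writable by anyone."""
    if after.get("acl") in ("public-read", "public-read-write"):
        return "bucket ACL grants public access"

def no_world_open_ssh(after):
    """Deny ingress rules that expose port 22 to the whole IPv4 internet."""
    for rule in after.get("ingress") or []:
        open_to_world = "0.0.0.0/0" in (rule.get("cidr_blocks") or [])
        if open_to_world and rule["from_port"] <= 22 <= rule["to_port"]:
            return "SSH (22) open to 0.0.0.0/0"

# Single authoritative policy set: resource type -> rules (hypothetical names).
POLICIES = {
    "aws_s3_bucket_acl": [no_public_bucket_acl],
    "aws_security_group": [no_world_open_ssh],
}

def evaluate(plan):
    """Return (address, rule, message) for every planned resource that violates policy."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # resource is being deleted, nothing to check
            continue
        for rule in POLICIES.get(rc["type"], []):
            msg = rule(after)
            if msg:
                findings.append((rc["address"], rule.__name__, msg))
    return findings

if __name__ == "__main__":
    results = evaluate(PLAN)
    for address, rule, msg in results:
        print(f"DENY {address}: {msg} [{rule}]")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline step
```

Run as a pipeline step before apply, the non-zero exit blocks the deployment, which is where the misconfiguration is cheapest to fix.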
