Investment in cloud security increases alongside perception of improved cloud security

451 Research’s Information Security, Cloud Security 2022 study examines how enterprise information security programs are approaching securing the cloud, including cloud-specific security pain points and investments in information security tools to address those issues. It also looks at implementation plans specifically for cloud-native security offerings.

The take

The percentage of information security budgets specifically applied to securing cloud infrastructure was cited at 22% in 2018. It rose to 26% in 2020, and security managers reported it at 33% for 2022. A couple of factors are at work here. First, enterprise IT continues to grow more dependent on cloud provider offerings. Second, along with this increasing dependence, enterprises continue to invest more in securing data and infrastructure placed in the cloud. Perceptions of cloud security continue to improve alongside increased investment. Two in five enterprises (41%) say they are willing to use the cloud for any application regardless of whether the application is considered “high risk” — for example, those that use or store sensitive data. This is up from 27% in 2015. More than half (59%) of security managers surveyed say their security monitoring in the cloud would be the first indication of a data breach, up from 40% saying the same in 2015, which indicates continued improvement in the shared responsibility model inherent in leveraging cloud services.

Summary of findings

Security leaders responding to the study cite a variety of pain points, led by the complexity of managing cloud configurations (22%), identity management and authorization in the cloud (20%), and compliance-related issues including control over third-party requests (19%). A lack of cloud security expertise (16%) mirrors findings in our recent research on organizational behavior and the labor market. Additional common pain points are data residency issues (15%), which are generally country-level regulatory/compliance concerns, and the ease of conducting vulnerability assessments against cloud resources (16%). Difficulty delineating the bounds of shared responsibility (12%) — i.e., determining which security details a cloud provider is responsible for versus what responsibilities fall on the customer — remains an issue, but is down significantly from 2021’s 21%, indicating improved understanding of this model on the part of cloud services consumers.

To address these concerns, security practitioners must find the right mix of security tooling (from the cloud providers themselves and third-party security offerings) to reduce risk to an acceptable posture for their enterprises. Currently, 50% of security respondents say they actively leverage default security tools from cloud providers (theoretically 100% have access to such tooling), 54% say they are paying for premium security offerings from cloud providers, and 40% are paying for third-party security products. Looking to 2023, 43% plan on acquiring additional premium security tooling or products from their cloud providers, and 32% plan to acquire additional third-party vendor tools and services for the cloud.

What is an AI Datacenter?

While fundamentally different than IaaS, SaaS security is a separate issue that many security managers must consider as large parts of the application footprint of large enterprises are entirely dependent on SaaS applications. While part of the security picture necessarily depends on the security implemented by those SaaS providers themselves, there are also security products that allow for security monitoring and protection across SaaS applications. When asked what features most influence the purchase of such SaaS security products, the three most cited features are data leakage prevention (24%), malware detection (22%) and encryption (18%). Multifactor authentication is also noted as a key feature by 18%, and single sign-on is cited by 16%.

Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.