Half of the security decision makers (SDMs) in the study believe security risks are higher in the cloud than on premises, citing several issues that contribute to those risks. The most common cloud-related security incidents respondents have experienced are:

• Security incidents during runtime (47%)
• Unauthorised access (37%)
• Misconfigurations (41%)
• Major vulnerabilities that have not been remediated (27%)
• A failed audit (23%)

The key operational and security concerns that SDMs have in relation to moving to the cloud are:

• Hijacking of accounts, services or traffic (41%)
• Malware or ransomware (30%)
• Privacy/data access issues (33%)
• Unauthorised access (33%)
• Nation state attacks (18%)

"Attackers are now on board with business' shift to cloud computing," says Venafi vice president of security strategy and threat intelligence Kevin Bocek. "The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks."

The study also investigated how responsibility for securing cloud-based applications is currently assigned across internal teams. This varies widely across organisations, with operations teams responsible for cloud infrastructure (30%) the most likely to manage app security in the cloud. This is, followed by enterprise security teams (21%), a collaborative effort shared between multiple teams (22%), developers writing cloud applications (20%) and DevSecOps teams (4%). However, the number of security incidents indicates that none of these models are effective at reducing security incidents.

When asked who should be responsible for security cloud-based applications, again, there was no clear consensus. The most popular option shares responsibility between cloud infrastructure operations teams and enterprise security teams (24%). The next most popular options are share responsibility across multiple teams (23%), leaves responsibility with developers writing cloud applications (13%) and DevSecOps teams (19%).

The challenges connected with shared responsibility models is that security teams and development teams have very different goals and objectives. Developers need to move fast to accelerate innovation while security teams often do not have visibility into what development teams are doing. Without this visibility, security teams cannot evaluate how those controls stack up against security and governance policies.

"Security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they're left out of cloud security decisions," continued Bocek. "Developers are making cloud-native tooling and architecture decisions that decide approaches to security without involving security teams. And now we can see the results of that approach: security incidents in the cloud are rapidly growing. We need to reset the approach to cloud security and create consistent, observable, controllable security services across clouds and applications. Architecting in a control plane for machine identity is a perfect example a new security model created specifically for cloud computing. This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers."

For more information about this research, please read the blog: https://www.venafi.com/blog/81-companies-have-had-had-cloud-security-incident-last-year-venafi-research.

About the research

Conducted by Sapio in July 2022, Venafi's study evaluated the opinions of 1,101 security decision makers across the United States, United Kingdom, France, Germany, Benelux (Belgium, Netherlands, Luxembourg) and Australia.

About Venafi

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines—from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift.

An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management. Jetstack's open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies and defence organisations by providing enterprise platform and security teams the power to build, scale and security their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity management solutions for the world's most demanding, security-conscious organisations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top US retailers; and the top four banks in each of the following countries: the US, the UK, Australia and South Africa.

For more information visit www.venafi.com and www.jetstack.io.