ESG recently surveyed 371 IT and cybersecurity professionals with responsibility for cloud programs at organizations in North America to get their input on how their data protection and security standards are evolving due to the composition of their cloud applications. To learn more and understand the results found from this study, VMblog spoke with Doug Dooley, chief operating officer at Data Theorem.
VMblog: Industry analyst firm Enterprise Strategy Group (ESG) recently conducted an independent study. What does the study cover and why was this data important to discover?
Doug Dooley: ESG completed this study to discover the composition of cloud-native applications, their challenges, and future priorities for securing cloud-native applications. Those participating in the study were from organizations that are mature cloud users in terms of public cloud services and/or container usage across a wide range of industries, and it was important to see what organizations are doing when it comes to securing their cloud-native apps, particularly with DevSecOps. This is because fundamental changes to application architectures and the infrastructure platforms that host them are antiquating existing cybersecurity technologies and challenging traditional approaches to protecting business-critical workloads.
VMblog: Before we jump into highlights of ESG's study, for those readers who are interested in much more of the results than we can cover today, where can they go to access the results for themselves?
Dooley: Yes, that is a good idea. Readers can access the full set of results we have available at https://www.datatheorem.com/resources/reports/esg-security-for-devops.
VMblog: What interested you the most about the findings and why?
Dooley: New applications and APIs are seeing explosive growth in the public cloud and mainstream acceptance appears to be accelerating. The ESG report results surprised us on the breadth and depth of enterprise adoption of cloud-native features only found in public cloud.
VMblog: What were the most important findings from the study?
Dooley: The most important findings were related to API security, serverless adoption, and the state of security automation for DevOps. For example, more than half of respondents indicated their organization's software developers are already using serverless functions to some extent, with another 44 percent either evaluating or planning to start using serverless within the next two years.
VMblog: What are some of the biggest revelations that were uncovered by this?
Dooley: The biggest revelation was revealed in the numbers on serverless application adoption. DevOps teams in the enterprise are building globally scalable apps simpler and cheaper, but securing them has become more challenging. Security automation for DevOps, or DevSecOps, is another area that has shown some adoption, but only the top 8 percent of enterprise organizations are using it to secure the majority of their cloud-native applications today. That number is far too small. The security industry will need to address this lack of security automation as more companies build apps and API services natively in the cloud.
VMblog: What results surprised you the most?
Dooley: We were surprised that API security was the highest ranked category for current or projected incremental spend. We hear so much about many of the other areas of security, such as malware prevention, data encryption, CSPM, CWPP, and container security. However, it was surprising to see API security as the clear #1 area where enterprises are focusing their energy and investments due to the enormity of data passing through APIs in the public cloud.
VMblog: How does the insight provided by the respondents underscore what your company offers?
Dooley: Our customers have been telling us for the past few years that API-driven microservices, serverless applications, modern web (SPA), and mobile applications are the bulk of their cloud-native application development growth. These areas are where Data Theorem has been investing in building our differentiated AppSec product portfolio to align with our customers' strategic direction in the cloud. The ESG report encourages us that we remain closely aligned with our enterprise customers and gives us an added sense of urgency because so many customers will need our help over the coming years.
VMblog: Did the ESG study reveal anything that impacts your market strategy?
Dooley: It's clear no single cloud provider can deliver the breadth of security controls necessary for most DevOps teams. And most DevOps teams have two or more public cloud providers for their business-critical apps. The ESG report highlights that we will need to deepen our partnerships with many of the top cloud providers to build better security capabilities and controls that work across multi-cloud environments, which are increasingly mainstream.
VMblog: What are the top three takeaways you want readers to understand from ESG's results?
Dooley: The top three takeaways are: (a) API security in the cloud, (b) DevSecOps automation, and (c) serverless adoption. API security is arguably the #1 area of incremental investment for DevOps to reduce the impact of a massive data breach. Automation has been a common practice that enables DevOps speed and scale. Security teams need to take advantage of similar automation techniques to keep pace with those application teams using CI/CD and DevOps practices. Serverless adoption is growing faster than most would have expected. The majority of companies are already using it today and it will significantly grow over the next 24 months. The architecture of serverless applications is so new and innovative that most traditional security tools do not interoperate, because there is no operating system (OS) or container access. Serverless apps require a new approach to conduct security analysis and protection.