Ermetic released the findings of a research study conducted by Osterman Research on the cloud security maturity level of organizations in North America. The survey found that 84% of respondents were at an entry level (one or two) in terms of their cloud security capabilities and only 16% ranked at the top two levels. Meanwhile, 80% of companies reported they lack a dedicated security team responsible for protecting cloud resources from threats. The survey also revealed the top five priorities that all highly mature companies have in common when it comes to cloud security.
Osterman Research surveyed 326 organizations in North America with 500 or more employees that spend a minimum of $1 million each year on cloud infrastructure, to establish an industry baseline against the Ermetic Cloud Security Model. The model was designed to provide organizations with a lightweight framework for determining their maturity level (1 - Ad Hoc, 2 - Opportunistic, 3 - Repeatable, 4 - Automated & Integrated) across multiple domains, while allowing them to develop a specific, actionable roadmap for advancing their capabilities.
"One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed," said Michael Sampson, senior analyst for Osterman Research and author of the report. "Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities."
Other Report Highlights
- Demonstrable ROI: 42% of companies investing more than 50 hours per week on cloud security are achieving the highest levels of maturity (Levels 3 and 4)
- Bigger not better: Only 7% of companies with more than 10,000 employees were at level three or four in terms of maturity, compared with 18% for companies with between 2,500 and 9,999 employees, and 24% for companies with 500 to 2,499 employees
- Overall, maturity is low: 84% of companies were at level one or two (41.5% Ad Hoc and 42.5% Opportunistic) and only 16% at level three or four (11.1% Repeatable and 4.9% Automated & Integrated)
- More clouds doesn't equal more maturity: the percentage of companies that ranked at the highest levels of maturity (3 & 4) decreased with multicloud usage. For example, the share of organizations achieving Repeatable or Automated & Integrated security capabilities dropped nearly 50% when going from one (10%) to three (6%) cloud platforms
- Shared blind spot: 81% of organizations lack full visibility into all resources that are directly accessible from the Internet
"This survey makes two things very clear. Without the right tools, spending lots of time and resources on cloud security will not necessarily make you more secure," said Shai Morag, CEO of Ermetic. "And, by focusing on the right priorities you can achieve a very high level of security maturity regardless of your organization's size."
Five Habits of Highly Mature Companies
Organizations that reported focusing on the five following security priorities achieved the highest levels (3 or 4) of maturity:
- Detecting general cloud misconfigurations (e.g., unencrypted resources, missing MFA)
- Achieving the ability to track and investigate activities performed by human users and applications/service accounts across the cloud infrastructure
- Establishing Just-in-Time (JIT) access for developers / DevOps / cloud operations teams to cloud infrastructure environments
- Evaluating and reporting on alignment with security best practices (e.g., AWS Well-Architected, CIS) and compliance standards (e.g., NIST, ISO, SOC 2, PCI-DSS)
- Achieving least privilege for identities in the cloud (both human identities and service accounts)
Resources
A full copy of the survey findings is available here.