How Far Have IT Security Practitioners Come in Learning How to Better Secure Cloud Assets?

by Paula Musich, Research Director, Enterprise Management Associates


If IT executives and security practitioners gave the people responsible for securing their organizations’ digital assets in the cloud a report card on their progress, what would it look like? Would they give their peers a passing grade in their efforts to secure sensitive data stored in the cloud? Would they give them a failing grade? Or, would they give them straight As? In a late 2020 research project, Enterprise Management Associates sought to answer those questions and gauge how far IT security practitioners have come in learning how to better secure cloud assets.

Over the last several years, as IT continued to lose control over data stored in the cloud via shadow IT initiatives, IT security teams experimented with different approaches to securing cloud-based data, workloads, and applications. No longer the department of no, IT security teams have embraced the need to adapt their security practices to better align with line of business users to access a variety of different cloud services and work with application development teams to ensure the security of cloud-native code. With the acceleration of cloud migrations and digital transformation initiatives brought on by the global pandemic, it is even more urgent for IT security teams to understand the unique requirements of cloud security.

How far have they come? Overall, their colleagues gave them high marks for achieving consistent security parity across the various cloud providers their organizations use (44% very well and 51% well), their level of knowledge of cloud security requirements (37% extremely knowledgeable and 50% very knowledgeable), and their understanding of the shared responsibility model (55% very well, 39% well). The survey respondents, who mostly had some level of involvement in acquiring and using cloud security tools, also placed great confidence in their colleagues’ awareness of all cloud usage in their organizations (41% extremely confident and 49% very confident) and in their knowledge and categorization of all data stored in the cloud (40% extremely confident and 47% very confident).

However, in diving deeper into specific types of cloud usage, some cracks appeared below the surface. For example, when asked to rate the security team’s level of visibility into their organization’s SaaS usage on a scale of one to five, with one being the highest level of visibility, only 18% of respondents gave it a one and only 27% gave it a two. Another 27% gave it a four. These percentages improved ever so slightly for rating PaaS usage visibility, then slightly again for visibility into IaaS usage.

When respondents were asked to demonstrate their own level of knowledge of the shared responsibility model that describes what the cloud provider is responsible for securing and what the cloud customer is responsible for, the cracks deepened. When asked about who is responsible for securing virtual machines, applications, and users accessing cloud data and applications, about half of the respondents erroneously indicated it was the cloud provider’s responsibility. Sixty-three percent erroneously said that the cloud provider was responsible for securing virtual network connections. Just under half of the respondents also incorrectly said that the cloud customer is responsible for securing the cloud provider’s physical data center and physical data center networks.

These respondents were not necessarily responsible for securing their organizations’ cloud-based data, applications, and workloads, and it’s possible that more detailed knowledge is embedded in those charged with becoming subject matter experts in cloud security. In addition, it’s not always the security operations team’s responsibility to secure cloud-based assets. The research found that 46% of respondents indicated security operations had that responsibility, followed by 28% indicating a cloud operations group had that responsibility. The rest were spread out across different groups, including network operations, development operations, and infrastructure teams. In some cases, that responsibility is shared between two different groups.

The mass adoption of cloud computing in all its forms created a broad and expanding attack surface that attracts bad actors who are happy to exploit a lack of understanding about how cloud services are architected. Headlines blare out the latest dangerous misconfiguration mistakes. Enterprises will have to devote more resources to building up their level of knowledge and expertise in securing cloud assets. There has been real, albeit hard-won, progress in the quest to achieve better and more flexible cloud security, but it is still a work in progress.

Get more research highlights when you attend my free research webinar, Securing Cloud Assets: How Security Pros Grade Their Own Progress, on February 23.