April 24, 2024

451 Research: Highlights on Multicloud Security from Voice of the Enterprise

Download a PDF copy of the whitepaper

Multicloud multiplies the pain for information security – Highlights from Voice of the Enterprise: Information Security

Analysts - Daniel Kennedy

Publication date: Thursday, February 29 2024

Introduction

The 2023 VotE: Information Security, Cloud Security study explores the evolution of cloud security practices in enterprises, the mix of security solutions in place, the projected growth of specific cloud- native security technologies, and the key pain points identified in securing the cloud.

The Take

The most cited pain point in our latest Cloud Security 2023 study is difficulty in using the proprietary security stack at each cloud provider (21%). Our cloud-specific VotE studies have identified that the majority of organizations have two or more cloud providers in use; while many of these have a primary cloud vendor, a significant percentage of usage resides with secondary and tertiary providers.

That presents a challenge to enterprise information security professionals, who have a hand in selecting and operating the right mix of both default and premium security capabilities from the cloud provider's stack, as well as third-party cloud security tools. One only has to imagine the difficulty in managing a security operations center, which requires an AWS security expert, another for Azure and still another for Google Cloud Platform amid the general difficulty with security staffing, as well as a specific difficulty with staffing for cloud security skill sets alongside the issue of less than half of meaningful alerts not being investigated already, to realize the difficulties with this situation.

While information security teams should not govern decisions over cloud provider selection (that selection is best made by matching business requirements with the specific cloud provider that best meets them), the security team is nonetheless faced with this problem. One could view "above the cloud" third-party security as part of the answer, and it is a significant part of security cloud footprints (42%), but only 49% of these third-party tools are usable across multiple clouds in a multicloud scenario.

Summary of findings

As discussed above, the most commonly cited pain point with cloud security is the inherent complexity in managing security stacks and each major cloud provider. One practitioner laid out the challenge of maintaining the varying expertise required as follows:

“There is a significant investment and level of effort to deploy a multicloud infrastructure. As much as everybody likes to look at AWS or Azure and say, hey, at its core it's compute, networking and storage, there are hundreds of idiosyncrasies with each of these components and services. And so, if you embarked on a multicloud strategy, you are implicitly embarking down a road where you need subject matter experts in both clouds.”

- Midlevel management, 500-999 employees, $25 million-$49.99 million revenue, energy/utilities.

The average percentage of budgets allocated to securing cloud infrastructure rises to 40% in this study. This is up from 33% in 2022, and part of a larger pattern, as the percentage was 26% in 2020 and 22% in 2018. As organizations move deeper into leveraging the cloud for more workloads over time, the corresponding security spending as a percentage of all security spending continues to increase.

There is evidence that this increased cloud-targeted spending is making a meaningful difference in both the perception of cloud security itself, as well as the operational capabilities of security teams with cloud-hosted infrastructure. In 2015, only 27% of respondents said the public cloud could be used to support any project regardless of security requirements, even if considered "high risk." In 2023, that percentage was 51%. In terms of security posture maturity, in 2015, 40% of respondents said the first sign of a data breach would be triggered in their security monitoring as applied to the cloud (as opposed to answers that indicated a lack of understanding of the shared responsibility model, such as thinking the cloud provider would "tell them"). In 2023, the percentage of respondents noting the first sign of trouble would be triggered by their own security monitoring as applied to the cloud was 61%.

Enterprises note that it is a mix of security capabilities that allows them to maintain that security posture, with 52% leveraging default security tools from cloud providers, 44% paying for additional premium security capabilities from hyperscalers and 42% using third-party security tools in the cloud. Some 39% report future plans to leverage premium cloud security services, and 38% note additional third-party security tools will be part of their plans in the next year. In terms of specific cloud security offerings, 37% report plans around cloud-native application protection platforms, and 24% note plans around cloud infrastructure entitlement management in the next 12 months.

When it comes to offerings that secure an enterprise's estate of SaaS applications, identity concerns dominate the features enterprise practitioners are most interested in. This includes implementation of multi-factor authentication (cited by 32%), identity governance (22%) and privileged account management (22%).

Figure 1: Top security pain points in providing cloud security

451 Research Voice of the Enterprise Information Security Cloud Security 2023

Source: 451 Research's Voice of the Enterprise: Information Security, Cloud Security 2023.
Q. What are the top pain points with securing your organization's cloud infrastructure? Select up to three. Base: Respondents whose organization uses off-premises cloud architectures, abbreviated fielding (n=159). © 2024 S&P Global.