Sponsored by
Cloud computing has evolved over the years from a nice-to-have item on the IT wish list to a
core technology driving business initiatives. But despite widespread adoption, cloud-based
IT systems continue to be saddled with issues related to data security, privacy, and resilience.
Here’s an in-depth look at what IT teams are thinking and doing when it comes to the cloud.
State of the Cloud:
A Security Perspective
March 2022
Dark Reading Reports
TABLE OF CONTENTS
Sumo Logic Perspectives: Accelerate Your Security Modernization Now
About the Author
Executive Summary
Research Synopsis
State of the Cloud: A Security Perspective
Security in Question
Something to Believe In
The Trials of Ownership
Strategies Vary Across the Board
Avoiding the Crowds
Who’s Keeping Watch
Backup Making Waves
Locked and Loaded
Scanning the Horizon
Conclusion
Appendix
Figures
Figure 1: Majority of Computing in the Cloud
Figure 2: Cloud Services in Use
Figure 3: Biggest Concerns About Cloud Computing
Figure 4: Cybersecurity Beliefs
Figure 5: Ransom Paid in Attack
Figure 6: Role of Data Privacy
Figure 7: Number of Cloud Applications in Use
Figure 8: Number of Cloud Service Providers
Figure 9: Evaluating Security of Data in the Cloud
Figure 10: Leading Incident Response Effort
Figure 11: Backing Up Data to the Cloud
Figure 12: Percentage of Data Regularly Backed Up to the Cloud
Figure 13: Backup Strategies
Figure 14: Main Cloud Backup Solution
Figure 15: Respondent Job Title
Figure 16: Respondent Company Size
Figure 17: Respondent Industry
Accelerate your Security Modernization Now
by Girish Bhat, VP, Security, Platform Marketing and Competitive Intel, Sumo Logic
SPONSORED CONTENT
Sumo Logic Perspectives
Introduction
Digital transformation continues to
revolutionize the way businesses operate,
providing a foundational shift in how they
meet market demands and deliver value to
customers. The result is a modern digital
footprint that now covers cloud, multicloud,
on-premises, and software-as-a-service
(SaaS) applications — not to mention third-
party supply chain and partner considerations.
This has created a shift toward the
convergence of security operations (SecOps)
and developer operations (DevOps), leading
IT and security leaders to rethink their people,
processes, and technologies to modernize
their applications and security. Modernization,
as a concept, has multiple interpretations.
At the core, the main aspect is that security
covers all of the components of a modern
enterprise. There are many vectors, and those
vectors are ever-changing, so the challenge is
for the tools and the people to keep up. Also,
how does the current drive toward automation
fit with the traditional analyst processes in the
SOC?
Challenges That Impede Efforts to Modernize Security
Undoubtedly, the ways companies conduct business have changed significantly in recent years. Does your security really need to be modernized?
In a recent survey, 59% of enterprises admitted experiencing a material or significant breach.[1]
Despite the fact that SOC team spend dominates an organization’s cybersecurity budget, more than 50% were ineffective in protecting their organizations from attacks.[2]
With these validating numbers, yes, security operations are prime for an update, but what are the main challenges teams face today?
Cloud Security Gaps
While organizations embrace
digital transformation to advance
their businesses, security tools
and processes must evolve to
enable these initiatives securely.
But not all security tools are
designed to natively support the
cloud, which requires retooling.
Expanded Attack Surface
IDC predicts that 60% of IT
infrastructure spend will be
allocated to the cloud by
2025. This cloud adoption and
mobile-enabled everything
has introduced a much
greater attack surface for
cybercriminals.
Security teams need real-time,
prioritized insights into the
organization’s security posture
that enable rapid response to
attacks as they occur.
Operational Inefficiency and
Lack of Agility
With business operations spread
across multiple environments
and geographies, efficient
management becomes
exponentially harder.
Security teams are also unable
to act with agility when they
have incomplete visibility of the
distributed infrastructure.
Too Many Tools
One of the biggest trends in
cybersecurity over the last few
years is the rapid increase in
technology adoption, often
resulting in SecOps navigating
across 50+ tools.
This large volume of discrete
tools creates a complex security
environment that diminishes
efficiency and introduces
challenges to modernizing
security operations.
[1] EY Global Information Security Survey 2020
[2] Ibid
Automation Unlocks the Keys to the
Modern Enterprise
Why is automation so important to the modern enterprise? The answer lies in knowing your attackers. A look at the direction adversaries are headed provides the target for where security operations need to go — and that’s automation. It’s too late to wait until an incident occurs to react.
With cybercriminals building a framework at scale to launch sophisticated attacks, the future is likely to see adaptive and automated attack engines that are offered as a service.
The key is for the industry to accept some hard truths. For example, the average enterprise experiences perhaps a couple dozen security incidents a year. Yet it must manage thousands or tens of thousands of alerts in a much shorter time frame. In other words, while incidents and near misses are quantitatively small in number, the time spent managing alerts, triaging, and investigating them is very high.
To counter this, enterprises must pursue automation to scale and manage the volume of what comes at analysts each day. For enterprises, much of the work to cut through the volume of alerts to detect the real threats relies on a security monitoring solution or analytics or security information and event management (SIEM) solution. And a security orchestration automation and response (SOAR) solution will empower teams to create essential “air gaps” to contain attacks, as well as significantly accelerate their mean-time-to-response (MTTR).
How to Start Your Security Modernization
Security teams need to rethink their security strategies to keep up with the challenges of a
hybrid, on-premises and in-cloud infrastructure. Having the right tools, using them in tandem
with the right technologies, and leveraging automation to make sense of all that data is
foundational to a modern SOC.
Modernizing security operations means investing in technology and processes to make the most
of the organization’s tools and teams. That way they can keep up with the increasing frequency
and sophistication of cyberattacks.
Surface Threats Automatically
Uncovering threats is a volumes
game. Automation makes it
possible to uncover indicators
of early-stage threats that arise
from your expanded attack
surfaces.
Solve Security Complexity
The right solution should
empower you to consolidate
tools with a single cloud-native
platform that analyzes and
correlates threats across diverse
sources while also monitoring
and troubleshooting your logs,
metrics, and traces.
Quickly Respond with Agility
SecOps gains coordinated and
consistent processes across the
environment that lead to faster
response outcomes and less
strain on your security team.
Enable Digital Transformation
Securely
Security solutions that support
your broad environment
help you secure your digital
transformation initiatives
and manage your security
processes, holistically, across
your environment.
Make the Modern Secure Enterprise a Reality
We are of the firm belief that modernizing your security operations starts with a cloud-native
platform that supports and automates all of your security needs.
About the Author
Girish Bhat has been fortunate to have managed numerous cloud security solutions across the
entire product, GTM and customer lifecycle with leadership roles at several startups (successful
and failed) such as Splunk, Cisco, MobileIron, NetScout.
The Power of Automation
Unrestricted by processing
power, automate the threat
detection and incident
response process so you can
easily navigate alert triage,
investigation, and containment
of incidents.
Cloud-Native Architecture
Makes it fast and easy to
manage the security of your
environment—with multi-tenant
scale and elasticity delivered
efficiently, at any time, for all
your users.
Multiuse, Cloud Platform
Mitigate the overload of tools
with a cloud platform that serves
your many requirements—
including log management,
security monitoring, posture
management, workload
protection, SIEM, and SOAR.
Powerful Detection,
Fast Response
Leverage real-time threat
detection and orchestrated
response actions across
your on-premises, cloud, and
multicloud environments, giving
you best-in-class capabilities to
achieve cyber resiliency.
About the Author
Chris Gonsalves
Channelnomics
Chris Gonsalves is an award-winning author, researcher, and public speaker focused on the intersection
of secure, resilient informational technology and effective business strategy. Chris has spent two decades
researching and analyzing enterprise IT systems and the service providers that deliver them. A seasoned
technology journalist and a veteran U.S. Army technologist, Chris currently leads the research team
at business-strategy firm Channelnomics. He previously served as research director at the Institute for
Applied Network Security and as executive editor of TechTarget’s CIO and IT Strategy group. His work
has appeared in numerous publications, including The Wall Street Journal, eWEEK, Baseline Magazine,
Channel Insider, CRN, and VARBusiness.
EXECUTIVE SUMMARY
In the fall of 2021, Dark Reading joined forces with four Informa Tech sister publications — InformationWeek, ITPro Today,
Network Computing, and Data Center Knowledge — to conduct a wide-ranging survey examining trends and issues related
to enterprise cloud computing. The research found that, despite widespread adoption, cloud-based IT systems continue to be
saddled with issues related to data security, privacy and resilience.
In an environment where security is the most pressing issue, business cloud users harbor specific concerns about resilience
against cyberattacks, assurances of data privacy, effectiveness of cloud backup and recovery, and the overall security posture
of the cloud service and platform providers themselves.
An organization’s relative comfort with cloud security and its approach to safeguarding data in the cloud depend on a handful of
factors, most notably their own experiences with breaches and data loss.
Key Findings:
• Security is, by far, the biggest cloud computing concern, ranked in the top three by 73% of survey respondents. Data availability issues, nestled under the banner of cloud reliability and performance, were close behind at 50%.
• Ninety percent of respondents feel attackers will target cloud service providers more than ever in the coming year.
• Despite cautionary guidance from federal authorities, roughly one of every 12 organizations polled paid a ransom to cybercriminals in an effort to recover compromised data.
• A majority of respondents (62%) feel cloud application and service providers deliver better security capabilities than their own in-house security teams.
• A bare majority (55%) feel that keeping sensitive data on-premises rather than in the cloud is a good idea; 52% still believe that data is better protected on-prem than in the cloud.
• Virtually all respondents (97%) feel data privacy is an important consideration when evaluating cloud services; 56% say it is the single most important criterion.
• Two-thirds of those polled regularly back up their corporate data to the cloud. Among those that do, 42% put at least three-quarters of their data in cloud business continuity and disaster recovery systems.
• Only one in four respondents (25%) use cloud-based disaster-recovery-as-a-service (DRaaS); just 18% subscribe to a cloud-based security-as-a-service (SECaaS) offering.
RESEARCH SYNOPSIS
Survey Name: 2021 State of the Cloud
Survey Date: September 2021
Number of Respondents: 339 decision-maker IT professionals whose organizations
use cloud computing. The margin of error for the total respondent base (N=339) is +/- 5.3
percentage points.
Methodology: The research queried decision-makers with IT job titles at organizations that
use cloud services. Respondents run the gamut of industries. While about one in five (22%)
hail from the technology and IT sectors, the remainder represent a broad swath of sectors,
including healthcare, financial services, manufacturing, education, and government.
Respondents are mostly evenly split among small, midsize, and large enterprises. Twenty-
nine percent represent large organizations of 10,000 employees or more, 26% are from
companies with between 1,000 and 9,999 employees, 19% are from companies with 100
to 999 employees, and 26% are from companies with fewer than 100 employees.
The online survey asked respondents about their organizations’ use of cloud computing.
Respondents were recruited via an email invitation containing an embedded link to the
survey. The email invitation was sent to a select group of Informa Tech’s qualified database;
Informa is the parent company of Dark Reading, InformationWeek, ITPro Today, Network
Computing, and Data Center Knowledge. Informa Tech was responsible for all survey
administration, data collection, and data analysis. These procedures were carried out in
strict accordance with standard market research practices and existing US privacy laws.
ABOUT US
Dark Reading Reports
offer original data and insights on
the latest trends and practices in
IT security. Compiled and written
by experts, Dark Reading Reports
illustrate the plans and directions
of the cybersecurity community
and provide advice on the steps
enterprises can take to protect their
most critical data.
State of the Cloud: A Security
Perspective
Over the past decade, cloud computing
has evolved from a useful IT adjunct to a
core technology platform, delivering the
applications and infrastructure that drive the
majority of today’s businesses, regardless
of size or vertical industry. Lured by the
prospects of reduced costs, the advantages
of operational versus capital expenses, and
the speed of innovation-fueling, on-demand
capabilities, organizations adopted cloud
at scale. Two years of a global pandemic
— and the accompanying pressure on
businesses to support remote work, long-
distance collaboration, and expanded
e-commerce — pushed the cloud adoption
needle further and faster.
Informa Tech’s Dark Reading,
InformationWeek, ITPro Today, Network
Computing, and Data Center Knowledge
fielded this broad survey in an effort to shed
light on how organizations are navigating
their cloud transformation journeys and to
further examine how cloud strategies are
affected by matters of data security, privacy,
reliability, and resilience. In the survey,
one in four organizations now count on
cloud technologies for the majority of their
corporate computing (Figure 1). Another
38% say they’ll reach that threshold within
the next two years. The vast majority (80%)
use cloud-based applications procured
in a software-as-a-service (SaaS) model
(Figure 2). About half also leverage cloud
infrastructure and platform services (49%
and 47%, respectively).
But wholesale transformation to the cloud
is not without its perils. Business units
can spin up SaaS applications and their
associated data stores on an ad-hoc
basis, far removed from formal IT and
security oversight. Development teams can
configure cloud platforms with little regard
for established corporate security policies.
Cloud infrastructures, available to any line-
of-business user with a credit card, require
radically different approaches to common
security controls used to ensure data
protection and compliance.
Analyzing the survey data reveals three key
cloud security themes. These are the top-of-
mind cloud issues for IT leaders and security
practitioners — the factors that will ultimately
determine how committed organizations
remain to the cause of cloud transformation
and how safe their critical digital assets will
be when they choose an as-a-service option
to run their businesses.
Figure 1. Majority of Computing in the Cloud
When will your organization reach a point where the majority of its computing is done via cloud technology, infrastructure, or services?
Data: Informa Tech survey of 339 cloud computing users, September 2021
We are already there: 25%
Within the next 6 months: 9%
Within the next 6 to 12 months: 11%
Within the next two years: 18%
More than two years from now: 15%
We don’t plan to move to a majority-cloud computing environment: 12%
Don’t know: 10%
When it comes to the cloud:
1. Security questions abound.
2. Tactics and strategies differ by experience.
3. Backup and recovery carry significant weight.
Figure 2. Cloud Services in Use
Which of the following cloud services do you currently use?
Note: Multiple responses allowed
Data: Informa Tech survey of 339 cloud computing users, September 2021
Software as a service (SaaS): 80%
Desktop as a service (DaaS): 19%
Platform as a service (PaaS): 47%
Containers as a service: 14%
Infrastructure as a service (IaaS): 49%
Security as a service (SECaaS): 18%
Disaster recovery as a service (DRaaS): 25%
Secure access service edge (SASE): 10%
Security in Question
The many benefits of cloud computing — among them, speed, agility, efficiency, and predictable costs — come with their own set of concerns. Security is the faraway leader when it comes to worries about cloud computing in a business setting. Nearly three out of four of those polled (73%) tap security specifically among their top three cloud concerns, 15 points ahead of their second top concern: the overall cost of cloud services (Figure 3). Half of respondents (50%) list reliability and performance as their third most prevalent concern, which suggests they are feeling uneasy about cloud data protection.
When security practitioners talk about the “CIA triad” — confidentiality, integrity, and availability — it’s data confidentiality and integrity that get most of the attention. Availability, however, is an equally important third leg of the stool, and one that deserves diligent consideration in cloud environments where many aspects of system resilience are outside the data owner’s control. That puts basic reliability and performance in the same league as more explicit security issues, like access controls and network protections. Respondents appear to agree, as security and reliability/performance show up among the top three cloud concerns. No other issues score as highly as this particular combination.
Figure 3. Biggest Concerns About Cloud Computing
Looking ahead, what are your biggest concerns about your company’s use of cloud computing?
Note: Maximum of three responses allowed
Data: Informa Tech survey of 339 cloud computing users, September 2021
Security: 73%
Inadequate functionality or limitations to cloud computing: 10%
Reliability/performance: 50%
Our service level agreement(s) currently do not adequately cover our needs: 6%
We have no concerns; we’re happy with the services we use: 2%
Cost: 58%
Too much of our core data is in the cloud: 10%
Our staff’s skillset on dealing with cloud computing: 26%
Our provider(s) too often are trying to migrate us to additional cloud services: 6%
Other: 2%
Something to Believe In
The general uneasiness around cloud security
is rooted in a handful of specific beliefs —
some real, some imagined — surrounding
the cloud’s overall defensive posture and
practices. In the realm of the provably true,
for example, a whopping 90% say they
somewhat or strongly agree that attackers
will target cloud service providers more than
ever in the coming year (Figure 4). Given the
heightened state of geo-political turmoil in
hacker-rich environments such as Russia and
Ukraine, even that grim response might now
be a shade too optimistic for 2022.
A solid majority of the survey respondents
(62%) also believe that cloud application
and service providers deliver better security
than their organizations could implement on
their own. Most security experts would agree
wholeheartedly with that assessment.
That finding is countered, however, by
misperceptions and security urban legend. A
slim majority of those polled feel that keeping
sensitive data on-premises rather than in the
cloud is a good idea (55%) and that data is
more secure on-premises than in the cloud
(52%). The responses can be seen as a sharp
rebuke of conventional security wisdom,
which posits that cloud security providers
— with their bigger budgets, massive
staff dedicated to security, and hardened,
redundant global infrastructure — provide a
level of data protection far beyond the reach
of most individual businesses. There is clearly
a disconnect between what the experts say
and what these practitioners think regarding
the security of data in the cloud.
Figure 4. Cybersecurity Beliefs
Please indicate your agreement with the following statements.
Data: Informa Tech survey of 339 cloud computing users, September 2021
Scale: 5 = Strongly agree, 4 = Agree somewhat, 3 = Neutral, 2 = Disagree somewhat, 1 = Strongly disagree
I believe cyberattackers will target cloud service providers more than ever in the coming year.
Strongly agree 58%, Agree somewhat 32%, Neutral 9%, Disagree somewhat 1%, Strongly disagree 0%
In general, it is a good idea to keep my organization’s most sensitive data in on-premises systems, rather than in the cloud.
Strongly agree 24%, Agree somewhat 31%, Neutral 29%, Disagree somewhat 11%, Strongly disagree 5%
My organization’s data is more secure on-prem.
Strongly agree 21%, Agree somewhat 31%, Neutral 29%, Disagree somewhat 12%, Strongly disagree 7%
I believe my cloud application and services providers deliver better security than my organization could implement by itself.
Strongly agree 20%, Agree somewhat 42%, Neutral 31%, Disagree somewhat 6%, Strongly disagree 1%
The global pandemic has caused my organization to put more sensitive and mission-critical data into the cloud than ever before.
Strongly agree 18%, Agree somewhat 28%, Neutral 28%, Disagree somewhat 18%, Strongly disagree 8%
The more my organization implements cloud services and applications, the less secure my enterprise data will be.
Strongly agree 13%, Agree somewhat 30%, Neutral 30%, Disagree somewhat 21%, Strongly disagree 6%
The Trials of Ownership
People are largely products of their
experiences, and IT and security leaders are no
exception. If there’s one experience that truly
shapes attitudes about information security, it’s
suffering a devastating cyberattack. While only
a small share of respondents in our sample of
active cloud users (8%) indicate they’d paid
a ransom to recover data compromised in an
attack, that still represents dozens of actual
victims doling out significant sums of money to
criminals in an attempt to recover critical digital
assets (Figure 5).
Being the victim of a ransomware attack
can serve as a proxy for the organization’s
overall security health and maturity.
Organizations that have been compromised
— whether by a ransomware attack, a
phishing campaign, or purloined user
credentials, to name a few — often exhibit
deficiencies in many information security
fundamentals, such as access control,
systems segmentation, vulnerability
management, alert monitoring, and security
awareness training.
Taking a deeper look at the data, Dark
Reading considered the list of top cloud
concerns segmented by respondents
affected by a ransomware attack who
paid a ransom. Keeping in mind that the
base of those who have paid a ransom to
recover files encrypted in a ransomware
attack is small (25 respondents), this data
reveals notable variations in perception.
Security is still a top issue (52%) for the
25 victims who have paid ransom, but it
is far lower than the overwhelming nod
non-payers gave to the same question
(73%). Ransomware victims, meanwhile,
are more concerned with items such as
product functionality and service-level
agreements than their non-victim peers.
Figure 5. Ransom Paid in Attack
Has your company paid a ransom to recover files encrypted in a ransomware attack?
Data: Informa Tech survey of 339 cloud computing users, September 2021
Response options: Yes, No, Don’t know
Values shown in the chart: 8%, 12%, 80%
Suffering an attack also colors a victim’s
judgment going forward in several areas
that impact cloud implementation: product
selection, solutions deployment, vendor
choices, and incident response, to name
a few. For victim organizations, security
is no longer an academic exercise; it’s a
pursuit fueled by a painful experience —
one they hope never to revisit.
This report highlights other areas where
this important security proxy impacts the
views and choices IT leaders make when
it comes to the cloud. The analysis gives
insight into some of the cloud’s most
persistent trouble spots.
Strategies Vary Across the Board
Cloud initiatives are intentional; they
don’t just spring up in an organization
organically. Business and IT leaders
decide that cloud-based applications and
hosted infrastructure hold value for the
organization, usually by reducing costs,
powering innovation, or reducing time-
to-market for products and services. IT
decision-makers are doing their part to
ensure the cloud choices their organizations
make are responsible and safe. One
area getting ample attention in the era of
increased consumer and regulatory scrutiny
is data privacy.
The vast majority of those polled (97%) say
privacy is an important consideration when
evaluating cloud services (Figure 6). More
than half (56%) say it is singularly the most
important criterion.
While that prepurchase sensibility is
encouraging, the fact remains that most
high-level concerns about the overall
security of cloud implementations come
long after contracts have been signed and
solutions implemented. Rare is the business
that truly considers the risks of cloud-based
application development in the weeks or
months prior to developers busily spinning
up new products and pushing services into
production, for example. Cloud security
relies heavily on hindsight.
Nowhere is this dynamic more evident
than in the cloud services audit, when
business, finance, and IT decision-makers
are confronted with the size of their cloud
footprint. Almost always there are surprises.
Almost never are they good ones.
Avoiding the Crowds
Thinking about cloud exposure through
this rear-facing lens, our ransomware proxy
again uncovers stark disconnects between
perception and action. While types and
use cases for cloud apps, platforms, and
infrastructure vary very little between the
different cohorts, the willingness to engage
with multiple cloud partners for applications
and platforms differs greatly. The average
(mean) range of cloud applications in use
within a typical organization was five to nine
(Figure 7).
Any organization using more than 100
cloud applications could be considered
“security promiscuous” when it comes to
SaaS. In fact, more than one out of five
ransomware victims polled (a small base
of 25 respondents) say they use more than
100 applications in their environments.
That’s more than five times higher than
those respondents who have never paid
a ransom and use more than 100 cloud
applications.
A similar dynamic plays out when it comes
to cloud platform and infrastructure
providers. The average range is two to three
cloud service providers per organization
among all respondents (Figure 8). Among
the 25 past ransomware victims, however,
the average jumps to four to five. An
impressive one in five (19%) is juggling 10 or
more cloud provider relationships.
Figure 6. Role of Data Privacy
What role does data privacy currently play in your selection of a cloud provider?
Data: Informa Tech survey of 339 cloud computing users, September 2021
It is the most important consideration: 56%
It is somewhat important: 41%
It has no impact on our decision: 3%
Securing data and systems in the cloud is
challenging enough. Piling cloud providers
on with few limits adds complexity that
can quickly overwhelm a company’s
security policies and outstrip its defensive
capabilities. That less security-mature
organizations exhibit a larger appetite
for cloud relationships isn’t surprising.
Nevertheless, this finding is instructive.
Businesses would be wise to constrain their
cloud aspirations to a manageable number of
partners, a limit that takes into account their
current ability to craft data classification and
protection policy, control access, monitor
systems, and react to incidents in meaningful
and appropriate ways.
Who’s Keeping Watch
Responsibility for keeping tabs on activity and
behavior in cloud environments remains fairly
evenly distributed among cloud providers, in-
house security teams, or some combination
thereof (Figure 9).
The ratios remain similar between
ransomware victims and non-victims,
although it’s notable that significantly fewer
ransom payers (19%) opt for the more mature
blend of vendor and in-house telemetry than
their non-victim peers (27%).
When bad things inevitably do happen in the
cloud, a plurality of organizations (40%) rely
on their internal incident response team to
take the lead (Figure 10). Roughly a third
(29%) use a combination of local and vendor
incident response teams. Far fewer rely on the
cloud service providers entirely to respond.
That calculus changes radically when looking
at the 25 respondents from organizations that
have been compromised and paid a ransom.
A whopping 44% of those who have paid
a ransom say they depend exclusively on
the cloud provider for incident response.
Figure 7. Number of Cloud Applications in Use
How many cloud applications does your organization use, either from a third-party provider or internally?
Response options: 1; 2 to 4; 5 to 9; 10 to 19; 20 to 29; 30 to 49; 50 to 99; 100 or more; Don’t know
Chart values as printed: 9%, 30%, 21%, 16%, 6%, 3%, 2%, 5%, 8%
Data: Informa Tech survey of 339 cloud computing users, September 2021
Figure 8. Number of Cloud Service Providers
How many cloud service providers does your organization employ?
Response options: 1; 2 to 3; 4 to 5; 6 to 7; 8 to 9; 10 or more; Don’t know
Chart values as printed: 6%, 19%, 43%, 14%, 7%, 3%, 8%
Data: Informa Tech survey of 339 cloud computing users, September 2021
Just 19% say they’re able to join forces with
the cloud providers for a joint response, 10
points lower than the total sample and 14
percentage points shy of their non-victim
peers. Keep in mind the base of those who
have paid a ransom is small, but directional
data is telling.
Backup Making Waves
When it comes to securing critical assets
in an as-a-service IT environment, there’s
a dichotomy: protecting data in the cloud
and safeguarding data with the cloud.
The former, as we’ve seen throughout this
report, is top of mind for the vast majority
of organizations. The latter, however,
remains mostly a niche concept: Only one
in four respondents (25%) use cloud-based
DRaaS to handle their business continuity
and data backup chores. Even fewer (18%)
subscribe to a SECaaS offering.
However, the cloud does make a
significant impact on data protection as
an increasingly foundational platform for
backup and recovery.
As most practitioners well know, judicious
use of backup as a part of business
continuity and disaster recovery (BCDR) is
a key component of a sound, all-around
security strategy — so much so that the
concepts of performing, securing, and
regularly testing backup protocols warrant
their own, distinct sections in popular
security frameworks, such as the NIST
Cybersecurity Framework and the CIS
Critical Security Controls.
Over the past several years, cloud-based
backup solutions brought the scale
and heft of enterprise-grade BCDR to
organizations of all sizes. Little surprise,
then, that backing up data in the cloud is
a matter of routine for two-thirds of survey
participants (Figure 11). Among those
that use cloud backup, 42% put at least
three-quarters of their data in cloud BCDR
systems (Figure 12).
Interestingly, and perhaps for very different
reasons than outlined earlier, cloud backup
use differs between past ransomware
victims and those that have not been
forced to pay a ransom.
Regular cloud backup is nearly unanimous
among ransom payers (92%), while non-
victims are closer to the average, at
69%. About a quarter of non-victims do
not regularly back up data to the cloud,
20 percentage points higher than their
victimized peers.
What the data doesn’t reveal is the when:
When did organizations embark on their
cloud backup strategy? Before or after an
attack?
The numbers suggest that the horrible
experience of data compromise and
the wretched expense of forking over
cryptocurrency to a criminal gang likely
sent IT leaders scurrying for better — and
quickly implementable — data backup and
recovery solutions. Cloud-based BCDR fits
that bill nicely.
Figure 9. Evaluating Security of Data in the Cloud
Where does your organization get the telemetry it needs to evaluate the security of its data residing in the cloud?
Response options: Mostly from the cloud service/application providers; We collect most of the data ourselves; It’s an even mix of our own data and data from the service provider; Don’t know
Data: Informa Tech survey of 339 cloud computing users, September 2021
Figure 10. Leading Incident Response Effort
If a cloud service breach compromised your organization’s systems or data, who would lead the incident response effort?
Response options: My organization’s incident response team; The cloud service provider; The service provider and my internal team would equally share the effort; Don’t know
Data: Informa Tech survey of 339 cloud computing users, September 2021
Chart values as printed for Figures 10 and 9: 19%, 13%, 40%, 18%, 29%, 30%, 26%, 25%
Figure 11. Backing Up Data to the Cloud
Does your organization regularly back up its data to the cloud?
Response options: Yes; No; Don’t know
Chart values as printed: 66%, 22%, 12%
Data: Informa Tech survey of 339 cloud computing users, September 2021
Figure 12. Percentage of Data Regularly Backed Up to the Cloud
Approximately how much of your company’s data is regularly backed up to the cloud?
Response options: None; Less than 25%; 25% to 49%; 50% to 74%; 75% or more
Chart values as printed: 42%, 14%, 23%, 20%, 1%
Base: 220 respondents who back up data to the cloud
Data: Informa Tech survey of 339 cloud computing users, September 2021
Locked and Loaded
Among all cloud backup users, most
employ rudimentary file-level backups
(64%), while a bare majority employ more
comprehensive (albeit more cumbersome)
image-based and/or differential backups,
which are limited to just those items that
have changed since the last save (53% and
50%, respectively) (Figure 13).
Cloud backup users also gravitate to large,
comprehensive BCDR solutions. Nearly
half (45%) choose offerings from major
cloud platform vendors, such as Amazon or
Microsoft’s Azure. About one in three uses a
purpose-built, third-party backup platform,
such as Acronis, Carbonite, MSP360, or
SolarWinds (Figure 14).
Few organizations (18%) say they prefer to
roll their own backup solutions, and fewer
still (5%) turn over responsibility for backups
to a managed IT service provider. The
roster makes sense when considering how
complex and difficult high-quality backup can
be. BCDR solutions need to be more than
quick and intuitive in order to be considered
enterprise-grade; they also need to be
updated, resilient, and testable. And they
need to support tough-to-manage features,
like robust encryption at rest and in transit.
When considered alongside the prevalent
attitudes about cloud reliability noted
earlier, the choices IT leaders are making
with regard to backup show businesses are
serious about turning over responsibility for
their critical digital assets to providers they
feel they can trust to do the hard work.
Scanning the Horizon
Changing workforces, disrupted business
models, economic challenges, and
innovation imperatives: All will conspire to
keep fervent cloud computing adoption
continuing apace. What’s less certain is
how well organizations will deal with the
unique demands cloud computing puts
upon security practitioners tasked with
keeping cloud data and systems safe,
resilient, and available.
As part of the survey, respondents were
asked, “As your organization moves more
data and applications into the cloud, what
is your greatest cybersecurity concern?”
Most filled in the blank with one of a handful
of usual suspects. About 15% singled out
ransomware, while another 10% referred to
some sort of data breach or loss. A smaller
number talked about internal threats and
human error.
Figure 13. Backup Strategies
Which of the following backup strategies do you currently use for your cloud data?
File-level backup: 64%
Differential backup: 50%
Image-based backup: 53%
Backup of data to local or on-premises media: 36%
Backup of data to another cloud: 34%
Base: 220 respondents who back up data to the cloud
Note: Multiple responses allowed
Data: Informa Tech survey of 339 cloud computing users, September 2021
Figure 14. Main Cloud Backup Solution
Which of the following best describes your main cloud backup solution?
Cloud backup service provided by a cloud vendor: 45%
Third-party backup platform: 32%
Custom tooling: 18%
We outsource our backup needs to a managed service provider: 5%
Data: Informa Tech survey of 339 cloud computing users, September 2021
Others, however, were more thoughtful —
and more specific — when considering
the security ramifications of ongoing cloud
transformation initiatives. For many, it’s a
development issue.
“Third parties have no experience with
Kubernetes, cluster, node, pod, [or] image
security and have absolutely no [continuous
integration and continuous delivery] pipeline,”
said one senior IT project leader at a midsize
insurance firm. “They do not embrace the
cloud-native techniques; they do not follow
any OWASP security practices. They will
expose us to all the traditional OWASP-type
attacks. They think DevOps is getting it out
there no matter the risk.”
Others expressed concern about increasing
interoperability among systems that users
have little visibility into. “The [concern] is
interconnectivity and integrations,” an IT
consulting executive said. “APIs are better
and more secure than ever, but not all
APIs are built equally. Even using the same
standards, each vendor must create and
secure how their APIs are accessed and how
data is protected between them.”
And in a ripped-from-the-headlines comment,
one IT channel services executive gave a nod
to ongoing supply-chain angst: “There’s too
many vendors and layers in the supply chain
for a given application,” the channel CEO
said. “It only takes one idiot at one level for
a breach. Not sure I trust any vendor using
offshore resources. Also, I can’t tell if they do.”
Conclusions
Cloud adoption will continue to grow in
leaps and bounds, and cloud computing
will be a key business driver for enterprises
as they grapple with the challenges of
distributed work, new business models,
and financial constraints. While a high
percentage of IT and security professionals
say they are concerned about security in the
cloud, there are still misperceptions about
how that translates into reality. However,
several challenges remain, including
managing multiple cloud service provider
relationships and developing effective
disaster recovery plans. The state of the
cloud is continuing to evolve, and enterprise
IT will need to consider security at every
stage of the decision-making process
involving cloud computing.
APPENDIX
Figure 15. Respondent Job Title
Which of the following best describes your job title?
Response options:
Director/manager IT
CEO/president/other corporate executive
Engineer/software engineer
CIO/CTO/other IT executive
IT staff
Director/manager security/cybersecurity
Cybersecurity/security staff
Consultant
Network/system administrator
Chief security officer/chief privacy officer
Vice president IT
Software developer
Vice president security
Other
Data: Informa Tech survey of 339 cloud computing users, September 2021
Figure 16. Respondent Company Size
How many employees are in your company in total?
Response options: 20,000 or more; 10,000 to 19,999; 5,000 to 9,999; 1,000 to 4,999; 100 to 999; Fewer than 100
Data: Informa Tech survey of 339 cloud computing users, September 2021
Chart values as printed for Figures 15 and 16: 5%, 4%, 1%, 2%, 7%, 3%, 3%, 4%, 23%, 9%, 13%, 10%, 9%, 7%, 7%, 26%, 19%, 19%, 20%, 9%
Figure 17. Respondent Industry
What is your organization’s primary industry?
Response options:
Consulting and business services (computer-related)
Computer or technology manufacturer/IT vendor
Financial services/banking/securities and investments
Healthcare/medical
Government (federal, state, local, or military)
Manufacturing process (non-computer)
Education
Solutions provider/VAR
Media/marketing/advertising/PR
Communications carrier/service provider
Consulting and business services (noncomputer-related)
Telecommunications/ISPs
Legal
Insurance/HMOs
Energy/utilities
Aerospace
Construction/architecture/engineering
Travel/hospitality/recreation/entertainment
Wholesale/trade/distribution/retail
Other
Chart values as printed: 8%, 12%, 10%, 9%, 9%, 8%, 7%, 2%, 2%, 2%, 2%, 2%, 2%, 3%, 3%, 3%, 4%, 5%, 5%, 2%
Data: Informa Tech survey of 339 cloud computing users, September 2021