2023 CLOUD SECURITY STUDY
GLOBAL EDITION
The Challenges of Data Security and Sovereignty in a Multicloud World

Introduction

If there's a dominant theme that the data from the 2023 Thales Global Cloud Security Study conveys, it's that the world has become cloud-first, multicloud and that it's more complex to secure the cloud. The latest edition of the survey of nearly 3000 respondents in 18 countries explores challenges of security in cloud environments that have become a critical element in modern digital infrastructure and services. While there has been improvement in the overall cloud security posture from the previous year, there is still work to be done to simplify and secure cloud operations, especially when it comes to addressing human error. Multicloud operations bring with them operational complexity, something that needs to be tamed to secure cloud environments efficiently and effectively.

Source: 2023 Cloud Security custom survey from S&P Global Market Intelligence, commissioned by Thales.

2023 Cloud Security Report: Global Edition

Contents

Key findings
It's a multicloud world
The threat landscape for the cloud
Cloud data concerns
Impacts of data sovereignty
Operational complexity in the cloud
Pathways to better cloud security
Moving ahead
About this study

#2023CloudSecurityReport

Key findings

SaaS usage is growing. The reported use of SaaS applications has expanded, with the mean rising to 97 applications, increasing the number of points of use where data must be secured.

Dramatic increase in sensitive data reported in the cloud. 75% of respondents report that 40% or more of their data in the cloud is sensitive, up from 49% in 2021.

Multicloud is a reality. The average number of cloud infrastructure providers is well above two (2.3). More than three quarters (79%) of this year's respondents have more than one cloud provider.

Securing data in the cloud is seen as becoming more complex. It has increased to 55% from 46% just two years ago.

SaaS applications garnered the most votes as the leading targets for attackers (ranked first as a target by 38%), followed closely by cloud-based storage (ranked first as a target by 36%).

We're only human: Human error is the leading cause of cloud data breaches. 55% of respondents chose human error as the leading cause of cloud data breaches, well ahead of exploitation of vulnerabilities, the second highest selection at 21%.

Digital sovereignty issues around cloud usage loom large on multiple fronts. Respondents report high use of cloud provider-dependent encryption key management, alongside growing concerns about sovereignty mandates. Only 14% say that they control all of their own encryption keys in cloud environments. 83% are concerned about impacts of sovereignty on cloud deployments.

Complex encryption key management creates security and operational risks. Respondents report multiple key management systems in use. 62% say they have five or more key management systems in place.

Levels of sensitive data encryption must be higher. Only 22% of respondents report that 60% or more of their cloud data is encrypted. On average, only 45% of sensitive data is encrypted.

It's a multicloud world

[Figure: Multicloud is the rule, not the exception. Survey question: "Of the following cloud Infrastructure as a Service (IaaS) providers, which does your organization use or plan to use in a production capacity?" Categories: 1, 2, 3, 4, 5 providers and the average. Source: S&P Global Market Intelligence's 2021-2023 Cloud Security custom surveys.]

There are many reasons that could be pushing enterprises into expanding their portfolio of cloud providers. An interest in additional functionality, a move to diversify operations for greater resilience, partnerships, service availability and especially mergers and acquisitions are all possible causes that may be behind the increasing numbers, but the study results are clear: multicloud use continues to grow. Average number of cloud infrastructure providers (IaaS and PaaS) is up 35% over two years (from 1.68 to 2.26). With each additional cloud provider, there are new security controls and data protection models to understand and implement. Cloud users have to extend their existing operating processes further, while understanding the constraints of the new environment.

35%: Growth in the number of cloud providers reported over the last two years.

[Figure: SaaS diversity is trending higher. Survey question: "How many Software as a Service (SaaS) applications does your organization use?" Source: S&P Global Market Intelligence's 2021-2023 Cloud Security custom surveys.]

41%: Growth reported in the mean number of SaaS applications.

While cloud usage is growing for infrastructure, SaaS use is growing as well. More respondents are using SaaS applications to replace on-premises application functionality. In 2021, 16% of respondents reported their enterprises using 51-100 SaaS applications. That number increased to 22% for 2023 respondents. That translates into a shift in the mean number of applications reported in use from 69 in 2021 to 97 in 2023, a 41% increase, growing faster than regular cloud infrastructure. All of this expansion means that there is more to manage and secure, and that sensitive data is distributed to more locations. A majority of respondents (55%) note that they find it more complex to secure data in the cloud, and the increasing number of cloud providers could be driving that

The threat landscape for the cloud

With the increasing use of cloud-based resources, it's important to understand perceptions of the threat landscape and the experiences that respondents have had in defending cloud resources. The study asked respondents to rank a set of attack targets by likelihood of attack. Garnering the most votes, more than a third (38%) of respondents say SaaS apps are the top target for cyberattacks, with 36% identifying cloud storage. It's an indication of the level of concern that exists for cloud-based resources. And it's not a concern that is unfounded. Organizations identify the potential exposure of applications and data stored in the cloud as a risk. In fact, about half (46%) say they have experienced a data breach in their cloud environment. The number experiencing a data breach in the last year is up 4 percentage points (from 35% to 39%) from last year's report.

As attackers target cloud-based resources, there's a greater need for organizations to improve their security posture. As the data indicates, that task is all the more difficult when there are more cloud providers to secure, which could be contributing to the reported increase in successful attacks. With a larger number of platforms to secure, the opportunity for operational errors grows, increasing the attack surface with each error. Organizations either have to dedicate separate teams to specialize in each platform or expect their security teams to become well-versed in multiple platforms at the same time. Respondents say that human error is the leading cause of cloud data breaches, which might be an indication that the strategy they're using for platform management is not working well enough.

As organizations are embracing cloud, the attacker community is increasing its presence and skill level in those same environments. That means that the threat landscape in the cloud will continue to become more hostile and require increasing effort to secure. This pressure, combined with increasing cloud environments, puts a greater emphasis on the ability of security teams to become more efficient in security operations.

38% rank SaaS apps as the top target for cyberattacks.

39% of respondents experienced a data breach in the last year.

Cloud data concerns

The study results confirm that there are more workloads and data residing in the cloud, with those with 60% or more of their workloads and data in the cloud increasing from 23% to 27% in the last year. That mirrors larger industry trends as cloud becomes a more common path for new applications.

There is a bigger story around sensitive data. The study looked both at the amount of an organization's sensitive data that is stored in the cloud and the amount of data in the cloud that is sensitive. There is a notable increase in both areas.

There has been a dramatic increase in the amount of an organization's sensitive data in the cloud. In 2022, 52% of respondents reported that more than 40% of their sensitive data was in the cloud. This year, this amount dramatically increased to 64%. That's most likely due to larger numbers of core applications running in the cloud, applications that are bringing the critical data that they handle with them.

The number of respondents saying that 40% or more of their data in the cloud is sensitive increased in a similar fashion, moving from 49% in 2021 up to 75% in 2023. That increase of more than 50%, combined with an increase in the number of cloud platforms, could be another factor leading to challenges in managing cloud data security. Point data protection controls alone cannot keep up with the volume and diversity of sensitive data growth.

Even though more data is in the cloud and more of that data is considered sensitive, there is still much that is not encrypted. More sensitive data is being encrypted, but levels are still low. Only 22% of respondents report that more than 60% of their sensitive data in the cloud is encrypted, with the average being 45% of data being encrypted. This is a marked improvement from previous years. In 2021, only 17% reported that more than 50% of sensitive data was encrypted. This year, that number is 40%. Only 2% report 100% encryption of sensitive data in the cloud this year.

75% report that 40% or more of their data in the cloud is sensitive.

Only 2% report 100% encryption of sensitive data in the cloud.

[Figure: Significant amounts of sensitive data are unencrypted. Survey question: "What percentage of your organization's sensitive data in the cloud is encrypted?" Categories: 0-25, 26-50, 51-75, 76-100. Average = 45%. Source: S&P Global Market Intelligence's 2023 Cloud Security custom survey.]

22% report that more than 60% of their sensitive data in the cloud is encrypted.

There are clearly many factors at work that limit the use of encryption to these levels, but it raises serious questions about approaches to data security when such significant volumes of data identified as sensitive aren't encrypted. A lack of understanding of specific cloud encryption operations might be a contributor because cloud environments typically operate differently than traditional on-premises systems. Concerns about limiting developer productivity might weigh on some organizations. It could also be that organizations are carrying the traditional practice of relying on application-based data protection into clouds, where it is clearly not sufficient to address third-party risk. Whatever the cause, organizations need to do more, especially in light of regulatory requirements that are taking on a larger role in data protection.

Impacts of data sovereignty

83% say they're concerned about digital sovereignty impacts on cloud deployments.

Digital sovereignty is a global strategic initiative, and privacy compliance represents opportunities for enterprises to mature their data management capabilities. It's a critical functionality because concerns about digital sovereignty can hinder digital transformation if organizations can't effectively manage the data that fuels their businesses. It can present challenges with requirements to control and manage where data is stored and used and who has access to it. When asked about digital sovereignty, 83% of respondents worldwide say they are "somewhat" or "very" concerned about impacts on cloud deployments.

The foundation of digital sovereignty is not the cloud provider but the data management capability of the infrastructure that supports the workloads and applications under the data custodian's control. The use of cloud-based resources introduces a third party that legacy data management strategies may not have addressed. Those leveraging cloud need to ensure not only that the data being secured is protected from disclosure but also that it is delivered only to those environments where it should be used.

Multicloud environments can help address digital sovereignty requirements as organizations leverage different cloud environments for regional coverage. However, that potential benefit could add complexity if organizations aren't able to simplify the way they manage the various clouds that make up their

Regarding expectations for meeting digital sovereignty requirements, 96% of respondents believe that designating or changing the location and jurisdiction or the use of full data encryption are acceptable measures to achieve various levels of digital sovereignty. Only the remaining 4% are not concerned about the location of data with respect to sovereignty mandates. More than a third (35%) believe that location is important for all workloads. This reflects both the concern about regulations that use the physical location of data as a means of protection and the growing interest in cryptographic protections as a sufficient means of protection. With the latter, data encryption provides the isolation required and ensures that no matter where the data is located, it is protected from disclosure to unauthorized parties. It's an approach that has many advantages and is under active exploration by a number of regulatory bodies.

Organizations need to understand that the core elements of digital sovereignty will become a requirement for all. While it may seem that those operating within a single region could remain exempt, providing highly available digital customer experiences will eventually require the same level of data protection. By building in better data protection capabilities today, they'll be prepared for whatever requirements regulators, either local or global, put forward in the future.

Operational complexity in the cloud

The operational realities of multicloud environments have raised concerns for many organizations. More than half (55%) of study respondents indicate that it is more complex to manage data in the cloud than it is in on-premises environments. While most have been honing their operational capabilities in the cloud, it's still seen as an operational concern. Growing numbers of cloud providers could certainly be adding to this complexity.

The study looked at operational aspects of data protection and management in the cloud, and the results offer some insights into what may be driving the complexity. Only 14% of respondents say that they control all of their encryption keys in their cloud environments. This means that most organizations are working with multiple cloud environments, and they manage their data encryption keys in different ways across those environments.

A further confirmation of the complexity in data protection management comes from a question on the number of key management systems in use. Almost two-thirds (62%) say they have five or more key management systems in place across their operational infrastructure. That means that there are independent realms in which data protection must be managed. More than a quarter of respondents (27%) say their cloud provider controls all of their keys. As with other aspects of multicloud security management, organizations will either have to have dedicated teams for each cloud or expect their teams to be skilled in key management operations for all of their providers at the same time.

With this situation, it's not surprising that respondents report human error as the leading cause of cloud data breaches (55%), well ahead of the second cause, exploitation of vulnerabilities (21%). Complex operational environments are all too susceptible to human failings. This is another area where organizations have to simplify their security management to become more effective.

55% say that it's more complex to manage data in the cloud.

Only 14% of respondents say that they control all of their encryption keys in their cloud environments.

Pathways to better cloud security

65% report deploying MFA to secure cloud data access.

The study results clearly illustrate the challenges faced by organizations as they work to secure their cloud-based infrastructure, but they also offer some indications of pathways to improving cloud security. Identity and access management has been identified as a top mitigating control for data breaches, and there has been progress from previous study results. Strong MFA adoption increased to 65%, but that's still not good enough. With a third of respondents yet to implement this important control, there is significant cloud infrastructure at risk.

Another key point taken from the study results is that data security has to be improved. Centralizing encryption management is mandatory. In a multicloud world, organizations have to be able to centrally manage keys that are used across their infrastructure on premises as well as in the cloud. That management skill not only reduces operational complexity but can also give organizations the flexibility to secure new environments as business needs dictate, whether that's to take on a new partnership or merge businesses. It's also an improvement that can address the leading cause of cloud data breaches: human error. Making security operations more efficient can make them more effective. Building security management systems that can leverage automation and span the full range of an organization's infrastructure is a critical goal.

[Figure: Zero trust use is improving, but more needed. Survey question: "How does your organization use zero trust practices?" Categories: Remote access systems, Cloud networks, Cloud infrastructure, Internal networks, Server management, Not implemented. Source: S&P Global Market Intelligence's 2023 Cloud Security custom survey.]

Improving operational architectures is another area to improve security posture. Getting to a zero-trust footing in the cloud can build a better foundation for operational security. Only 41% have zero-trust controls on cloud infrastructure, and even fewer (38%) use zero-trust controls in cloud

Moving ahead

The study results point to a set of challenges that organizations are facing in securing data in the cloud environments. They're living in a multicloud world and need to be able to secure it effectively and efficiently. They need to overcome the complexity that working across cloud infrastructure and SaaS environments presents. Data protection in the cloud must become simpler to manage to overcome issues with human error and misconfiguration. The results of the study indicate specific areas that need improvement.

Key management consolidation.
Greater use of data encryption.
Gaining control of encryption keys.
Achieving great efficiency through security automation.

Key management environments need to be consolidated. Doing so can deliver the operational control that's needed to scale up the use of encryption in ways existing security teams can handle. At the same time, organizations need to take advantage of the force-multiplying power of automation. It is underutilized in security, more so than in other technological disciplines, and is another tool to reduce the risk of human error alongside the efficiency gains it provides. These improvements can also bolster digital sovereignty compliance efforts with the necessary controls to ensure data is where it needs to be and is well protected.

The most effective way to improve cloud data security is to ensure that cloud environments can be treated as an extension of existing infrastructure, not a special case. That's a mandate for technologies that can span the multiple environments that organizations find themselves in with a common security management environment. It's a pathway to making all of an organization's data protections more effective and efficient.

About this study

This research was based on a global survey of 2,889 respondents that was fielded in November and December 2022 via web survey with targeted populations for each country, aimed at professionals in security and IT management. In addition to criteria about the level of knowledge on the general topic of the survey, the screening criteria for the survey excluded those respondents who indicated an affiliation with organizations with annual revenue of less than US$100 million and with US$100 million-$250 million in selected countries. This research was conducted as an observational study and makes no causal claims.

Revenue                 Respondents
$100m to $249.9m        91
$250m to $499.9m        749
$500m to $749.9m        796
$750m to $999.9m        748
$1Bn to $1.49Bn         229
$1.5Bn to $1.99Bn       134
$2Bn or more            142

Industry Sector         Respondents
Retail                  158
Manufacturing           148
Financial services      140
Healthcare              139
Federal government      125
Public sector           122
Technology              117
Automotive              114
Pharmaceuticals         108
Telecommunications      101

Country                 Respondents
Australia               110
Brazil                  100
Mexico                  106
Canada                  107
France                  257
Germany                 252
Italy                   105
Netherlands             100
Hong Kong               105
India                   204
Japan                   205
New Zealand             53
Singapore               109
UK                      260
USA                     508
Sweden                  104
UAE                     102
South K

all office locations and contact information, please visit

Thales - June 2023 RMv12