Too many identities, systems and cooks in the kitchen cloud an already complex mandate.
More than two thirds of cloud decision-makers (68%) say their cloud deployments — particularly public and hybrid instances — are their organization’s greatest area of exposure risk. And, managing who has access to these systems poses a significant challenge.
These are the findings from a commissioned survey including 262 IT and security professionals who have the final decision-making authority for their organization’s cloud infrastructure. The survey, conducted in 2023 by Forrester Consulting on behalf of Tenable, reveals four key areas cloud decision-makers say represent their greatest areas of exposure risk:
- Misconfigurations in the cloud infrastructure and services used throughout my organization (68%)
- Flaws in any business/IT software used throughout my organization (62%)
- Misconfigurations in the tools my organization uses to manage user privileges and access (60%)
- Flaws in any operational technology software used throughout my organization (46%)
When it comes to evaluating risk exposure, the cloud far outranks other areas of IT infrastructure as a cause for concern among cloud decision-makers.
In which of the following areas is your risk exposure the highest?
Technology | % respondents |
Public cloud infrastructure [1] | 29% |
Multi-cloud / hybrid infrastructure [2] | 28% |
Internet of things (IoT) | 15% |
Private cloud infrastructure | 11% |
Cloud container management tools | 9% |
On-premises infrastructure | 5% |
Operational technology/industrial control system (ICS)/Supervisory Control and Data Acquisition (SCADA) | 3% |
[1] Public cloud can be a single public cloud provider, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure
[2] Multi-cloud / hybrid is a combination of two or more public and/or private clouds
Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture
Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable
Where are cloud decision-makers investing in the year ahead?
A wide array of cloud-based infrastructure and business systems is currently in use at most organizations, including virtual machines and containers as well as customer relationship management (CRM) and human resources management systems.
When it comes to areas of investment related to deploying technology in the cloud, respondents identified serverless functions, virtual machines and containers as the top three technology types where they plan to expand adoption in the next 12 months.
Which of the following cloud infrastructural technologies does your organization currently use?
Technology | Not interested in cloud | Interested but no plans to implement in cloud | Planning to implement in the cloud in the next 12 months | Implemented in cloud but not expanding/upgrading | Expanding or upgrading cloud usage | Decreasing or removing cloud usage |
Serverless functions | 8% | 21% | 39% | 24% | 7% | 0% |
Virtual machines | 3% | 14% | 33% | 34% | 13% | 3% |
Containers | 2% | 11% | 32% | 35% | 16% | 3% |
HR management | 2% | 12% | 26% | 40% | 18% | 2% |
2% | 5% | 25% | 35% | 26% | 7% | |
Financial | 3% | 11% | 25% | 32% | 24% | 6% |
IT service management (ITSM) | 0% | 5% | 24% | 34% | 30% | 8% |
Enterprise resource planning (ERP) | 1% | 4% | 17% | 37% | 32% | 9% |
Customer relationship management (CRM) | 0% | 6% | 14% | 42% | 28% | 10% |
Too much data, too many silos, too many stakeholders
Given the complex cloud-based ecosystem in place at most organizations, it’s no surprise that cloud findings top the list of data sources that cloud decision-makers use to determine overall risk exposure. But cloud findings are hardly the only source. Threat intelligence feeds, vulnerability disclosures and incident-readiness assessment findings are also among the data sources upon which cloud decision-makers rely.
Which of the following data sources does your organization use to identify overall risk exposure?
Data source | % respondents |
Cloud findings | 69% |
Threat intelligence feeds | 55% |
Vulnerability disclosures | 52% |
Incident-readiness assessment findings | 52% |
Penetration test findings | 47% |
External attack-surface findings | 42% |
User profiles and privileges | 35% |
Operational technology findings | 31% |
Asset inventories | 26% |
Multiple responses allowed
Aggregating all this data from multiple siloed systems is time-consuming and complicated. In fact, organizational silos, a lack of data hygiene and a focus on reactive rather than preventive cybersecurity all play a role in making cloud security a challenge. In particular:
- Seven in 10 (70%) cloud decision-makers say their organization’s siloed systems form a barrier for obtaining user data
- Half say their organization lacks an effective way to integrate user data into vulnerability management practices
- More than half (55%) say the lack of hygiene in both their organization's user data and its vulnerability management systems prevents them from drawing quality data to help employees make prioritization decisions
- Six in 10 (58%) say the cybersecurity team is too busy fighting critical incidents to take a preventive approach to reducing their organization’s exposure
- Nearly three quarters (74%) say their organization would be more successful at defending against cyberattacks if it devoted more resources to preventive cybersecurity
Further complicating matters, the responsibility for overseeing identity and access management systems appears to be a team sport involving professionals in IT and security operations, risk and compliance and governance. A large majority of respondents (67%) have three or more identity and access management systems in place and there can be five different types of teams involved in managing these systems: IT operations (77%), security operations (61%), ID and access (53%), risk and compliance (36%), and governance (32%).
Who manages the identity and privilege management systems used at your organization?
Team | % respondents |
IT operations | 77% |
Security operations | 61% |
ID and access team | 53% |
Risk and compliance | 36% |
Governance | 32% |
My organization does not have identity and privilege management systems | 2% |
Other | 1% |
Multiple responses allowed
In addition, most of the cloud decision-makers surveyed wear multiple hats, identifying themselves as the final decision-makers for a number of other key areas, including DevSecOps, vulnerability management and even the security operations center (SOC).
I am the final decision-maker for this practice
Practice | % respondents |
DevSecOps | 61% |
Vulnerability management | 58% |
Security operations / SOC | 57% |
SaaS applications / tools | 56% |
IT operations | 56% |
Identity access / privilege management | 53% |
DevOps | 53% |
Yet, cybersecurity is often left out of the loop through most stages of technology deployment.
How often is your organization’s cybersecurity team engaged during the following stages of deployment?
Stage | Never | Rarely | Sometimes | Most of the time | All of the time |
Architecture review | 1% | 10% | 38% | 35% | 15% |
Scoping | 2% | 16% | 41% | 32% | 9% |
Request for proposal (RFP) | 3% | 10% | 31% | 35% | 21% |
Vendor evaluation / proof of concept (PoC) | 2% | 10% | 33% | 31% | 24% |
Configuration and deployment | 0% | 5% | 27% | 42% | 26% |
User privilege and access management | 0% | 2% | 23% | 38% | 35% |
Ongoing vendor management and maintenance | 1% | 9% | 27% | 40% | 23% |
Governance and exception management | 1% | 11% | 21% | 45% | 22% |
DevOps is another area of concern for cloud decision-makers: four in 10 (42%) say their organization's DevOps team does not prioritize security in its code development process.
More about the respondents
Survey respondents represent cloud decision-makers working in IT (65%) and cybersecurity (35%). They’re more likely to be VPs or directors rather than C-level executives. They’re very involved in IT and security strategy.
Which of the following best describes your current position/department?
Position/department | % respondents |
IT | 65% |
Cybersecurity / infosec | 35% |
Which title best describes your position at your organization?
Title | % respondents |
Senior-most IT or security decision-maker in the firm (e.g., CIO, CISO, CTO) | 22% |
Business Information Security Officer (BISO) | 3% |
VP in IT or security | 40% |
Director in IT or security | 35% |
To what extent are you involved with setting, managing and/or implementing the following areas of your IT/security strategy at your organization?
Area | Marginally involved | Moderately involved | Very involved |
Budget | 1% | 45% | 53% |
Performance metrics | 0% | 40% | 59% |
Business strategies | 0% | 48% | 52% |
Four recommendations for reducing cloud security risk
Securing your complex cloud infrastructure requires addressing a variety of people, process and technology challenges. Here are four recommendations to get you started:
- Dismantle silos. Develop a plan to standardize cloud security across various business units, providing a single point of reference that can be used by teams in security, IT, DevOps and DevSecOps. Can you quickly determine the relationships among users, systems and assets across your organization, so you can realistically identify and address their exposure? Or, do your siloed systems form a barrier that stops you from effectively integrating such data into your cloud security practices? Standardization can help to minimize friction between IT, security and dev teams and ensure swift decision-making based on accurate recommendations that everyone can comprehend.
- Visually map your attack surface. Knowing which cloud assets you have is just the beginning. You need visibility into the configurations, digital identities and associated permissions for each asset on your network. Only with a contextual view of assets, configurations and identities can you achieve the visibility necessary to perform the kind of precise analysis that enables security teams to offer targeted recommendations to reduce risk.
- Address multi-cloud challenges. Each major public cloud provider — Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure — manages and configures cloud components differently, resulting in inconsistencies in continuous security monitoring. Aim to consolidate information from all your public cloud providers into a unified monitoring and management space. This requires understanding the diverse mechanisms at play, including the infrastructure of the cloud provider and the permissions model, and can help you lay the groundwork for consolidated and precise remediation recommendations.
- Seek automated solutions. Automated cloud security solutions can help you continuously analyze your organization’s exposure to risk and present findings in an easy, consumable and actionable way, without requiring deep technical know-how on the part of teams. Automated security tools provide teams with the ability to understand, investigate and navigate risk amid the complexity. With the right automated solution, you can: gain full visibility into your cloud assets, users and configurations; consolidate information from all public cloud providers into a unified monitoring and management space; and prioritize and remediate based on risk severity. Automation can act as a force-multiplier for resource-starved security teams.
When searching for the right cloud security solutions, organizations should focus on those that reduce complexity and risk. The right cloud security solutions should be user-friendly and standardize cloud security across various business units. A robust solution serves as an advisor, offering insights into vulnerabilities or misconfigurations requiring immediate attention. It also delivers contextually rich risk prioritization and actionable insights for informed decision-making about mitigation and tools to automate and accelerate remediation.