The State of Cloud Security Risk, Compliance and Misconfigurations

The State of Cloud
Security Risk,
Compliance, and
Misconfigurations
© 2021 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.
2 © Copyright 2021, Cloud Security Alliance. All rights reserved.

Acknowledgments
Lead Author:
Hillary Baron
Contributors:

Josh Buker
Sean Heide
Alex Kaluza
Shamun Mahmud
John Yeoh

Designers:
Stephen Lumpe
AnnMarie Ulskey
Special Thanks:
Nikhil Girdhar, Product Marketing Leader, CloudHealth® by VMware
Lauren van der Vaart, Senior Content Marketing Specialist, Multi-Cloud, VMware

© Copyright 2021, Cloud Security Alliance. All rights reserved. 3

Table of Contents
Executive Summary.............................................................................................................................6
Key Finding 1: Lack of knowledge and expertise continue to plague security teams........................................................... 6
Key Finding 2: Information security and IT operations held responsible for reducing cloud misconfigurations................... 6
Key Finding 3: DevSecOps approach to security still out of reach....................................................................................... 7
Departments are struggling to align on security policies and/or their enforcement.................................................... 7
Interdepartmental alignment on security policies and enforcement is crucial for proactive security........................... 8
Current State Of Cloud Security Programs...........................................................................................9
Public Cloud Providers Used.............................................................................................................................................. 10
Annual Budget for Public Cloud......................................................................................................................................... 10
Overall Confidence to Defend Against a Cloud Security Breach.........................................................................................11
Confidence in Ability to Defend Against Cloud Vulnerabilities and Threats........................................................................11
Barriers to Resolving Security Concerns.............................................................................................................................12
Interdepartmental Alignment on Security Policies and Enforcement..................................................................................13
Measuring Security and Compliance Posture.................................................................................................................... 14
Cloud Security Tools Being Used........................................................................................................ 15
Solutions Used for Cloud Security......................................................................................................................................15
Satisfaction with Cloud Service Provider’s Security Solutions.............................................................................................15
Use of Managed Service Providers.................................................................................................................................... 16
Cloud Security Posture Management................................................................................................. 17
Identification of Misconfigurations.....................................................................................................................................17
Team Responsible for Detecting, Tracking, and Reporting Misconfigurations.............................................................17
Causes of Cloud Misconfigurations........................................................................................................................... 18
Pipeline Delivery Stage Where Misconfigurations are Detected................................................................................. 18
Length of Time to Detect Misconfigurations...............................................................................................................19
Breaches and Incidents from Misconfigurations................................................................................................................ 20
Cloud Security Incident or Breach due to Misconfigurations in the Past Year............................................................. 20
Barriers to Preventing or Fixing Cloud Misconfigurations.......................................................................................... 20
Governance and Compliance..............................................................................................................................................21
Designing Security and Compliance Standards for Managing Cloud Misconfigurations..............................................21
Enforcing Standards Across Teams and Organizations............................................................................................... 22
Balancing Security with Project Delivery.................................................................................................................... 22
Resolution of Misconfiguration Mistakes........................................................................................................................... 23
Group Responsible for Correcting Misconfigurations................................................................................................ 23
Pipeline Delivery Stage Where Misconfigurations are Remediated............................................................................ 24
Length of Time to Remediate a Misconfiguration...................................................................................................... 24
Methods for Improving Resolution of Security or Compliance Misconfigurations...................................................... 25
Barriers to Using Auto-Remediation.......................................................................................................................... 25
Demographics.................................................................................................................................... 27
Organization Public Cloud Spend...................................................................................................................................... 29
Job Level........................................................................................................................................................................... 29
Primary Department.......................................................................................................................................................... 30
Organization Industry........................................................................................................................................................ 28
Organization Size.............................................................................................................................................................. 28
Location............................................................................................................................................................................ 27

Survey Creation And Methodology
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote
best practices for ensuring cyber security in cloud computing and IT technologies. CSA is also tasked
with educating various stakeholders within these industries about security concerns in all other forms
of computing. CSA’s membership is a broad coalition of industry practitioners, corporations, and
professional associations. One of CSA’s primary goals is to conduct surveys that assess information
security trends. These surveys help gauge the maturity of information security technology at various
points in the industry, as well as the rate of adoption of security best practices.
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote
best practices for ensuring cyber security in cloud computing and IT technologies. CSA is also tasked
with educating various stakeholders within these industries about security concerns in all other forms
of computing. CSA’s membership is a broad coalition of industry practitioners, corporations, and
professional associations. One of CSA’s primary goals is to conduct surveys that assess information
security trends. These surveys help gauge the maturity of information security technology at various
points in the industry, as well as the rate of adoption of security best practices.

CloudHealth® by VMware commissioned CSA to develop a survey to add to the industry’s knowledge
about public cloud security and to prepare this report of the survey’s findings. CloudHealth financed
the project and co-developed the initiative by participating with CSA in the development of survey
questions addressing cloud security. The survey was conducted online by CSA from May 2021
to June 2021 and received 1090 responses from IT and security professionals from a variety of
organization sizes and locations. The data analysis was performed by CSA’s research team.

Goals of the study

The goal of this survey is to assess organizational readiness for mitigating public cloud security and
compliance risks due to configuration mistakes. Key research topics include:
• Current state of cloud security programs, including top risks and usage of security tools
• Cloud Security Posture Management (CSPM) challenges faced by organizations in mitigating
misconfiguration vulnerabilities
• Organizational readiness, success KPIs, and teams responsible for different aspects of cloud
security posture management

Executive Summary
Cloud misconfigurations consistently are a top concern for organizations utilizing public cloud.
Such errors lead to data breaches, allow the deletion or modification of resources, cause service
interruptions, and otherwise wreak havoc on business operations. With recent breaches due to
misconfigurations making major headlines, this survey was conducted to better understand the
current state of cloud security programs, tools utilized to mitigate security risks, organizations’
cloud security posture, and barriers organizations face in reducing security risks.
Key Finding 1
Lack of knowledge and expertise continue to plague
security teams
Lack of knowledge and expertise are well-known
issues within the information security industry. It is no
surprise then, that lack of knowledge and expertise was
consistently identified as: 59% 62%
• The primary barrier to general cloud security (59%)
• The primary cause of misconfigurations (62%)
• A barrier to proactively preventing or fixing
misconfigurations (59%) The primary barrier The primary cause Ab
• The primary barrier to implementing auto- to general cloud of misconfigurations p
remediation (56%) security m
These findings highlight the trickle-down effect that lack

of knowledge can have on security teams. It starts as a
general barrier to implementing effective cloud security
59% 62%
measures. This leads to misconfigurations, the primary
cause of data breaches. But it’s also preventing security 59% 56%
teams from implementing a solution, such as auto-
remediation, which could supplement this knowledge 0
and skills deficit.
The primary barrier The primary cause A barrier to proactively And the primary barrier
to general cloud of misconfigurations preventing or fixing to implementing
security misconfigurations auto-remediation

Key Finding 2
Information security and IT operations held
responsible for reducing cloud misconfigurations
Each year data breaches due to misconfigurations make headlines, making it a top concern for many
organizations.
One likely reason why organizations struggle with management of misconfigurations is that they
are holding their IT operations and information security teams primarily responsible for detecting,
monitoring, and tracking potential misconfigurations (information security 54%, IT operations 33%)
as well as remediating these misconfigurations (information security 36%, IT operations 34%), rather
than distributing responsibilities across the DevOps or application engineering teams who may be
accidentally causing such mistakes and are in a better position to directly fix these errors.
For this reason, it is important for organizations to shift left the remediation responsibilities to DevOps
and application engineering teams in order to manage misconfiguration risk more effectively.
Also, the primary reason organizations state for having a security incident due to misconfigurations
is “lack of visibility” (68%). It is equally as important for organizations to prioritize tooling that
provides three primary things:
• Improved visibility
• Effective risk governance
• Automation
These functions will help improve the organization’s ability to quickly identify and correct
misconfigurations, regardless of the team responsible for them.
Other 3%
Primary team responsible for detecting,
tracking, and reporting cloud misconfiguration
DevOps 10%
mistakes in your organization.
33% IT Operations
54% Information Security
Other 3% Primary group responsible for ensuring cloud

Unsure 4%
misconfiguration mistakes are corrected.
DevOps 16%
34% IT Operations
Application Engineer 8%

Key Finding 3
DevSecOps approach to security still out of reach
Departments are struggling to align on security policies and/or their
enforcement
Topics like DevSecOps and shifting security left have become increasingly hot topics for the security
industry. While these strategies result in harder, more secure, and more resilient applications,
many organizations struggle to implement these approaches. They are struggling to even get
interdepartmental agreement on security policies and the enforcement of those policies. Under a
third of organizations have been successful in this regard.
This lack of alignment among departments could be due to cultural differences, namely differing
priorities among managers. Typically, this issue starts with the managers and spreads to their team.
Another explanation for this lack of alignment could tie back to a lack of knowledge noted in the
previous key finding. If departments don’t have sufficient knowledge of DevSecOps strategies and best
practices, then it’s incredibly difficult to start implementing them or to gain alignment on key issues.
It’s also worth noting that despite approximately 70% of organizations struggling to obtain
interdepartmental alignment on security policies and/or enforcement, only 39% identified this as a
primary barrier to resolving security concerns. So, it’s likely that organizations are encountering more
fundamental problems that are preventing them from moving toward a DevSecOps or shift left model.
Relationship between Security, IT Operations, and Developer

teams regarding security policies and enforcement
Not aligned on security policies

21% Aligned on security policies and
and enforcement strategy 30%
enforcement strategy
Aligned on security policies, but

49%
not on enforcement strategy

Interdepartmental alignment on security policies and enforcement is
crucial for proactive security
Organizations who can gain alignment among their departments regarding security policies and
enforcement strategies and are moving toward a DevSecOps approach are better equipped to deal
with configuration errors. These organizations were more likely to detect a misconfiguration within
a day of the error occurring (full alignment – 56%, partial alignment – 41%, no alignment – 31%).
They are also more likely to remediate that error within a day of detecting the misconfiguration
(full alignment – 51%, partial alignment – 24%, no alignment – 19%). Since misconfigurations are
one of the leading causes of data breaches, the shorter the timeline to detecting and remediating
these errors, the more secure an organization is overall. It’s clear that this alignment and movement
towards a DevSecOps approach is key for organizations addressing misconfigurations, but also
reducing the risk of a data breach or other major security incident.
Detect Configuration Error within a Day
56% 41% 31%
Aligned on security policies Aligned on security policies Not aligned on security

and enforcement but not enforcement policies or enforcement
Remediate Configuration Error within a Day
51% 24% 19%
Aligned on security policies Aligned on security policies Not aligned on security

and enforcement but not enforcement policies or enforcement

Current State Of Cloud
Security Programs
Public Cloud Providers Used
There is not one dominant public cloud platform in the market, but Amazon Web Services (AWS),
Microsoft Azure, and Google Cloud Platform (GCP) continue to be the primary public cloud providers
used. In this survey, 74% of respondents use AWS, 79% use Azure, and 41% use GCP.
41% 6%
79% Alibaba Cloud
Google Cloud
Platform (GCP)
Microsoft 6%
IBM
Azure
8%
74% Oracle
Amazon Web
Services
(AWS)
Annual Budget for Public Cloud

The budgets for public cloud spend varied greatly among participants. However, the top three most
common responses were under $1,500,000 with “$0-$250,000” at 22%, “$500,001-$1,500,000” at
15% and “$250,001-$500,000” at 13%. There was also a notable percentage who were unsure (16%).
0s
00
0
0
0y
0,
0
nd
00
,0
0
00
po
00
,0
0,
10
0,
50
s
3,
re
0s
50
-$
1,
-$
00
o
-$
0
-$
tt
1
1
00
0,
00
0
1
1
no
,0
0,
0
0
0
0,
e
,0
,0
00
,0
25
er
ur
0
10
00
50
,0
,5
-$
ef
ns
>$
$2
$3
$5
$1
Pr
U
0
%
%
%
%
7%
7%
22
10
10
16
15
13

Overall Confidence to Defend Against a Cloud
Security Breach
To assess respondents confidence in their organization’s security program, they were asked to rate
their general level of confidence in the organization’s ability to defend against a cloud security breach.
Most respondents reported being “moderately confident” (42%) or “very confident” (31%).
Extremely Confident 6% 5% Not at all confident
Very Confident 31% Somewhat Confident

16%
42% Moderately Confident
Confidence in Ability to
Defend Against Cloud
Vulnerabilities and Threats Compliance and regulatory
On average, respondents are “moderately Network

confident” in their organization’s ability to defend
LEAST C ON FIDENT
MOST C ONFIDENT
against threats and vulnerabilities in a variety of
areas. There were minimal variations in the level Identity and access management
of confidence among the various categories.
The areas that inspired the most confidence,
Runtime and/or workload
“compliance and regulatory” and “network,”
were only slightly higher than the lowest rated,
“misconfiguration.” Data loss or leakage
Misconfiguration

Lack of skills and expertise Barriers to Resolving
59%
Limited budget and staffing resources

Security Concerns
56%
The primary barriers to resolving security
Difficulty managing complex cloud environment concerns were unsurprisingly, “lack of skills
41% and expertise” (59%) and “limited budget and
staffing resources” (56%). Both issues have
Lack of internal alignment or support
plagued the industry for some time and tie in
39%
closely to the other options. This suggests that
Lack of visibility into cloud environment issues of budget, staffing, and expertise are
38% perhaps obscuring other key issues such as “lack
of visibility” and “inadequate security tooling.”
Inadequate security tooling
26%
Interdepartmental Alignment on Security Policies and

Enforcement
DevSecOps and “shifting left” have become popular concepts within the security industry. However, it
appears that the execution on these concepts remains elusive for many organizations. Only 31% report
that their internal teams are aligned on both security policies and enforcement strategies. This lack of
alignment between departments could be due to cultural differences, namely differing priorities. Another
explanation could be a lack of knowledge, which is an issue noted in the previous question.
It’s also worth noting that despite approximately 70% of organizations struggling to obtain
interdepartmental alignment on security policies and enforcement, only 39% identified this as a
primary barrier to resolving security concerns.
Additionally, respondents who have better interdepartmental alignment on security policy and/or
enforcement policies are more likely to report they are “extremely confident” or “very confident” in
their ability to defend against a security breach (Extremely confident: full alignment – 15%, partial
alignment – 2%, no alignment – 1%; Very confident: full alignment – 49%, partial alignment - 27%,
no alignment –16%). Evidently, we can gather that internal alignment is a key determining factor and
baseline requirement for organizations looking to improve their cloud security posture.
Not aligned on security policies

21% Aligned on security policies and
and enforcement strategy 30%
enforcement strategy
Aligned on security policies, but

49%
not on enforcement strategy
12 © Copyright 2021, Cloud Security Alliance. All rights reserved. 12

Measuring Security and Compliance Posture
The indicators organizations are using to measure their security and compliance posture varies among
organizations. Respondents were asked to select the top three indicators their organization uses.
The most selected responses were “% of unresolved high-risk misconfigurations or violations”
(42%), “number of failed security and compliance controls” (38%), and “mean time to resolve
misconfigurations or security and compliance violations” (32%).
42% 38% 32% 30% 28%
% of unresolved Number of failed Mean time to resolve Mean time to % of cloud

high risk security and misconfigurations detect misconfigurations inventory covered
misconfigurations compliance controls or security and or security and by security or
or violations compliance violations compliance violations compliance controls
Cloud Security Tools Being Used

Solutions Used for Cloud Security
Generally, there is a relatively even split between organizations using cloud service provider’s native tools
and third-party solutions. However, a few categories of cloud security had a clear winner. Cloud service
providers’ native tools are the preferred solution for “identity and access management” (47%), while
third-party solutions are preferred for “detect network threat” (46%) and “prevent data leakage” (35%).
A particularly concerning pattern to note is the percentage of organizations not using a data loss
prevention tool (13%) which was much higher than for any other category. This could reflect the
difficulty these types of solutions are to implement.
Cloud Service Provider’s Third Party Soultion In-house Solution N/A -No Solution Unsure
Native Tools
Identity and access
management
47% 31% 17% 2% 3%
Benchmark and monitor

35% 34% 16% 9% 6%
compliance
Detect runtime and/or workload

threats and anomalies 35% 38% 13% 7% 7%
Detect and remediate

misconfigurations 34% 33% 17% 9% 7%
Detect network threats 31% 46% 13% 5% 5%
Prevent data loss

or leakage 30% 35% 15% 13% 7%

Satisfaction with Cloud
Identity and access management
Service Provider’s Security
Solutions
Detect network threats
On average, respondents are “moderately
satisfied” with their primary public cloud service
L E A ST CO NF ID E NT
M O ST CO NF ID E NT
Benchmark and monitor compliance
provider’s security solutions. There were minimal
variations in the level of satisfaction among the
Detect runtime and/or workload various categories. The areas that had the highest
threats and anomalies
average satisfaction, such as “identity and access
management,” were only slightly higher than the
Detect and remediate service lowest rated, “prevent data loss or leakage.”
misconfigurations
Prevent data loss or leakage
Use of Managed Service

Providers Unsure 10%
Most organizations are not using a Managed

Service Provider (MSP, 59%) to manage security
and compliance of public cloud environments. 31% Yes
Only 31% are using an MSP. It should also be
noted that small businesses with 1-50 employees No 59%
were more likely to not use an MSP (72%) than
organizations with 50 or more employees (57%).
Cloud Security Posture Management

Identification of Misconfigurations
Team Responsible for Detecting, Tracking, and Reporting
Misconfigurations
The primary team responsible for detecting, tracking, and reporting cloud misconfiguration mistakes
is most often the information security team (54%). IT Operations was the second most common
response (33%).

It is interesting that DevOps teams, who are usually the source of misconfigurations, and therefore
more likely to be aware that a misconfiguration has occurred, are not identified as the group responsible
for detecting, tracking, or reporting cloud misconfiguration mistakes. This highlights the importance
of moving towards a DevSecOps approach to improve alignment and visibility across departments,
that will ultimately result in faster detection and remediation of misconfigurations.
Equally important is ensuring the organization has the right tools that can enable all these departments
across the organization. In particular, tools that enable effective risk governance, so organizations are
better able to identify and manage risk and compliance. Automation is also key to quickly identify and
remediate misconfigurations. This will require organizations to modernize their architecture towards cloud.
Other 3%
DevOps 10%
33% IT Operations
Causes of Cloud Misconfigurations Lack of knowledge or expertise in cloud security

best practices
The primary cause of misconfigurations in 62%
organizations was “lack of knowledge or expertise Lack of security visibility and monitoring
in cloud security best practices” (62%). This 49%
is unsurprising since this was noted as a major
Speed of deployment and time to market constraints
security barrier earlier. Somewhat more surprising
was the second most selected response, “lack 43%
of security visibility and monitoring” (49%), Default account and service configuration settings
since visibility wasn’t noted as a primary barrier 34%
for resolving security concerns previously in the
Out-of-compliance templates and automation scripts
survey. This could indicate that organizations
22%
are not prioritizing resolving challenges around
visibility and as a result, visibility is a leading cause Other
of misconfigurations. 5%

Pipeline Delivery Stage Where Misconfigurations are Detected
The most common stage in the delivery pipeline where cloud configuration errors are detected are in
the “test” phase (36%) and the “post-production” phase (21%). This means that most configuration
errors are detected prior to deployment (67%) which would suggest in at least some ways
organizations have been able to “shift left.”
Plan Build Test Deliver Deploy Post-production
7% 16% 36% 8% 13% 21%
Length of Time to Detect Misconfigurations
The length of time organizations take to detect a cloud configuration mistake varies widely. Most
commonly they are finding them within a day (23%) or within a week (22%). More concerning however
is that 22% of organizations are taking longer than one week to even find the configuration errors, let
alone resolve the misconfiguration.
It is also important to note that organizations that reported interdepartmental alignment on policies
and their enforcement were more likely to detect a misconfiguration within a day of the error
occurring (full alignment - 56%, partial alignment - 41%, no alignment - 31%).
)
es
ut
in
m
s
in
th
ith
on
(w
m
th
th
s
k
e
6
ur
on
on
ee
im
n
ho
da
m
m
ha
w
l-t
rt
a
a
ea
in
in
in
in
in
ge
rr
ith
ith
ith
ith
ith
ea
n
Lo
W
W
N
%
%
%
%
4%
6%
12
22
23
17
16

Breaches and Incidents from Misconfigurations
Cloud Security Incident or Breach
due to Misconfigurations in the
Past Year Unsure 18% 17% Yes
Most organizations reported that they had not

experienced a public cloud security incident or
breach in the past year (65%). About 17% said
they had experienced such an incident, leaving
18% unsure. Given survey respondents are in job No 65%
roles directly involved in their organization’s cloud
security posture, it’s concerning that such a high
percentage of respondents were not sure whether
a security incident or breach had occurred.
Lack of security visibility and monitoring capabilities Barriers to Preventing or Fixing

68% Cloud Misconfigurations
Lack of knowledge or expertise
59% Of those 17% who had a cloud security
incident or breach, the most common barrier
Lack of proactive notifications when configuration
errors occur to proactively preventing or fixing the cause
57% was “lack of security visibility and monitoring
capabilities” (68%) followed by “lack of
Inability to prioritize misconfigurations
knowledge or expertise” (59%). Once again,
42%
knowledge and visibility are key barriers.
Lack of accountability
33%
Other
3%

Governance and Compliance
Designing Security and Compliance
Leverage industry compliance standards
Standards for Managing Cloud
69%
Misconfigurations
Leverage benchmarks recommended by cloud
service providers
Organizations are primarily utilizing “industry
55%
compliance standards” (69%), “benchmarks
recommended by cloud service providers” Create custom policies and/or standards
(55%), and “custom policies and/or standards” 45%

(45%). This leaves only 9% who reported that N/A - don’t do this currently
designing security compliance standards wasn’t 9%
something they were currently doing.
Enforcing Standards Across Teams and Organizations
The level of enforcement of security and compliance standards differs among organizations.
Roughly an even number of organizations reported “fully enforced in all environments” (23%),
“fully enforced in critical environments only” (26%), and “subset of standards enforced in all
environments” (24%). This is particularly interesting as 70% of companies reported struggling on
interdepartmental alignment on security policies and/or their enforcement.
It should also be noted that organizations who had interdepartmental alignment on policies and their
enforcement were more likely to report “fully enforced in all environments” (44%) when compared
with those who were aligned on policy, but not enforcement (17%) and those who were not aligned
on either (7%).
ts
en
l a
ly itic
nm
nv ds
ts tic ds
l
on cr
al
iro
le r
en cri dar
al da
ts in
t
ts in
en
on al
in tan
nm in an
en ed
en ced
em
ly
ro d st
nm rc
ed f s
nm or
rc
ro fo
vi rce of
rc o
ro f
fo
vi en
vi en
fo et
en fo et
en
en ubs
en bs
en lly
en ully
o
Su
Fu
N
S
F
%
%
0%
%
24
23
16
26

Balancing Security with Project Delivery
Organizations surveyed tend to prioritize risk mitigation even if it resulted in some delay in
speed of product delivery (41%). Another 29% prioritize speed of delivery with some delay in
risk mitigation. To ensure that these responses weren’t skewed because of the large number of
information security professionals who responded to the survey, the data was also analyzed with
their responses omitted. No significant differences were found.
Another notable finding was that organizations who had interdepartmental alignment on policies
and their enforcement were more likely to report that they “prioritize risk mitigation over speed of
delivery” (35%) when compared with those who were aligned on policy, but not enforcement (12%)
and those who were not aligned on either (12%).
n
sp n
io
er on
in atio
at
la
ee
liv ati
g
de
y
ay ig
iti
de tig
tio om f
ris of
ga s o
y del it
m
n e
of i
iti th d
er ed
m
d km
m i ee
k
ov e
liv me isk
k y w sp
y sp
ee ris
de so e r
ris er ze
er e
sp ze
of ith itiz
liv itiz
in eliv riti
er iti
w ior
de ior
ov rior
d rio
er
Pr
Pr
P
P
%
%
%
29
19
41
11
Resolution of Misconfiguration Mistakes
Group Responsible for Correcting Misconfigurations
Earlier, we found that the primary group responsible for detecting, tracking, and reporting cloud
misconfigurations is Information Security (54%), followed by IT Operations (33%). When it comes
to resolving misconfigurations, Information Security and IT Operations are still the two primary
groups responsible. However, the division of responsibility seems much more evenly split, with 36%
of organizations reporting Information Security is primarily responsible and 34% of organizations
reporting IT Operations is primarily responsible.
It is interesting that rather than the DevOps or Application engineer teams who are causing such
mistakes and in a better position to directly fix these errors, IT operations and information security
are held responsible. This once again
emphasizes the importance of alignment Other 3%
among these departments. If organizations

Unsure 4%
can gain this alignment and move toward
a DevSecOps approach, they will have DevOps 16%
greater visibility into the activities of the
34% IT Operations
other departments and can work together Application Engineer 8%
to more rapidly address misconfigurations 36% Information Security
and other errors that arise.

Pipeline Delivery Stage Where Misconfigurations are Remediated
The most common stage in the delivery pipeline where cloud configuration errors are remediated are
in the “test” phase (34%) and the “post-production” phase (24%). This means that most configuration
errors are remediated prior to deployment (63%) which would again suggest in at least some ways
organizations have been able to “shift left.”
These findings are nearly identical to the stage in the delivery pipeline where cloud configuration
errors are detected, which was discussed earlier (test, 36%; post-production, 21%; remediating prior
to deployment, 67%).
Plan Build Test Deliver Deploy Post-production
4% 14% 34% 11% 14% 24%
Length of Time to Remediate a Misconfiguration
Most organizations are remediating these cloud configuration mistakes within the same week (32%)
or the same day (28%). For approximately 30% of organizations however, it is taking longer than one
week to remediate these misconfigurations.
A similar question about the length of time to detect a configuration mistake, found that 78% of
organizations were able to detect an error within one week. A similar trend was found with the length
of time to remediate a configuration error, with 69% remediating within a week.
Another notable finding was that organizations that reported interdepartmental alignment on
policies and their enforcement are also more likely to remediate that error within a day of detecting
the misconfiguration (full alignment - 51%, partial alignment - 24%, not alignment - 19%).
e
im
-t
al
re
in
ra
ut ted
ye
th
a
ia
on
r
th
)
n
ed
es
ye
m
ha
on
ee
ay
m
rt
a
W
M
D
re
in
in
in
ge
e
e
m
-
ith
ith
to
n
in
Au
Lo
Sa
Sa
Sa
W
ith
%
%
9%
2%
2%
(w
9%
32
28
17

Methods for Improving Resolution Training and education
of Security or Compliance 61%
Misconfigurations Manual remediation

48%
The most common method organizations Automated remediation
use to improve the resolution of security and/ 43%
or compliance misconfigurations in cloud
Leveraging security-verified Infrastructure-as-Code
environments is “training and education.” This
templates
is unsurprising since lack of knowledge has
40%
repeatedly been indicated as a key barrier to
security. The second and third most common Proactive enforcement of security controls in CI/CD
pipeline
responses were “manual remediation” (48%)
41%
and “automated remediation” (43%). Although
automation made the top three methods, it’s
clear that many organizations have yet to fully
implement auto-remediation since it wasn’t a
commonly selected response when asked about
the length of time it takes their organization to
remediate misconfigurations in the previous
question.
Lack of expertise Barriers to Using Auto-Remediation

56%
Lack of alignment between security and engineering on

For those who don’t utilize automated remediation,
auto-remediation strategy the most common reasons for not using this
43% solution were once again, lack of expertise (56%).
The second most common reason cited was the
Concern that auto-remediation will result in unintended
consequences lack of alignment between departments on the
42% auto-remediation strategy (43%). This is once
again unsurprising since 70% of organizations are
Insufficient budget
struggling to obtain interdepartmental alignment
35%
on security policies and/or policy enforcement.
No interest currently A close third reason was that there was concern
8% that auto-remediation could result in unintended
consequences (42%). This could be tied back to
the issue of lack of expertise and knowledge. If
the teams don’t know how to properly utilize the
technology, there is a much higher likelihood that
they could run into unintended consequences.

Demographics
This survey was conducted from May 2021 to June 2021 and gathered 1090 responses from IT and
security professionals from a variety of organization sizes, industries, locations, and roles.
Organization Industry
36% IT and technology
19% Financial services
16% Public sector (government, education, etc.)
9% Business and professional services
6% Other
6% Health, pharmaceuticals, and biotech
5% Telecommunications
4% Manufacturing and production
3% Retail
2% Energy, oil/gas, and utilities
2% Travel and transportation
1% Construction and property
Organization Size
s
ee
s
s
ee
ee
oy
s
ee
oy
oy
s
pl
ee
s
s
oy
pl
pl
ee
ee
em
oy
em
em
pl
s
oy
oy
ee
pl
em
pl
pl
0
oy
0
em
00
em
,0
em
0
0
pl
,0
10
0
5,
00
em
-2
,0
0+
00
–
-5
-1
0
1
1
1
-2
0
00
00
00
,0
-5
1
20
50
10
51
2,
5,
1,
1
%
%
%
%
9%
7%
9%
28
14
10
12
10
Job Level
20% C-Level or Executive
Staff 30%
Manager 50%

Organization Public Cloud Spend
s
00
00
,0
00
0y
d
00
,0
on
,0
00
00
,0
00
sp
10
0,
3,
5
re
0s
50
-$
1,
-$
00
o
-$
0
-$
tt
01
01
00
0,
01
01
no
,0
,0
0,
00
e
00
,0
00
,0
25
er
ur
0,
00
50
,0
,5
-$
ef
ns
1
>$
$2
$3
$5
$1
Pr
U
0
%
%
%
%
7%
7%
22
10
10
16
15
13
Primary Job Other 12%

IT Operations
Department
13%
DevOps 5%
Application Engineer 4%
Location
20% Asia-Pacific
Americas 51%
Europe, Middle East,

29% Africa
Top contributing countries include: United States of America, India, United Kingdom of Great
Britain and Northern Ireland, Canada, Australia, Singapore, Germany, Switzerland, France

About the Sponsor
VMware is a leading innovator in enterprise software. We power the world’s digital infrastructure.
Our cloud, app modernization, networking, security, and digital workspace platforms form a flexible,
consistent digital foundation. This foundation empowers businesses to build, run, manage, connect,
and protect applications, anywhere–enabling technology-driven transformation without disruption.
VMware acquired CloudHealth Technologies, Inc. in October of 2018.
Sponsors are CSA Corporate Members who support the findings of the research project but have no
added influence on the content development or editing rights of CSA research.

The State of Cloud Security Risk, Compliance and Misconfigurations

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The State of Cloud Security Risk, Compliance and Misconfigurations

Uploaded by

Copyright:

Available Formats

The State of Cloud

2 © Copyright 2021, Cloud Security Alliance. All rights reserved.

© Copyright 2021, Cloud Security Alliance. All rights reserved. 3

4 © Copyright 2021, Cloud Security Alliance. All rights reserved.

Goals of the study

© Copyright 2021, Cloud Security Alliance. All rights reserved. 5

These findings highlight the trickle-down effect that lack

6 © Copyright 2021, Cloud Security Alliance. All rights reserved.

54% Information Security

Other 3% Primary group responsible for ensuring cloud

36% Information Security

© Copyright 2021, Cloud Security Alliance. All rights reserved. 7

Relationship between Security, IT Operations, and Developer

Not aligned on security policies

Aligned on security policies, but

8 © Copyright 2021, Cloud Security Alliance. All rights reserved.

Detect Configuration Error within a Day

56% 41% 31%

Aligned on security policies Aligned on security policies Not aligned on security

Remediate Configuration Error within a Day

51% 24% 19%

Aligned on security policies Aligned on security policies Not aligned on security

© Copyright 2021, Cloud Security Alliance. All rights reserved. 9

Annual Budget for Public Cloud

10 © Copyright 2021, Cloud Security Alliance. All rights reserved.

Extremely Confident 6% 5% Not at all confident

Very Confident 31% Somewhat Confident

42% Moderately Confident

On average, respondents are “moderately Network

© Copyright 2021, Cloud Security Alliance. All rights reserved. 11

Limited budget and staffing resources

Interdepartmental Alignment on Security Policies and

Not aligned on security policies

Aligned on security policies, but

12 © Copyright 2021, Cloud Security Alliance. All rights reserved. 12

42% 38% 32% 30% 28%

% of unresolved Number of failed Mean time to resolve Mean time to % of cloud

Cloud Security Tools Being Used

Benchmark and monitor

Detect runtime and/or workload

Detect and remediate

Detect network threats 31% 46% 13% 5% 5%

Prevent data loss

© Copyright 2021, Cloud Security Alliance. All rights reserved. 13

Prevent data loss or leakage

Use of Managed Service

Most organizations are not using a Managed

Cloud Security Posture Management

14 © Copyright 2021, Cloud Security Alliance. All rights reserved.

54% Information Security

Causes of Cloud Misconfigurations Lack of knowledge or expertise in cloud security

© Copyright 2021, Cloud Security Alliance. All rights reserved. 15

Plan Build Test Deliver Deploy Post-production

7% 16% 36% 8% 13% 21%

Length of Time to Detect Misconfigurations

16 © Copyright 2021, Cloud Security Alliance. All rights reserved.

Most organizations reported that they had not

Lack of security visibility and monitoring capabilities Barriers to Preventing or Fixing

© Copyright 2021, Cloud Security Alliance. All rights reserved. 17

(55%), and “custom policies and/or standards” 45%

Enforcing Standards Across Teams and Organizations

18 © Copyright 2021, Cloud Security Alliance. All rights reserved.

among these departments. If organizations

and other errors that arise.