Professional Documents
Culture Documents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Security Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Final Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Prisma Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Security Drivers
• Organizations are consolidating their security approach. Nearly three-quarters use 10 or
fewer security tools, and we see a 27% increase from the 2020 data in the number of
organizations using just one to five security vendors, suggesting that they are looking to
fewer security vendors for more capabilities.
• Organizations that have implemented a high level of security automation are 2X more likely
to have low friction and strong posture than their counterparts with low levels of security
automation.
• How well organizations adopted and implemented DevSecOps methodologies is the
primary indicator of best-in-class security. Organizations that tightly integrate DevSecOps
principles are over 7X more likely to have strong or very strong security posture and are
9X more likely to have low levels of security friction.
46%
31%
59% 69%
Figure 1: Percent change in cloud workload volumes since 2020
2021 24%
Public Private VMs 30%
2020
2021 17%
Containers
2020 24%
48% 55%
2021 13%
CaaS
2020 1 21%
2021 42%
52% 45% PaaS and Serverless
2020 22%
20%
2021 4%
Other
2020 2021 2020 3%
Figure 2: Share of workloads hosted in public vs. private clouds (left); share of workloads by compute type (right)
When examining the reasons why organizations expanded their cloud capabilities, the growth was fueled
by strategic business drivers—application modernization, maintaining competitiveness, and controlling
infrastructure overhead. While the pandemic was surely a contributing factor in this year’s report, these
reasons remain paramount for why organizations choose to utilize the cloud in general. The flexibility
and agility that the cloud provides to organizations allow them to keep businesses moving forward at an
ever-increasing pace.
Regulatory compliance 1
42%
$ ¥
€
46%
In 2020, 21% of organizations dedicated In 2021, 39% of respondents Orgs with cloud budgets over
less than $10M toward their cloud. fall in that category. $50M dropped from 46% to 26%.
While we see slight differences in cloud adoption approaches by industry, geography, and revenue, the
data indicates that these variations do not play a significant role in overall results. That said, the figure
below highlights some of the more notable regional variations.
Almost half (47%) of USA respondents Germany reported the highest percentage Japan reported the most significant
report a strong or very strong security of automating security processes (40%). increase of using Serverless architecture
posture, higher in comparison to other (57%) in the next 24 months, over any
countries. other architecture.
In Brazil, almost half (48%) of respondents The UK uses more open source tooling as
expect their companies to have anywhere their primary provider for cloud security
from 76-100% of their workloads in the than any other country surveyed.
cloud in the next two years, showing a
movement of embracing the cloud.
2021 50%
Maintaining comprehensive security
2020 39%
2021 42%
Meeting compliance requirements
2020 32%
2021 1 45%
Technical complexity
2020 42%
While top-line cloud budgets fell, cloud security budgets remained steady.
We interpret that to mean that while organizations spent less money on the
cloud overall, they did not let their security budgets waver. This highlights
that companies understand the value of securing the cloud in order to take
the most advantage of it.
4% 15%
We saw this year that companies expanded their cloud security teams during
the pandemic, with 53% of organizations reporting a security team of over
30 people, up from 41% last year. Companies also consolidated their cloud
security vendors as they expanded their cloud environments. The data shows 2020 2021
a 27% increase in the number of organizations using just one to five security
vendors, while those using six to ten vendors is down 19% since last year. Figure 7: Respondents spending more
than 20% of cloud budget on security
80%
68%
60%
41%
40% 39%
20% 1 20%
0%
2020 2021
45%
all cloud accounts and resources
6%
Our risk and vulnerability prioritization
is extremely useful Strong strong cloud
Our automated runtime protection provides 39% security posture
a strong security baseline for workloads
90%
80%
70%
60%
50% 1
Requirements and design phase of Percentage of Teams with High DevSecOps Integration
the delivery cycle
61%
Testing phase of the delivery cycle
DevSecOps 22% 16%
Integration
Deployment phase of the delivery cycle Highly Automated Teams Medium Automated Teams Low Automated Teams
7X 9X
How well organizations adopted and implemented
DevSecOps methodologies was the primary indicator
of best-in-class security. Organizations that tightly
integrate DevSecOps principles into their development
lifecycle are over seven times more likely to have strong
or very strong security posture and are nine times more
likely to have low levels of security friction.
To measure automation, we asked respondents to
more likely to have strong or more likely to have low levels
rate how deeply their organization has automated five very strong security posture of security friction
security practices, on a scale of “completely manual” to
“completely automated.” Figure 14: Outcomes for organization that
tightly integrate DevSecOps principles
Onboarding of cloud accounts for visibility Percentage of Teams with Low Security Friction
Remediation of misconfigurations
100%
83%
80%
72%
60%
41%
38%
40%
31%
25%
20%
0%
Low Level of Automation Mid Level of Automation High Level of Automation
29% 18%
47%
39%
29% 36%
32%
21%
21% 18%
5% 3% 5% 7%
Security as %
of Cloud Budget 1–5% 6–10% 11–15% 16–20% 21%
36% 34%
36%
53%
28% 27%
33%
20%
26% 26%
10% 12%
Figure 17: Security provider and team budget (top) and size (bottom)
1% 2%
12% 6%
19% 15%
42%
43%
64% 51%
32%
15% 40%
29%
20%
9%
In aggregate, the data suggests that open source security tools do not offer an integrated, compre-
hensive approach that satisfies the full range of capabilities and features organizations are looking
for. Organizations successfully utilizing open source security tools seem to merely shift budget costs
to labor in order to support their efforts. Organizations that are looking to adopt open source tools
should be prepared to trade a highly customized implementation with ongoing investments for internal
support that would otherwise come from designated solution providers.
84%
62% 62%
Moderate Adopters: 39% of total Rapid Expanders: 33% of total Established Users: 28% of total
More likely to have lower revenue Tend to have higher revenue Mostly large organizations (by revenue)
Before pandemic: Small cloud footprint Before pandemic: Small cloud footprint Before pandemic: Large cloud footprint
Currently: Leveraging serverless architectures Currently: Leveraging PaaS architectures Currently: Balanced use of compute environments
Planning: Average target for total cloud usage (62%) Planning: Average target for total cloud usage (62%) Planning: High target for total cloud usage (84%)
Consumer Energy, resources, and industrials Financial services Under $10M $10M–$100M $100M–$500M
Life sciences and healthcare Technology, media, and telecommunications $500M–$1B $1B–$5B Over $5B
Figure 20: Cloud adoption groups by industry (left); cloud adoption groups by income (right)
Cloud Footprints
Moderate Adopters came into the pandemic with a fairly small cloud footprint and expanded minimally
over the following 12 months. Rapid Expanders entered the pandemic with a similar small cloud estate
but with much faster expansion. In contrast, Established Users show a significant existing cloud foot-
print but with slower growth, similar to the Moderate Adopters.
Cloud Spending
Across all groups, cloud spend varied significantly. Only 42% of Moderate Adopters spent more than
$10M on the cloud, compared to 69% of Rapid Expanders and 70% of Established Users. Established
Users also have the highest cloud budgets, with 10% spending over $100M, compared to just 2% of
Moderate Adopters and 1% of Rapid Expanders.
2% 1%
10%
13%
24%
27% 33%
44%
27%
39%
25% 26%
15%
4% 2% 4% 4%
10% 14%
28%
32%
11% 65%
48%
47% 10% 9%
14% 12%
51%
27%
39% 34%
30%
26%
15% 17%
4% 2% 2% 6% 1% 4%
Don’t know/No spend Under $1M $1M–10M $10M–$50M $50M–$100M Over $100M
We also see significant differences in our groups’ cloud objectives. For all groups, short-term goals
such as application modernization and maintaining competitiveness were the primary drivers of cloud
expansion, while more strategic thinking took a back seat. However, there were large differences in
organizational alignment, where our successful Rapid Expanders were significantly more likely to
integrate their cloud evolution into a larger strategic digital transformation effort. Rapid Expanders
who successfully expanded their cloud infrastructure over the past year were over two times more
likely to have integrated it into a wider, strategic digital transformation effort.
Application
58% 64% 77% 52%
modernization
Maintain competitiveness
49% 57% 75% 38%
in market
Reduce infrastructure
39% 52% 75% 46%
overhead
Maintaining comprehensive
54% 54% 51% 43%
security
Meeting compliance
46% 35% 51% 33%
requirements
No clear cloud
12% 21% 30% 15%
migration strategy
1%
7%
16% 19%
16%
35%
30%
40% 20% 60%
27% 40%
37%
18% 23%
11%
6%
16% 20% 16%
23%
27%
41%
36% 56%
28%
24%
35% 22%
19% 25%
6%
The research shows high numbers of security tools being used across all groups, with more than half
of each using more than five tools. This suggests that there may be a variable equation for the optimal
number of security tools needed for a given environment, where larger cloud environments necessarily
require more tools or different teams prefer different tool sets. But an over-emphasis on simplicity may
be detrimental, where unsuccessful adoptions seem to be driven by a lack of security information and
controls due to lack of availability from tooling.
13%
28% 26%
40%
38%
29% 24%
20%
9% 8% 5% 10%
If such a variable equation exists, the data indicates that the integration of security
tools is also a critical factor. Companies that leverage fewer than five security tools
“It’s the ability to integrate your
struggle to deliver a strong or very strong security posture—but friction among
security tools through
teams is unaffected by the number of tools. Rather, it's the ability to integrate
your security tools through DevSecOps methodologies—thereby gaining broader DevSecOps methodologies—
visibility and comprehensive control—that results in better outcomes. This aligns thereby gaining broader visibility
with industry trends toward consolidated, comprehensive security platforms. and comprehensive control—that
results in better outcomes.”
60% 59%
57% 55%
44%
52%
49%
40% 39%
37%
30%
20% 18%
0%
1–2 Tools 3–5 Tools 6–10 Tools 11–20 Tools 21+ Tools
14% 15%
35%
36% 63%
44%
32%
49% 24%
42% 33%
13%
14% 12%
40%
44%
48%
66%
36%
39%
40%
20% 17% 24%
Ultimately, we see that Rapid Expanders who saw success have the strongest security posture, with
81% ranking strong or very strong. Established Users are ranked the next-highest at 50%, while 69%
of Rapid Expanders who struggled showed a weak or very weak security posture. Moderate Adopters
exhibit a low security posture as well, but as noted earlier, this group, which remains dedicated to
lighter cloud usage, may measure cloud success or failure differently.
2%
5% 9% 8%
19%
26%
42%
72%
54% 35%
25%
34% 10%
25% 25%
9%
13% 14%
33%
50% 20%
24%
33%
While organizations used a range of security providers, Rapid Expanders who experienced c
hallenges
tended to leverage more open source security providers. By contrast, those who were successful in
their rapid cloud expansion avoided open source and balanced security sourcing, with 87% focusing
on either CSP- or third-party-driven security.
Balanced
15% CSP Primary
27%
Third-Party Primary
35%
5%
18% 8% 15%
25%
19%
36% 42%
28%
31%
33% 32%
45%
35%
13% 15%
Figure 36: Primary tool provider overall (top) and across adoption groups (bottom)
Final Thoughts
The pandemic put a distinctive mark on this year’s State of Cloud Native Security Report, and we expect
to see its impact continue. Despite rapid changes in business strategies and resources, however, organi-
zations have mostly been able to succeed in their cloud expansions during this time of upheaval. Even
with today’s complex, heterogeneous cloud environments—which incorporate a mix of public and
private clouds, diverse compute compositions, and a growing number of cloud service providers—our
research indicates a proven path forward.
Overall, organizations that made cloud infrastructure a strategic focus across the business were more
successful. Further, cloud security is a clear enabler of business outcomes. For any type of organi-
zation, anywhere in the world, security best practices are consistent and can be implemented as key
drivers for cloud success. Of course, better security does not necessarily lead to a specific measurement.
But having security under control—consolidating tools and vendors as well as using proven DevSecOps
and security automation strategies—sets a baseline that lets development teams do their jobs better
and enables organizations to succeed in their cloud transformations.
Prisma Cloud
Prisma® Cloud is a comprehensive cloud native security platform with the industry’s broadest
security and compliance coverage—for applications, data, and the entire cloud native technology
stack—throughout the development lifecycle and across multicloud and hybrid deployments. Prisma
Cloud’s integrated approach enables security operations and DevOps teams to stay agile, collaborate
effectively, and accelerate cloud native application development and deployment securely. For more
information, visit www.paloaltonetworks.com/prisma/cloud.
3000 Tannery Way © 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 the-state-of-cloud-native-security-report-2022_011422
Support: +1.866.898.9087
www.paloaltonetworks.com