As enterprises look toward the 2019 budget cycle, CISOs and other IT executives are increasingly pushing cloud security to the top of the cybersecurity budgetary priority list.
One recent report from Threat Stack showed that cloud workload security topped the list of allocations for next year's cybersecurity spending initiatives, above IDS/IPS systems, SIEM, security awareness training, and endpoint protection. Meantime, Gartner's worldwide security spending projections for next year show a blazing hot growth rate for cloud security. Analysts with the firm expect the category to grow by 51% in 2019, more than five times the 9% rate of growth expected for the overall security market.
To be fair, Gartner's breakdown still shows cloud security as cybersecurity's smallest subcategory, so part of the massive growth rate reflects a previously immature market playing catch-up. But the fact remains that organizations are finally getting serious about securing their cloud assets and workloads. Here are three of the main reasons why organizations are finally putting their money where their mouth is when it comes to cloud security.
Cloud Adoption Skyrocketing
One of the biggest drivers of cloud security spend is the overall trajectory of cloud adoption for 2019. According to the temperature check from Threat Stack, only 41% of those surveyed still keep their infrastructure on premises today. And Gartner expects the cloud footprint will increase by 21% by the end of this year compared to 2017. There's no stopping this cloud adoption train, as Gartner forecasts double-digit growth through 2021.
As a result, the cloud no longer represents a limited threat environment for enterprises. It's increasingly becoming the main field of engagement between enterprise defenders and the cybercriminals.
"Risk executives reported being most concerned about the probability and impact of potential data risks associated with cloud computing," explains Matthew Shinkman, analyst and practice leader for Gartner. "Despite the advantages, cloud computing comes with an added vulnerability if data is stored incorrectly or if the provider's own security is compromised. To mitigate these risks, executives will need to guarantee that their cloud security strategy keeps up with the pace of this growth."
According to Shinkman, security and risk pros targeting their strategies and spending in 2019 need to keep the following risk indicators top-of-mind:
- Rising proportion of data stored in the cloud
- Changes in product offerings or contract terms from cloud provider(s)
- Growing percentage of non-cloud provider third parties with access to data in the cloud
- Unauthorized employee usage of cloud services
Stakes are Getting Higher
What's more, the stakes are getting higher as more of the data committed to cloud workloads is of a sensitive nature. The rule of thumb for de-risking cloud was to put low-value but expensive systems in the cloud but keep tight reins on sensitive, regulated or critical systems and data. That's starting to get thrown out the window.
For example, consider the highly regulated financial services industry. One study from Thomson Reuters found that firms in this vertical will increase their spending on public cloud such that it will represent 47% of their IT budgets next year, compared to 30% last year. More than 90% of firms in this industry say they will use public cloud for the majority of their data needs. It is telling that cloud dominates even an industry handling some of the most sensitive data sets known to IT.
Cloud Complexity Increasing
The sheer volume of cloud instances isn't the only thing growing quickly. These deployments are growing more complex, with hybrid and multi-cloud models favored by most organizations. According to a recent survey by IBM Institute for Business Value, 85% of companies are already operating in multi-cloud environments and 98% of organizations will be there within three years. These complex deployment scenarios make it increasingly difficult for large organizations to keep track of where data lives, how it flows, who's entitled to access it, and who's responsible for securing it.
As a result, many organizations are spending more on ways to gain better visibility and control over their entire cloud ecosystem. For example, take the dangerous and common state of cloud misconfigurations today. This year has offered up a number of embarrassing examples of organizations exposing sensitive data to the public internet through poorly configured cloud data stores.
A survey last month from Fugue showed that while 92% of IT and security professionals are concerned about security risks due to misconfiguration, fewer than one in three organizations are actually monitoring continuously for these poorly configured clouds.
That's just one of the numerous insecure elements of cloud computing that's going to necessitate a huge round of architectural and strategic investments to secure.