Respondents to a CRA Business Intelligence survey tend to use the "big three" cloud services, including Google Cloud . (Photo by Sean Gallup/Getty Images)

Some businesses have relied on the cloud for years, while others recently migrated to the cloud because of the pandemic. Regardless of their experience, most respondents from CRA Business Intelligence’s September 2022 Cloud Security Survey recognize that despite the appeal of cloud, there are many security risks and vulnerabilities — and staying on top of it all has proven a big challenge.

The data and insights for this new report are based on an online survey conducted in September 2022 among 216 security and IT leaders and executives, security administrators, and compliance professionals from CRA’s Business Intelligence research panel. All respondents are based in the U.S.

In reviewing the findings, these infosec professionals cite misconfigurations, lack of oversight, and little visibility across the organization among their chief concerns about public cloud deployments. Some fear that their high-profile, public cloud platforms are easy targets for malicious actors that use automated tools to scan for cloud misconfigurations and easily gain access to their organization’s cloud-based assets.

The respondents also said the “shared responsibility” model of the large cloud providers is easily misunderstood and can cause concern about overall security. On the plus side, security pros are planning significant investments in cloud security technology in the year ahead.

Here are some of the leading findings from the CRA report:

  • Improved security drives cloud migration. Among the various benefits that appeal to organizations in moving to the cloud is the promise of improved security. Nearly 2 in 3 (62%) survey respondents cite improved security among their top goals for current or future cloud deployments and migrations. Lower operational costs (56%) and compliance (50%) are other primary cloud deployment drivers.
  • The big three cloud providers rule the roost. The top three public cloud platforms in use are Microsoft Cloud/Azure, Amazon Web Services (AWS), and Google Cloud Services (GCS) with 73%, 68%, and 34% adoption by respondents’ organizations. At least 8 out of 10 respondents using any of these cloud platforms reported one or more challenges or concerns with each. Cloud misconfiguration is the predominant problem, cited by 47% of AWS users, 40% of Microsoft Cloud/Azure users, and 35% of GCS users.
  • Most organizations support the cloud with other technologies. The largest shares of respondents indicated they incorporate vulnerability management (69%) and penetration testing (61%) in their organization’s cloud security strategy. Slightly more than one-third of respondents reported they also include API security, cloud security posture management, container security, static analysis, and cloud workload protection. About one-third of respondents (35%) indicate they are planning to add cloud security posture management to their cloud strategy.
  • The cloud security leaders have developed robust strategies. Cloud security champions, mostly large organizations with large IT teams (many in the high-tech sector), are distinguished by their robust cloud security strategies and the various technology solutions they incorporate into these strategies. They are at least twice as likely than other organizations to include a variety of cloud security solutions and much more likely to deploy specialized cloud security capabilities, such as application programming interface (API) security, container security, static analysis, dynamic application security testing, infrastructure as code, and software composition analysis.

As the cloud has grown, the threat actors have noticed, and these organizations understand that they are under attack. This survey shows that while cloud adoption is brisk and many have plans to deploy cloud security technology, the industry has a lot of work ahead to mitigate many of these threats.