
CLOUD SECURITY

2016 SPOTLIGHT REPORT


PRESENTED BY

Group Partner

Information
Security
TABLE OF CONTENTS
Overview
Key survey findings

CLOUD ADOPTION TRENDS

Cloud benefits
Cloud investments
Cloud adoption stages
Barriers to cloud adoption
Top cloud service delivery & providers
Most popular cloud workloads
Data stored in the cloud
Applications deployed in the cloud
Most popular cloud apps

CLOUD SECURITY CHALLENGES

Cloud security concerns
Cloud security incidents
Security risks in the cloud vs. on-premise
Cloud apps vs. on-premise apps
Biggest security threats in public clouds
Cloud security concerns
Biggest cloud security headaches
Personal cloud storage policy

CLOUD SECURITY SOLUTIONS

Paths to stronger security
Cloud confidence builders
Traditional security tools in the cloud
Most effective cloud security technologies
Most popular cloud security controls
Drivers of cloud-based security solutions
Barriers to cloud-based security solutions
Cloud application security
Access to cloud applications
Security impact on DevOps

Methodology & Demographics
Sponsors
Contact us

OVERVIEW

Cloud investment continues to grow over 20% annually as organizations are looking to reduce IT cost, increase agility and better support business functions.

Security of critical data and systems in the cloud remains a key barrier to adoption of cloud services. This report, the result of comprehensive research in partnership with the 300,000+ member Information Security Community on LinkedIn, reveals the drivers and risk factors of migrating to the cloud. Learn how organizations are responding to the security threats in the cloud and what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.

In this new report, you will learn how your peers are approaching cybersecurity in the era of cloud, including the latest trends and benchmarks to gauge how your own organization stacks up.

Many thanks to our sponsors for supporting this research project: AlienVault, Bitglass, Cato Networks, CloudPassage, Dell Software, Dome9, FireLayers, IMMUNIO, (ISC)2 and Randtronics.

We hope you will enjoy this report.

Holger Schulze
Group Founder
Information Security Community on LinkedIn
hhschulze@gmail.com

SHARE THE CLOUD SECURITY SPOTLIGHT REPORT 3


KEY SURVEY FINDINGS

1. Security concerns top the list of barriers to cloud adoption, led by general security concerns (53%, up from 45% in last year's survey), legal and regulatory compliance concerns (42%, up from 29%), and data loss and leakage risks (40%). The rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.

2. 53% of organizations see unauthorized access through misuse of employee credentials and improper access controls as the single biggest threat to cloud security. This is followed by hijacking of accounts (44%), and insecure interfaces / APIs (39%). One in three organizations say external sharing of sensitive information is the biggest security threat.

3. Verifying security policies (51%), visibility into infrastructure security (49%) and compliance (37%) were named as the top three cloud security challenges that cause the biggest headaches for IT security professionals.

4. Organizations moving to the cloud have a variety of choices available to strengthen cloud security. 61% of organizations plan to train and certify existing IT staff, 45% partner with a managed security services provider, and 42% deploy additional security software to protect data and applications in the cloud.

5. Encryption of data at rest (65%) and in motion on networks (57%) top the list of most effective security technologies to protect data in the cloud. This is followed by intrusion detection and prevention (IDP) with 48% and access control technologies such as Cloud Access Security Brokers (CASB) with 45%.



CLOUD ADOPTION TRENDS
CLOUD BENEFITS

After a few years of operating workloads in the cloud, organizations are confirming the benefits match the original
promise of cloud computing. Availability (46%), cost reduction (41%) and flexible scalability (36%) top the list.
Cloud is still falling short of expectations in the areas of regulatory compliance (13%) and the promise of reduced
complexity (14%).

Cloud Benefits: Availability 46% | Cost Reduction 41% | Flexible Scalability 36% | Reduced Complexity 14% | Regulatory Compliance 13%

Moved expenses from fixed CAPEX (purchase) to variable OPEX (rental/subscription) 32% | Accelerated deployment and provisioning 31% |
Increased agility 28% | Improved performance 27% | Increased efficiency 26% | Increased geographic reach 24% | Increased employee productivity 23% |
Improved security 19% | Accelerated time to market 18% | Align cost model with usage 18% | Not Sure/Other 25%

Q: What benefits have you realized from your cloud deployment?



CLOUD INVESTMENTS

For over a third of organizations (38%), cloud investments represent up to 15% of overall IT infrastructure
investment. Half of all organizations have over 15% of their IT invested in the cloud.

Chart: Share of cloud relative to overall IT investment (ranges: 0%, 1-15%, 16-25%, 26-50%, 51-75%, +75%)
38% invest up to 15% of IT infrastructure in cloud | 50% of organizations invest more than 15% of all IT in cloud

Q: Cloud infrastructure investments represent what percentage of your overall infrastructure footprint (in terms of servers/workloads/instances)?



CLOUD ADOPTION STAGES

79% of respondents are either in planning or trial stages, currently implementing or in active production cloud
environments.

Private Cloud 30% | Public Cloud 25% | Hybrid Cloud 24% | No Plans 21%

Chart: adoption stage (Deployed, Implementing, Trial, Planning) for each cloud model

Cloud computing can be classified by location and ownership of the cloud infrastructure:

Private Cloud - Cloud infrastructure and services are dedicated to a particular organization. Private clouds can reside on premise or be hosted by a third party.

Public Cloud - Cloud services and infrastructure are hosted by a third-party cloud provider and resources are shared among multiple cloud tenants / clients.

Hybrid Cloud - Cloud computing environment in which single applications are split across private and public cloud, often to dynamically accommodate spikes in server demand.

Q: What cloud service delivery model(s) is your organization using?



BARRIERS TO CLOUD ADOPTION

Cloud security concerns not only top the list of perceived barriers to cloud adoption, they are further increasing.
General security concerns (with 53% up from 45% in last year's survey), legal and regulatory compliance concerns
(42% up from 29%), data loss & leakage risks (40% slightly down from 41%), integration with existing IT environments
(35% up from 29%) and lack of expertise (26% up from 16%) top the list of barriers to cloud adoption. However, it
is important to put this in context as the number of reported breaches in enterprise environments far exceeds the
reported exposure from cloud platforms.

Cloud Adoption Barriers

#1 General security risks 53% (up 8 p.p. from last year)
#2 Legal & regulatory compliance 42% (up 13 p.p. from last year)
#3 Data loss & leakage risks 40% (down 1 p.p. from last year)
#4 Integration with existing IT environments 35% (up 6 p.p. from last year)
#5 Lack of expertise 26% (up 10 p.p. from last year)

Loss of control 23% | Management complexity 20% | Increased agility 28% | Fear of vendor lock-in 18% | Internal resistance and inertia 18% |
Lack of staff resources 17% | Lack of transparency and visibility 15% | Lack of maturity of cloud service models 14% | Cost/Lack of ROI 13% | Lack of budget 13% |
Performance of apps in the cloud 12% | Lack of management buy-in 10% | Lack of customizability 9% | None 9% | Dissatisfaction with cloud service offerings/
performance/pricing 7% | Billing & tracking issues 7% | Lack of support by cloud provider 6% | Availability 5% | Not sure/Other 10%

Q: What are the biggest barriers holding back cloud adoption in your organization?



TOP CLOUD SERVICE DELIVERY & PROVIDERS

The dominance of both cloud applications and cloud infrastructure requires that we think about securing these different entities as part of a holistic vision for securing application and infrastructure (both on premise and in the cloud). A majority of organizations (61%) uses SaaS models, followed by IaaS (53%) and PaaS (39%) as their cloud service delivery model.

Amazon AWS is the big fish in the cloud services pond, used by 45% of respondents. Microsoft Azure follows with 39%.

Cloud service delivery models: SaaS 61% | IaaS 53% | PaaS 39% (chart also shows BPaaS, None and Not sure/Other)

Public cloud providers: Amazon AWS 45% | Microsoft Azure 39% | CenturyLink Savvis 4% | HP 4% | Verizon Terremark 4% | AT&T 4% | CSC 1% | GoGrid 1% | Joyent 1% | Not sure/Other 32% (chart also shows VMware, Rackspace and IBM Softlayer / IBM)

Q: What cloud service delivery model(s) is your organization using? Q: What public cloud provider(s) do you currently use?



MOST POPULAR CLOUD WORKLOADS

Storage (52% up from 38% in last year's survey), computing (51% up from 32%) and virtualization (44% up from 33%) top
the list of most deployed workloads in the cloud.

Popular cloud workloads: Storage 52% | Computing 51% | Virtualization 44% | Business applications 41%

Productivity Applications (email, collaboration, instant messaging) 37% | Networking (virtual private cloud, DNS, etc) 35% |
Database (relational, NoSQL, caching, etc.) 33% | Operating System 30% | IT Operations Applications (administration, backup, provisioning, monitoring, etc.) 25% |
Developer / Testing Applications 25% | Security (Identity management, access control, data protection, usage & resource monitoring, anti-virus, etc.) 25% |
Middleware 17% | Desktop virtualization 15% | Runtime 9% | Not sure/Other 17%

Q: What services & workloads is your organization deploying in the cloud?



DATA STORED IN THE CLOUD

Email is the most common corporate information stored in the cloud (44%), followed by customer data such as
names and contact information (31%), sales and marketing data (31%), and employee and payroll data (30%). Fewer
organizations store intellectual property information (18%) or employee healthcare data (12%) in the cloud.

Email 44% | Customer data 32% | Sales & marketing data 31% | Employee data 30% | Contracts, invoices, orders 26% | Financial corporate data 19% | Intellectual property 18%

DevOps / development data 16% | Health information 12% | None 11% | Not sure/Other 24%

Q: What types of corporate information do you store in the cloud?



APPLICATIONS DEPLOYED IN THE CLOUD

The use of cloud applications is increasing as the number of organizations with 50% or more of applications deployed
in the cloud (18%) has more than doubled since last year's survey. It is apparent that the move toward cloud computing is
inevitable. Organizations have no real competitive advantage by owning core IT infrastructure any more than owning
power generation or water supply.

Chart: Share of Applications Deployed in the Cloud (ranges: 0%, 1-25%, 26-50%, 51-75%, 76-100%)

Q: What percentage of applications used by your organization are in the cloud?



MOST POPULAR CLOUD APPS

Web-based applications and websites (47%), collaboration and communication tools (38%) and productivity tools (33%) are the most popular types of business applications deployed in the cloud.

Web apps 46% | Collaboration & communication apps 38% | Productivity 33% | IT Operations 27% | Custom business applications 27%

Application development / testing 26% | Sales & Marketing 25% | HR 25% | Business intelligence / analytics 24% |
Disaster recovery / storage / archiving 24% | Content management 22% | Finance & accounting 19% |
Supply chain management 11% | Not sure/Other 20%

Q: What types of business applications is your organization deploying in the cloud?

MOST POPULAR CLOUD APPS

Microsoft Office 365 is leading the way in existing cloud app deployments (41%) as well as planned future deployments (20%). Salesforce follows second and is already deployed in 27% of organizations and planned for future deployment in 7% of organizations. The migration to Office 365 is one of the biggest changes to enterprise IT in recent years. It represents yet another step in the migration of enterprises to a utility-based model for IT services delivery that started with Salesforce.com many years ago.

Microsoft Office 365: currently deployed 41% | future deployment 20%
Salesforce: currently deployed 27% | future deployment 7%
Exchange: currently deployed 24% | future deployment 11%
Google Apps: currently deployed 20% | future deployment 6%
Dropbox: currently deployed 17% | future deployment 5%
Service Now: currently deployed 15% | future deployment 5%
Box: currently deployed 14% | future deployment 4%
Workday: currently deployed 9% | future deployment 4%
None: currently deployed 8% | future deployment 5%
SuccessFactors: currently deployed 7% | future deployment 3%
Not sure: currently deployed 6% | future deployment 10%

Q: Which of the following cloud applications are deployed or will be deployed in your organization?



CLOUD SECURITY CHALLENGES



CLOUD SECURITY CONCERNS

Cloud security concerns are on the rise. An overwhelming majority of 91% of organizations are very or moderately
concerned about public cloud security. Today, perceived security risks are the single biggest factor holding back
faster adoption of cloud computing. And yet, adoption of cloud computing is on the rise. The overwhelming benefits
of cloud computing should drive organizations and security teams to find a way to get cloud done. This is a prime
example of where security can have a profound impact on enabling business transformation.

91% of organizations have security concerns: Very concerned 44% | Moderately concerned 47% | Not at all concerned 5% | Not sure 4%

Q: Please rate your level of overall security concern related to adopting public cloud computing



CLOUD SECURITY INCIDENTS

A majority of respondents say they did not experience a cloud-related security incident. 36% can't disclose or aren't
sure about security incidents, indicating a lack of visibility into cloud security.

Yes 9% | Can't disclose 15% | Not sure 21% | No 55%

Q: Did your organization experience a cloud-related security incident in the last 12 months?



SECURITY RISKS IN THE CLOUD VS ON-PREMISE

We continue to see evidence that the perception of cloud security is slowly improving relative to traditional enterprise IT
environments. The share of organizations that see a higher risk of security breaches in the cloud compared to traditional
IT environments is shrinking to 21% compared to last year's 28%.

Lower risk of security breaches compared to on-premise 22% (Significantly lower 7%, Somewhat lower 15%; unchanged from last year) |
About the same 27% |
Higher risk of security breaches compared to on-premise 21% (Significantly higher 5%, Somewhat higher 16%; down 7 p.p. from last year) |
Not sure 30%

Q: Compared to your traditional IT environment, would you say the number of security breaches you experienced in a public cloud is?



CLOUD APPS VS ON-PREMISE APPS

Perceptions of SaaS security are slowly improving, thanks to continued investments in security controls and
customer education. For the first time since we asked this survey question, a majority of over 52% believe that cloud
apps are as secure or more secure than on-premises applications, up from only 40% in last year's survey. The math
is simple: Large cloud providers can outspend any enterprise in securing their infrastructure and apply expertise and
manpower that is better utilized in protecting a shared infrastructure. The results are superior in terms of availability,
performance and security of cloud environments.

52% believe that cloud apps are as secure or more secure than on-premises applications

Chart: SaaS Security (categories: Public cloud apps are more secure than internal apps, Public cloud apps are about as secure as internal apps, Public cloud apps are less secure than internal apps, Not sure)

Q: Do you believe public cloud apps/SaaS like Salesforce and Office 365 are more or less secure than your internally hosted applications?



BIGGEST SECURITY THREATS IN PUBLIC CLOUDS

Unauthorized access through misuse of employee credentials and improper access controls is the single biggest
threat (53%) to cloud security. This is followed by hijacking of accounts (44%) and insecure interfaces / APIs (39%).
33% of organizations say external sharing of sensitive information is the biggest security threat. Identity management
and access control is an emerging and increasing threat concern for enterprises scaling and on-boarding to the
cloud. The good news is that all these risks can be addressed by using security controls including multi-factor
authentication, Identity and Access Management (IAM), Cloud Access Security Brokers (CASB), IP range restrictions
and access auditing.

#1 Unauthorized access 53% | #2 Hijacking of accounts 44% | #3 Insecure interfaces/APIs 39% | #4 External sharing of data 33%

Posting of confidential proprietary data by employees 33% | Malicious insiders 32% | Denial of service attacks 31% |
Foreign state sponsored cyber attacks 30% | Malware injection 25% | Abuse of cloud services 24% | Shared memory attacks 18% |
Lateral movement of threats (east-west traffic) 16% | Theft of service 15% | Lost mobile devices 12% | Natural disasters 5% | Not sure/Other 9% |

Q: What do you consider the biggest security threats in public clouds?



CLOUD SECURITY CONCERNS

Data loss, leakage and privacy continue to top the list of cloud related security concerns, virtually unchanged from last
year's survey findings. Concerns about legal and regulatory compliance have seen the biggest gain, moving from the
number 7 spot (24%) to number 4 (39%) on the list, in line with the observed rise of compliance concerns as a key barrier
to cloud adoption.

Data loss/leakage 49% | Data privacy 46% | Confidentiality 42% | Legal and regulatory compliance 39%

Data sovereignty/control 34% | Accidental exposure of credentials 26% | Lack of forensic data 26% | Incident & problem management 25% |
Visibility & transparency 19% | Availability of services, systems and data 17% | Liability 17% | Disaster recovery 13% | Performance 13% |
Business continuity 13% | Fraud (e.g. account hijacking) 12% | Not sure/Other 5% | None 1%

Q: What are your biggest cloud security concerns?



BIGGEST CLOUD SECURITY HEADACHES

Verifying security policies (51%), visibility into infrastructure security (49%) and compliance (37%) were named as the top
three cloud security challenges that cause the biggest headaches for IT security professionals. Because the cloud is a
new environment that is often incompatible with existing security technologies, there is a need for a new holistic security
model to cover both on-premise and cloud environments. The holy grail is a unified security policy that can be applied
across the infrastructure regardless of the underlying assets.

Verifying security policies 51% | Visibility to infrastructure security 49% | Compliance 37%

No automatic discovery / visibility / control to infrastructure security 32% | Reporting security threats and solutions 31% | Remediating threats 29% |
Security can't keep up with pace of changes to new / existing applications 27% | Can't identify misconfigurations quickly 26% |
Complex cloud to cloud / cloud to on prem security rule matching 21% | Unknown / hidden open IP port 20% |
Automatically enforcing of security across multiple datacenters 18% | IaaS / PaaS security rules limit / cap 15% |
Lack of integration with on-premise security technologies 12% | Too much time and resource management overhead 11% |
Lack of feature parity with on-premise security solution 9% | No flexibility 7% | Native to cloud application or cloud infrastructure 5% | None 4% |
Not sure/Other 15%

Q: What are your biggest cloud security headaches?



PERSONAL CLOUD STORAGE POLICY

Employee access to private cloud storage is one of the biggest risk factors regarding data leakage and theft - and
organizations are responding accordingly. 42% of organizations do not allow employees to access private cloud storage
services from the company's network; 36% do allow access. This is a notable reversal of last year's survey findings
where only 36% of organizations did not allow access to cloud storage services. Identifying the use of unauthorized cloud
services (Shadow IT) remains a major visibility challenge.

Yes 36% | No 42% | We don't have a policy 13% | Not sure 9%

42% of organizations do not allow employees to access private cloud storage services from the corporate network.

Q: Are employees allowed to access personal cloud storage services (those registered to a personal email address) from the company's network?



CLOUD SECURITY SOLUTIONS



PATHS TO STRONGER SECURITY

Organizations moving to the cloud are faced with new security challenges that cannot be addressed with traditional
security approaches. Secure clouds cannot exist without the right cloud security expertise. 61% of organizations
plan to train and certify existing IT staff in cloud security to ensure the proper cloud security controls are being
implemented both internally and with third party cloud service providers. Organizations realize that their IT
teams need to stay current on evolving cloud technologies, threats and mitigation strategies. In addition, 45% of
organizations plan to partner with a managed security services provider and 42% deploy additional security software
to protect data and applications in the cloud.

Train and certify existing IT staff 61% |
Partner with a managed services provider who will provide the resources 45% |
Use security software from independent software vendor(s) 42% |
Add security staff dedicated to cloud security issues 23% |
Hire Professionals 23% |
Look at different security-as-a-service providers to outsource 24x7 monitoring 17% |
Not sure/Other 19%

Q: When moving to the cloud, how do you plan to handle your security needs?



CLOUD CONFIDENCE BUILDERS

Setting and enforcing security policies across cloud environments is by far the most requested capability to increase
confidence in public clouds.

Setting and enforcing security policies across clouds 56% |
Ability to create data boundaries 39% |
APIs for reporting, auditing and alerting on security events 38% |
Effective mapping of security controls for internally-hosted applications to the cloud infrastructure 37% |
Isolation/protection of virtual machines 34% |
Ability to compare security levels across cloud providers 33%

Improved Security compared to self-managed deployment 30% | Organization certification 29% | High-integrity infrastructure 27% |
Regulatory oversight 25% | Protecting workloads 15% | Not sure/Other 13%

Q: Which of the following would most increase your confidence in adopting public clouds?



TRADITIONAL SECURITY TOOLS IN THE CLOUD

Most traditional security tools have not been designed for cloud environments and the unique challenges cloud
adoption presents. The survey results confirm that traditional tools work somewhat or not at all for over half of
cybersecurity professionals (59%). Only 14% feel that traditional security tools are sufficient to manage security across
the cloud. The gap, say those surveyed, is primarily in both verifying security policies and visibility into infrastructure
security. This is a great example of the dissolving perimeter. Together with mobility, the need to secure access from
anywhere (mobile users, branch locations) to anywhere (physical datacenter, cloud datacenter and public cloud apps)
breaks the traditional network topology and perimeter defense. The resulting proliferation in point security solutions
is putting additional pressure on short-handed security teams, as experienced security staff is still scarce.

They work just fine 14% | Somewhat (but not a complete solution) 48% | Not at all 11% | Not sure 25% | Other 2%

59%: traditional tools work somewhat or not at all

Q: How well do your traditional network security tools / appliances work in public cloud environments?



MOST EFFECTIVE CLOUD SECURITY TECHNOLOGIES

Virtually unchanged from last year's cloud security survey, encryption of data at rest (65%) and in motion on networks
(57%) top the list of most effective security controls to protect data in the cloud. This is followed by intrusion detection
and prevention (IDP) with 48% and access control technologies such as Cloud Access Security Brokers (CASB) and
Identity and Access Management (IAM) with 45%.

Data encryption 65% | Network encryption 57% | Intrusion detection & prevention 48%

Trained cloud security professionals 45% | Access control (e.g. CASB / Cloud Access Security Brokers) 45% | Log management and analytics 43% |
Firewalls / NAC 40% | Data leakage prevention 40% | Endpoint security controls 40% | Patch management 38% | Network monitoring 37% |
Single sign-on / user authentication 35% | Anti-virus / Anti-malware 35% | Employee usage monitoring 29% | Mobile device management (MDM) 25% |
Database scanning and monitoring 24% | Content filtering 24% | Security Information and Event Management (SIEM) 22% | Cyber forensics 21% |
Not sure/Other 12%

Q: What security technologies and controls are most effective to protect data in the cloud?



MOST POPULAR CLOUD SECURITY CONTROLS

The most prevalent cloud security controls include multi-factor authentication in nearly half of organizations. One in four
organizations deploy additional security mechanisms.

We use multi-factor authentication for access control 45% |
We use encryption or tokenization to protect data in the cloud 43% |
Intrusion detection & prevention 41% |
We use security services offered by the cloud provider 40%

Organizations deploy additional security mechanisms

We deploy additional security services offered by third party vendors 25% | We don't protect data in the cloud 5% | Not sure/Other 21%

Q: How do you protect data in the cloud?



DRIVERS OF CLOUD-BASED SECURITY SOLUTIONS

Faster time to deployment (47%), reduced software maintenance efforts (40%) and direct web access from any location (35%) are the dominant drivers for cloud-based security solutions.

Placing security in the cloud provides significant ROI benefits for businesses. It breaks the traditional appliance model of security: Instead of physical constraints, patch and upgrade cycles, and need for local IT support, the cloud enables a security model that is up to date, always patched, elastic and scalable, and available everywhere.

#1 Faster time to deployment 48%
#2 Reduced effort around patches and upgrades of software 41%
#3 Need for direct secure Internet access from any location 35%
#4 Automation helps reduce manual effort 31%
#5 Easier policy management 28%
#6 Better performance 27%
#7 Appliance footprint reduction in branch offices 25%
#8 Protection focused on the workload/instance 20%
#9 Native to cloud application or cloud infrastructure 9%
Not sure/Other 20%

Q: What are the main drivers for considering Cloud-based Security Solutions?



BARRIERS TO CLOUD-BASED SECURITY SOLUTIONS

On the flipside, data privacy (56%), compliance (43%) and platform integrity (39%) are the main barriers to cloud-based
security solutions.

These concerns apply to cloud in general. Using regional cloud instances to comply with data localization requirements,
minimizing personal data storage, and demonstrating tight security controls around the platform should make cloud-
based security the default security delivery model. This way, cloud computing can offer a compelling alternative to on-
premise security in the face of emerging threats, shrinking budgets and scarce expertise.

Barriers to cloud-based security solutions: #1 Data Privacy 56% | #2 Regulatory compliance requirements 43% | #3 Integrity of Cloud security platform 39%

Solution maturity 39% | Need to keep data within specific geographical area 31% | Need to provide Keys for SSL decryption in the Cloud 23% |
Scalability and performance 17% | Lack of integration with on-premise security technologies 15% | Lack of feature parity with on-premise security solution 11% |
Not sure/Other 15%

Q: What are the main inhibitors of using Cloud-based Security Solutions?



CLOUD APPLICATION SECURITY

A majority of organizations are taking proactive measures to protect their business applications. We dug deeper to find
out how companies were protecting their applications. The most popular application security measures are penetration
testing (59%) followed by web application firewalls (54%) and developer education (47%).

Penetration testing 59% | Web application firewalls 54% | Developer education 47% | Static/Dynamic testing 44% | Security monitoring 38% | Bug Bounty programs 7% | None 6% | Not sure/Other 17%

Q: What Application Security measures are you taking in order to protect your business applications?



ACCESS TO CLOUD APPLICATIONS

The vast majority of organizations surveyed (55%) use Active Directory on premise as the authoritative directory to
identify, authenticate and authorize access to cloud applications. Consequently, access to cloud based applications for a
majority of organizations depends heavily on proper security controls around on-premise Active Directory infrastructure.
The cloud enablement of Active Directory is a key enabler for moving to cloud-based security infrastructure.

55% of organizations use Active Directory on premise

On premise Active Directory (synchronization) 28% |
On premise Active Directory (federation) 27% |
On premise LDAP Directory (Non Microsoft) 8% |
Cloud based Directory only, AzureAD 7% |
Cloud based Directory only, Amazon Simple AD 4% |
None 3% |
Not sure/Other 23%

Q: What is the authoritative directory you use for identity data and authentication, and authorization of access for your cloud based applications?



SECURITY IMPACT ON DEVOPS

46% of respondents state that security slows down continuous development methods like DevOps; another 15 percent
noted that security is ignored completely in their DevOps process.

59% of respondents indicated that agility and accelerated deployments are among the cloud adoption benefits, yet
security slows down DevOps. Utilization of built-for-the-cloud security products provides security governance directly
integrated into the DevOps process and is key to fully realizing the benefits of the cloud.

No - security is fully integrated with DevOps 31% | Yes - security slows down DevOps 46% | No - security is completely ignored in DevOps 15% | Other 8%

Q: Does security slow down continuous development methods like DevOps at your organization?



METHODOLOGY & DEMOGRAPHICS

The Cloud Security Spotlight Report is based on the results of a comprehensive survey of 2,200 professionals across a broad
cross-section of organizations about their adoption of cloud computing and security related concerns and practices.

The 2,200 respondents range from technical executives to managers and practitioners, and they represent organizations of
varying sizes across many industries. Their answers provide a comprehensive perspective on the state of cloud security today.

CAREER LEVEL

25%  Specialist
19%  Manager / Supervisor
17%  Consultant
14%  Director
7%   Owner / CEO / President
6%   CTO, CIO, CISO, CMO, CFO, COO
4%   Vice President
8%   Other

DEPARTMENT
52% 20% 9% 6% 4% 3% 2% 2% 2%

IT Security, IT Operations, Engineering, Operations, Compliance, Sales, Product Management, Marketing, Finance, Legal, HR,
Other

COMPANY SIZE

11%  Fewer than 10
13%  10-99
19%  100-999
16%  1,000-4,000
9%   5,000-10,000
32%  Over 10,000

INDUSTRY
20% 18% 12% 8% 8% 6% 5% 5% 3% 3% 3% 2% 2% 5%

Technology, Software & Internet; Government; Financial Services; Professional Services; Healthcare, Pharmaceuticals, & Biotech;
Education & Research; Computers & Electronics; Telecommunications; Manufacturing; Energy & Utilities; Retail; Non-Profit; Other



SPONSORS

AlienVault | www.alienvault.com
AlienVault has simplified the way organizations detect and respond to today's ever-evolving threat landscape. Our
unique and award-winning approach, trusted by thousands of customers, combines the essential security controls
of our all-in-one platform, AlienVault Unified Security Management, with the power of AlienVault's Open Threat
Exchange, the world's largest crowd-sourced threat intelligence community, making effective and affordable
threat detection attainable for resource-constrained IT teams.

If your organization has adopted cloud infrastructure or services, you have a significant amount of valuable data
in the cloud, all of which needs to be secured. AlienVault Unified Security Management (USM) simplifies cloud
security management with a platform of essential tools to achieve complete security visibility and accelerate
compliance reporting.

Bitglass | www.bitglass.com
The Bitglass Cloud Access Security Broker (CASB) solution provides end-to-end data protection from the cloud
to the device. It deploys in minutes and works with any cloud app on any device.

Bitglass enables enterprises to understand and control usage of cloud apps like Office 365 and Salesforce, and
internal apps like Exchange and Sharepoint. Cloud data at rest is protected with encryption and suspicious activity
detection. IT security teams can enforce consistent access, sharing, and data leakage prevention policies across
multiple cloud services, and protect mobile devices - without MDM.

Cato Networks | www.catonetworks.com


Cato Networks provides businesses with a simple, affordable and enterprise-grade secure network, at the fraction
of the cost of legacy, appliance-based solutions. The Cato Cloud reestablishes the network perimeter in the Cloud,
connecting all datacenters, remote locations, cloud infrastructure and the mobile workforce. Cato protects all
WAN and Internet traffic with a set of network security services, built directly into the cloud network. Cato was
founded by cybersecurity luminary Shlomo Kramer, co-founder of Check Point Software and Imperva, and Gur
Shatz, co-founder of Incapsula.


CloudPassage | www.cloudpassage.com
CloudPassage Halo is the world's leading agile security platform that provides instant visibility and continuous
protection for servers in any combination of data centers, private clouds and public clouds. The Halo platform is
delivered as a service, so it deploys in minutes and scales on-demand. Halo uses minimal system resources, so
layered security can be deployed where it counts, right at every workload: servers, instances and containers.
Leading enterprises like Citrix, Salesforce.com and Adobe use CloudPassage today to enhance their security and
compliance posture, while at the same time enabling business agility.

Dell Software | software.dell.com


Dell Software empowers organizations of all sizes to experience Dell's power to do more by delivering scalable
yet simple-to-use solutions that can increase productivity, responsiveness and efficiency. Dell Software is uniquely
positioned to address today's most pressing business and IT challenges with holistic, connected software offerings
across five core solution areas, encompassing data center and cloud management, information management,
mobile workforce management, security and data protection. This software, when combined with Dell hardware
and services, helps customers simplify IT, mitigate risk and accelerate business results.

Dome 9 | dome9.com
Dome9 Security provides enterprise identity access management (IAM) protection, network security, and
compliance for public clouds like Amazon Web Services (AWS). More than 200 enterprise customers trust Dome9
to protect their clouds running on AWS, Windows Azure, Google Cloud, IBM/Softlayer and many others.


IMMUNIO | www.immunio.com
IMMUNIO is a pioneer in realtime application self-protection (RASP), providing automatic detection and protection
against web application security vulnerabilities. IMMUNIO augments applications with the necessary protection
services and hardens applications against common attacks targeting typical security weaknesses. The company's
mission is to make truly effective real-time web protection technology easily available and widely deployed, and by
doing so, stop the biggest source of breached data records.

(ISC)2 | www.isc2.org/ccsp
(ISC)2 is the largest not-for-profit membership body of certified cyber, information, software and infrastructure
security professionals worldwide, with over 110,000 members. (ISC)2's flagship certification is the CISSP. In 2015,
(ISC)2 and the Cloud Security Alliance partnered to launch the Certified Cloud Security Professional (CCSP)
credential for security professionals whose day-to-day responsibilities involve procuring, securing and managing
cloud environments or purchased cloud services. (ISC)2 offers education programs and services based on its CBK.

Randtronics | www.randtronics.com
Randtronics Data Privacy Manager (DPM) protects structured and unstructured data on premises and in the cloud
using encryption, masking, tokenization and anonymization. DPM's offerings are some of the safest methods of
security available. Without measures like encryption, companies are only partly securing their data and exposing
themselves to growing vulnerabilities.



CONTACT US

Interested in joining the next security research report?
Contact Holger Schulze to learn more.
hhschulze@gmail.com

Produced by:

All Rights Reserved. Copyright 2016 Crowd Research Partners. This work is licensed under a Creative Commons Attribution 4.0 International License.