BlackHat EU byline: The State of Cloud Security in 2022


By Drew Wright

Cloud computing has created the biggest shift in the IT industry during the last 20 years. With cloud technology, companies can build, deploy, and scale their applications faster than ever. But as cloud computing becomes more widespread, new security challenges have emerged — attackers have access to a bigger attack surface than they did even a few years ago.

Snyk recently conducted research to assess the impact cloud security has on organizations and the challenges teams face in trying to secure cloud infrastructure while still deploying at scale. The research findings are summarized in the 2022 Snyk State of Cloud Security Report. The report is based on a survey by Propeller Insights, polling more than 400 cloud engineering and security practitioners and leaders across various organization types and industries. It examines how engineers and security professionals secure cloud applications and infrastructure while still deploying quickly.

Cloud security events are widespread

Statistics from the report reveal the following insights:

  • 80% of organizations have experienced at least one severe cloud security incident in the past year (such as data breaches, data leaks, and intrusions into their environment).
  • 41% of respondents say cloud native services increase complexity, further complicating their security efforts.
  • Nearly half (49%) of organizations find deployment is faster as a result of improved cloud security.

Security work must be clearly defined

Of survey respondents, 42% of cloud engineers say that their team is responsible for cloud security, but only 19% of security professionals believe that to be the case. Securing cloud resources requires coordinated effort across teams. Having security responsibilities well-understood and well-defined helps companies work effectively to keep their cloud environments safe from attacks.

Training teams on security, learning infrastructure as code

77% of organizations surveyed feel that many of today's cloud security failures result from a lack of effective cross-team collaboration and training. When different teams use different tools or frameworks, ensuring consistent output and policy enforcement is challenging. Insufficient tooling that produces false positives can lead to alert fatigue on security teams, contributing to human error when critical issues need fixing.

Survey data also shows that 55% of organizations are leveraging infrastructure as code (IaC) for better security pre-deployment. Not only does infrastructure as code help teams operate more efficiently and consistently at scale; it helps teams shift left on cloud security even before applications are deployed. Poll data shows that using IaC reduces cloud misconfiguration issues by 70%.


Looking toward the future

Developers and engineers working with cloud infrastructure are constantly building, iterating, and deploying. They rewrite code and make configuration changes often. But many changes that occur during the software development lifecycle can open up a project to the risk of attack. Knowing the risks of cloud infrastructure, and empowering teams with tools and policies to protect them from those risks, delivers measurable results. A developer-first approach to cloud security helps organizations innovate faster and more securely, with benefits that extend far beyond just fixing vulnerabilities.
