While there is growing recognition of the importance of DevOps security, expertise and talent shortages are hindering progress.
This is one of the key findings of the Cloud Security Alliance’s Cloud Native Application Protection Platform (CNAPP) Survey Report, which reveals insights into the industry’s adoption of and challenges faced in implementing CNAPPs.
CNAPPs have emerged as a critical category of security tooling in recent years, due to the complexity of comprehensively securing multi-cloud environments and consolidating the capabilities of the many security tools organisations currently deploy.
These include cloud security posture management (CSPM), cloud workload protection (CWP), cloud infrastructure entitlement management (CIEM), network security, as well as secure DevOps, says the Cloud Security Alliance.
Commissioned by Microsoft, the survey revealed that a majority of organisations (75%) have either implemented or plan to implement CNAPPs in their cloud environments.
The alliance says this high adoption rate can be attributed to the prevalence of multi-cloud strategies, with 84% of organisations utilising two or more cloud environments.
However, it notes that existing security tools often fall short in adequately supporting the complexities of such multi-cloud setups, leading organisations to seek alternative solutions, like CNAPPs.
The survey reveals that commonly deployed security tools – such as CSPM, CWP and CIEM – were integrated across multiple cloud environments at only 30% or fewer of organisations.
Among the capabilities offered by CNAPPs, CSPM emerged as a key draw (25%) due to its importance in addressing security posture visibility, which was identified as a top priority (42%) for organisations.
According to the report, the incorporation of robust security measures within DevOps is still in its early stages, with significant obstacles hindering full integration.
DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.
The study shows 51% of organisations are integrating security into their DevOps practices, with only 35% reporting complete integration.
The primary challenges include lack of security expertise, insufficient automation, an excessive number of false positives and lack of actionable feedback.
“To ensure the success of their integration efforts, organisations must invest in security training for their DevOps teams, hire security specialists and foster a security-focused culture within the organisation,” says the Cloud Security Alliance.
The other main challenges are around technology, it notes. The lack of automation is the top technology-related challenge, noted by 43% of respondents.
“The absence of automated processes can make it difficult for organisations to manage and scale their DevOps practices efficiently. False positives emerged as another significant issue, with 42% of organisations grappling with this problem. High false-positive rates can lead to fatigue and reduced effectiveness of an already struggling security team,” the Cloud Security Alliance adds.
Finally, 42% of organisations reported a lack of actionable feedback, which hampers effective response to security incidents.
“These challenges mirror those faced with security posture management, with education and training, as well as the quality of tooling, emerging as significant factors for successful security integration. Organisations must pay close attention to these aspects to ensure the successful integration of security into DevOps, thereby safeguarding their operations more effectively,” the alliance says.
Trust no one
Of all the categories, network security was the most mature, with a noteworthy 43% of respondents reporting full integration in a multi-cloud environment, compared to just 28% for CSPM.
The organisation points out that the rise in the popularity of zero-trust strategies may be a key driver behind this level of maturity.
However, it adds, organisations are still facing key challenges in network security, particularly concerning threat detection and the management of a large volume of security alerts.
It believes the sheer number of threats is potentially linked to the complexity of the organisations’ environments and the high volume of network traffic. This situation can make it difficult to identify and track potential security threats effectively, it explains.
“In the face of these challenges, a risk-based approach will help organisations prioritise more critical assets and vulnerabilities. This method ensures high-priority risks are addressed first, enhancing the overall security posture of the organisation.
“Moreover, leveraging security tooling that supports a multi-cloud environment and provides intelligent threat protection is highly recommended. Tools such as CNAPPs can help to automate, streamline and optimise network security processes, aiding in the swift identification and mitigation of threats.”
Additionally, the alliance says reducing the number of security alerts is important for network security management.
“One potential approach is to invest in intelligent security tools that can effectively differentiate between true threats and false positives. This approach can significantly decrease the volume of alerts, preventing security team fatigue and allowing them to focus on genuine threats.
“Despite network security being the most mature area in multi-cloud environment coverage, organisations still face significant challenges, particularly around threat detection and management of security alerts.
“By adopting a risk-based approach and leveraging advanced security tools, organisations can enhance their network security in the multi-cloud environment, effectively safeguarding their assets,” it concludes.