2020年云安全报告.docx
Companies continue to rapidly migrate workloads from datacenters to the cloud, utilizing new technologies such as serverless, containers, and machine learning to benefit from increased efficiency, better scalability, and faster deployments from cloud computing.Cloud security concerns remain high as the adoption of public cloud computing continues to surge, especially in the wake of the 2020 COVID crisis and the resulting accelerated shift to remote work environments.Key survey findings include: Security remains a key issue for cloud customers, despite continued rapid adoption of cloud computing. A majority of cybersecurity professionals (94%) confirm they are at least moderately concerned about public cloud security, a small increase from last year's survey. Among the key barriers to cloud adoption, organizations mention a lack of qualified staff (37%) as the biggest impediment to faster adoption - up from the fifth spot on last year's survey. For the fourth year in a row, training and certifying IT staff (61%) ranks as the primary tactic organizations deploy to assure their evolving security needs are met. Fifty-eight percent of respondents rely on their cloud provider's native security tools, and 34% are looking to hire more staff dedicated to cloud security. A majority of six of 10 organizations expect their cloud security budget to increase over the next 12 months. On average, organizations allocate 27% of their security budget to cloud security. When asked how organizations rate their overall security readiness, 69% rate their team5s security readiness average or below average. Only half as many say they are above average (31%).Of those, 80% believe their teams would benefit from cloud security training and/or certification. The main recurring theme in this survey is the continuing shortage of not only qualified cybersecurity staff, but also the lack of security awareness and sk川s among all employees. Cybersecurity professionals agree that 59% of employees would benefit from security training and/or certification for their jobs.This 2020 Cloud Security Report has been produced by Cybersecurity Insiders to explore how organizations are responding to the evolving security threats in the cloud and the continued shortfall of qualified security staff.Many thanks to (ISC)a for supporting this important research project. We hope you find this report informative and helpful as you continue your efforts in securing your cloud environments.Holger SchulzeCEO and Founder Cybersecurity InsidersCybersecurityINSIDERSThank you,Holger SchulzeSECURITY ADOPTIONDespite the significant advantages offered by cloud-based security solutions, barriers to adoption still exist. When it comes to business transformation and cloud adoption, three important aspects must be aligned: people, process and technology. Our survey reveals that the biggest challenge organizations are facing is not technology, but people and processes. Staff expertise and training (55%) continues to rank as the highest barrier, followed by budget challenges (46%), data privacy concerns (37%), and lack of integration with on-premises platforms (36%).> What are the main barriers to migrating to cloud-based security solutions?55%Staff expertise/training55%Staff expertise/training46%Budget37%Data privacy3o3o293Lack of integrationwith on-premisessecurity technologiesSolutionmaturityRegulatory compliance requirementsDataresidencySunk cost into on-premises tools 24% | Integrity of cloud security platform (DDoS attack, breach) 17% | Limited control over encryption keys 15% | Scalability and performance 12% | Not sure/other 10%When asked about cloud benefits, the organizations participating in this survey generally confirm that cloud is delivering on its promise of flexible capacity and scalability (51%), improved availability (46%), and increased agility (45%).> What overall benefits have you already realized from your cloud deployment?rrz51%More flexiblecapacity/scalability46%Improvedavailability andbusiness continuity45%IncreasedagilityAccelerateddeploymentand provisioningAccelerateddeploymentand provisioningMoved expensesfrom fixed CAPEX(purchase) to variableOPEX (rental/subscription)ReducedcostIncreasedgeographic reachAccelerated time to market 26% | Improved security 23% | Improved performance 23% | Reduced complexity 21% Increased employee productivity 20% | Improved regulatory compliance 13% | Not sure/other 13%CLOUD SECURITYForthe fourth year in a row, training and certifying IT staff (61%) ranks as the primary tactic organizations deploy to assure their evolving security needs are met. Fifty-eight percent of respondents rely on their cloud provider's native security tools, and 34% are looking to hire more staff dedicated to cloud security.61%于> When moving to the cloud, how do you handle your changing security needs?Train and/or certify existing IT staffUse native cloud provider security tools (eg, Azure Security Center, AWS Security Hub, Google Cloud Command Center)Hire staff dedicated to cloud securityDeploy security software fromindependent software vendorsPartner with a Managed Security Services Provider (MSSP)OtherOther5%CQQZ Budget willincreaseA majority, six out of 10 organizations expect their cloud security budget to increase over the next 12 months. On average, organizations allocate 27% of their security budget to cloud security.> How is your cloud security budget changing in the next 12 months?27%allocated to cloud security34%Budget will stay flat7%§Budget will declineWhen asked how organizations rate their overall security readiness, 69% rate their team's security readiness average or below average. Only half as many say they are above average (31%).How would you rate your team's overall security readiness?Below average Above average AverageTRAINING AND CERTIFICATIONOf those rating their overall security readiness average or below average, 80% believe their teams would benefit from cloud security training and/or certification., Do you think you or your team need cloud security training and/or certification(s) to be better equipped to operate in cloud environments?80%12% 8%Yes No Not sureAND CERTIFICATIONThe main recurring theme in this survey is the continuing shortage of not only qualified cybersecurity staff, but also the lack of security awareness and skills among all employees. Cybersecurity professionals agree that 59% of employees would benefit from security training and/or certification for their jobs.> What percentage of your employees would benefit from security training and/or certification for their job?41%59%Of employees would benefit from security training.#1 CISSP#2 Security+#3 CCSP#8 CCSK#9 CRISC#10 GSEC> Top 10 most valued security certifications# 4 CISM5 CISA# 6 Network+7 CEHWhen it comes to prioritizing topics for security training, cybersecurity professionals in our survey selected cloud-enabled cybersecurity (66%), followed by application security (45%), and risk-based frameworks (43%) as the most valuable topics fortraining and education success.> Which of the following topic areas would you find most valuable for ongoing training and education to be successful in your current role?66%Cloud-enabled cybersecurity45%ApplicationsecurityA aj 43%Risk-basedframeworksDevOpsDevOpsSoft skills (e.g., leadership, effective teamwork, communicating to persuade/educate)IncidentresponseRegulatorycomplianceMobile security 29% | Digital forensics 25% | Open source vulnerabilities 21% | Internet of Things (loT) 21% | PH 21% | Identifying social engineering/phishing 17% | Not sure/other 6%The 2020 Cloud Security Report is based on a comprehensive survey of 653 cybersecurity professionals conducted in May 2020 to uncover how cloud user organizations are responding to security threats in the cloud, and what training, certifications and best practices IT cybersecurity leaders are prioritizing in their move to the cloud. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.CAREER LEVEL23%20%14%12%8%4% Manager/Supervisor Specialist Consultant Director CTO, CIO, CISO, CMO, CFO, COO Owner/CEO/President BOtherDEPARTMENT50%14%8%8%3%3% IT Security IT Operations Engineering Compliance Operations DevOps SecOps OtherCOMPANY SIZE8%5%12%8%17%9%41% Fewer than 10 10-99 100-499 500-999 1,000-4,999 5,000-10,000 Over 10,000INDUSTRY Government Technology, Software & Internet Financial Services Professional Services Healthcare, Pharmaceuticals, & Biotech Manufacturing Education & Research Energy & Utilities Telecommunications OtherSECURITY CERTIFICATIONS HELD CISSP Security+ CCSP Networkf CISM CISA CEH CRISC Other92%26%15%15%15%14%12%38%(ISC)2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)2 offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. In 2015, (ISC)2 and the Cloud Security Alliance (CSA) partnered to launch the Certified Cloud Security Professional (CCSP®) credential for security professionals whose day- to-day responsibilities involve procuring, securing and managing cloud environments or purchased cloud services. It is now our fastest growing certification. Our membership, more than 150,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation - The Center for Cyber Safety and EducatiorrMFor more information on (ISC)2, visit , follow us on Twitter or connect with us on Facebook and Linkedln.CCSRThe Path to Stronger Cloud SecurityCertified Cloud Security ProfessionalAn (ISC)2 Certification杵34%want to hire staff dedicated to cloud security.屏61%of organizations want to train and certify their current IT staff, to ensure that their evolving security needs are met.Start with The Ultimate Guide to the CCSPEXCLUSIVE FEATURESG Is CCSP Right for Me?G Fast Facts about CCSPG BenefitsC Exam OverviewC Training and Self-Study ResourcesG Pathway to CertificationYES, GIVE ME THE FREE GUIDE >Security remains a key issue for cloud customers, despite continued rapid adoption of cloud computing. A majority of cybersecurity professionals (94%) confirm they are at least moderately concerned about public cloud security, a small increase from last year's survey.> How concerned are you about the security of public clouds?94% Not at all concerned Slightly concerned Moderately concerned 匚 Very concerned Extremely concernedOf organizations are moderately to extremely concerned about cloud security.66%Most organizations are not confident at all to moderately confident in their cloud security posture (66%). While confidence has been declining from 84% last year, we still see a degree of overconfidence not supported by the backdrop of security incidents and challenges presented in this report.> How confident are you in your organization's cloud security posture?Of organizations are not confident at all to moderately confident in their cloud security posture.Not at all confidentExtremely confident Not at all confident Slightly confident . Moderately confident . Very confident . Extremely confidentCloud providers offer increasingly robust security measures as part of cloud services, but customers are ultimately responsible for securing their workloads in the cloud. The top cloud security challenges highlighted in our survey are about data loss/leakage (69% - up five percentage points since last year) and data privacy/confidentiality (66% - up four percentage points). This is followed by concerns about accidental exposure of credentials and incident response (tied at 44% and up from 29% last year).> What are your biggest cloud security concerns?69%Data loss/leakage66%Data privacy/ confidentialityAccidentalexposureof credentialsIncidentresponseLegal and regulatory complianceData sovereignty/residency/controlVisibility & transparency 30% | Availability of services, systems and data 28% | Lack of forensic data 27% | Business continuity 26%Liability 24% | Fraud (e.g., theft of SSN records) 24% | Disaster recovery 23% | Having to adopt new security tools 21% | Performance 19% | Not sure/other 8%As more workloads continue to move to the cloud, cybersecurity professionals are increasingly realizing the complications with protecting these workloads. Lack of qualified security staff (47%) has risen to the number one spot on the list of day-to-day headaches, up from the third spot on last year's survey. This is followed by compliance (40%) and setting consistent security policies across cloud and on-premises environments (36%).> What are your biggest operational, day-to-day headaches trying to protect cloud workloads?47%Lack ofqualified staff40%Compliance36%Setting consistentsecurity policiesVisibility intoinfrastructuresecurityVisibility intoinfrastructuresecurityCan5t identifymisconfigurationsquicklySecurity can't keep upwith pace of changein applicationsLack of integrationwith on-premisessecurity technologiesSecuring traffic flows 27% | Understanding network traffic patterns 27% | Justifying more security spend 25% |Securing access from personal and mobile devices 25%Cloud computing is still not without challenges. Among the barriers to cloud adoption, organizations mention lack of qualified staff (37%) as the biggest impediment to faster adoption - up from the fifth spot on last year's survey. This is followed by challenges regarding integration with existing IT environments, and data security issues (tied at 35%).> What are the biggest barriers holding back cloud adoption in your organization?37%37%Lack of staffresources orexpertise35%Integration withexisting ITenvironment35%Data security,loss & leakagerisksLack of budgetLack of budgetLegal & regulatorycomplianceGeneralsecurity risksFear of vendorlock-inLoss of control 20% | Complexity managing cloud deployment 19% | Internal resistance and inertia 18% | Cost/lack of ROI 16%Lack of management buy-in 14% | Lack of transparency and visibility 13%When