Cyber Security Cloud Survey 2019

Cyber Security & Cloud Expo Survey: Cloud Adoption Soars, but Security Struggles

Cloud migration has become ubiquitous and most organizations are including API security in their cloud migration strategy, but the sophistication of their approach (or lack thereof) raises some questions about if their APIs are really protected.

This week at the Cyber Security & Cloud Expo, CloudVector surveyed more than 100 of its 12,000 attendees about their organizations’ approach to cloud migration and API security. Read on for a full analysis of the results.

1) Has your organization adopted a cloud migration strategy?

Yes – 91%
No – 9%

As a baseline, the results of this question should be no surprise (unless you are surprised that adoption rates are not 100 percent at a cloud expo) since a 2018 Deloitte global CIO survey determined that 93% of respondents were adopting or considering the cloud. Along with the similarities to the Deloitte survey, this question confirms that the paradigm shift to the cloud has become pervasive.

2) Does your organization’s cloud migration strategy include the use of Docker Containers or Kubernetes in its production environment?

Yes – 58%
No – 31%
Don’t Know – 11%

This is an interesting question because it provides insight into more advanced cloud migration strategies. More than half of organizations have embraced the new micro-services architecture in their production environments and are actively using Docker containers and Kubernetes. These are the current state of the art for DevOps and the primary reason we believe that organizations use Docker containers and Kubernetes is for more flexible application deployment, management, and scalability. This directly drives the point that cloud migration is leading to more APIs being created and used compared to anytime before.

3) Does your organization’s cloud migration strategy include API security?

Yes – 71%
No – 23%
Don’t Know – 6%

This question also provides insight into more advanced cloud migration strategies. It should be very encouraging that more than two-thirds of organizations include API security in their cloud migration strategy, but the next few results will reveal that their API security strategy is limited in its capabilities.

4) Does your organization have the ability to authenticate APIs and authorize APIs?

Yes – 67%
No – 20%
Don’t Know – 13%

For two-thirds of organizations, API security begins with authentication and authorization. These are important access controls, but only half the battle because authentication and authorization measures are unable to address all of the OWASP API Security Top 10.

5) Does your organization have the ability to validate API payloads and detect API threats?

Yes – 43%
No – 43%
Don’t Know – 14%

We can already see a pretty sizeable drop-off with this question. Less than half of organizations are validating API messages and detecting API threats. If organizations are not validating API messages and detecting API threats, then they are at risk for compromised credentials, data breach or sensitive data exposure via shadow APIs, or stealth API recon attacks, just to name a few.

6) Does your organization have an automated tool to discover all its APIs (including shadow APIs) to create API blueprints?

Yes – 10%
No – 74%
Don’t Know – 16%

There is a lot to unpack here. If we had simply asked “does your organization have an API blueprint” we would have returned a higher affirmative response, but the key to this question was its focus on automation (and discoverability of shadow APIs as well). If two-third of organizations are including API security in their cloud migration strategy, but only one-in-ten have an automated tool to discover APIs, then that means a lot of IT teams are manually registering APIs, or leaving them unregistered entirely. In either case, it’s a recipe for disaster. And the reality is that the overwhelming majority of organizations are lacking this capability.

7) Does your organization have a tool to detect API abuse and API-related data exfiltration?

Yes – 25%
No – 59%
Don’t Know – 16%

This is a concerning response, which reveals another missing capability in these organizations’ security strategy. Only one-quarter of organizations have the ability to detect API abuse and API-related data exfiltration. With the rise of API-related data breaches, organizations should be prioritizing solutions that protect against this threat.

8) In the past 12 months, has your organization detected any reconnaissance attempts to exploit your APIs?

Yes – 26%
No – 58%
Don’t Know – 16%

It is interesting to note the similarities between these last two questions. It makes sense that most organizations haven’t detected any reconnaissance attempts to exploit APIs since most organizations don’t have a tool to detect API abuse.
But what should be really concerning is that a quarter of organizations HAVE detected reconnaissance attempts to exploit their APIs. The reality is likely much higher, given that most organizations lack the capability to detect these threats. The lack of visibility into API payloads is a major blind spot.

My take on these survey results is that API security concerns are real, and the awareness is there, but organizations have limited capabilities to address their blind spots because of limitations in the market. Organizations have implemented authentication and authorization access controls because that is the extent of API security offered by Web Application Firewalls and API gateways.

CloudVector is eliminating these limitations with the first API Threat Protection solution that enables organizations to move beyond the gateway. Only CloudVector enables organizations to automate the continuous discovery of APIs, monitor for deviant behavior, and secure data from exfiltration to prevent data breaches.