AI-generated code vulnerabilities are the most common cloud security concern for 2024, with 100% of survey respondents reporting that their organizations use AI to assist with programming, according to Palo Alto Networks' original 2024 State of Cloud Security report, published on Wednesday.
AI concerns, conflict between developers and security teams, rapid cloud migration and fragmentation across multiple cloud tools were the main focus points of the report, while AI risks and API and access management were among the top concerns reported by participants.
The report also reveals that security incidents such as data breaches, compliance breaches and incidents involving advanced persistent threats (APTs) are on the rise, indicating a need for greater identity and secrets management. The report concludes with recommendations for improving cloud native security.
GenAI is best for developers and cloud security professionals
The survey, which included responses from 2,800 executives and practitioners from development, security and IT departments around the world, resulted in the first-ever unanimous response in the history of the original State of Cloud Security report, with 100% of respondents saying their organization is adopting artificial intelligence-assisted programming in their development processes.
Meanwhile, AI risks made up two of the three most common cloud security concerns, with 44% of respondents concerned about vulnerabilities in AI-generated code, and 38% saying AI-powered attacks pose a threat.
At the same time, the report stated, “organizations are not throwing caution to the wind.” Ninety-nine percent of respondents said their organizations plan to create AI security policies and ensure appropriate “need-to-know” access management for AI models. Additionally, 98% of responses indicated that their organizations plan to fully inventory AI models and applications powered by GenAI.
Overall, 100% of organizations plan to prioritize visibility into the full lifecycle of AI deployments, the survey found.
Application Programming Interface (API), identity risks common cloud security issues
The second most common security concern for survey participants was risks associated with the Application Programming Interface (API), cited by 43% of respondents.
“Concern among organizations centers on unmanaged and insecure APIs, third-party API risks, and lack of oversight in API integrations,” the report stated.
Thirty-five percent of respondents also expressed concern about insufficient access management in the cloud. The introduction of the cloud has created identity management challenges, including fragmentation of identities across multiple services.
The incident response section of the report reflects the need for greater API security and access control, with 64% of respondents reporting an increase in data breaches over the past year, 48% reporting an increase in significant compliance breaches, and 45% noting an increase in incidents involving insecure APIs.
45% of survey respondents also reported an increase in downtime due to misconfigurations, incidents related to advanced persistent threats (45%), secret disclosures (43%), and identities with excessive access permissions (42%). The top two “data security adversaries” cited in the survey were the complexity and fragmentation of cloud environments (54%) and lax access and incident management practices (50%), with an emphasis on the role of identity in preventing cloud-native data security incidents.
The time-to-market crunch undermines security, causing stress on employees
Another issue highlighted in Palo Alto's original State of Cloud Security report is conflicting priorities between developers and security teams, with DevOps teams under pressure to deliver requests quickly and seeing requests from SecOps colleagues as a burden.
92% of organizations said that conflicts between DevOps and SecOps lead to inefficient application development and deployment, and 84% said security operations lead to delays in project timelines. Meanwhile, 71% of respondents said rushed timelines led to security vulnerabilities upon deployment.
These conflicts not only harm security, but also cause significant workplace stress among DevOps and SecOps employees. More than half of respondents (52%) said conflict between DevOps and SecOps teams was a source of stress in the workplace.
The time crunch is also evident when it comes to moving to the cloud, with half of the professionals surveyed saying they wish they had spent more time refactoring applications for the cloud rather than taking a “lift and shift” approach.
Recommendations for securing the cloud in 2024
Palo Alto Networks offers five recommendations for improving cloud security amid current challenges. First, organizations should look to standardize their cloud security tools, as the survey found that organizations use an average of 16 cloud security tools across an average of 12 cloud service providers (CSPs), with 98% of respondents saying reducing this number is important.
“One strategic way to prepare for new cloud security requirements is to start with a platform vendor that can scale to future use cases, including application and operations security,” the report said.
The second recommendation focused on the safe adoption of artificial intelligence, with clear policies for the use of and access to artificial intelligence. The report also recommended automating the discovery of sensitive data to keep sensitive details out of typical training, and noted the importance of awareness when it comes to using AI-generated code in third-party software supply chains.
Third, as cloud data breaches are on the rise, smart data security solutions should be implemented and data security strategies regularly reviewed. Access control and employee training are also key to protecting data in the cloud.
The fourth recommendation addressed the tug-of-war between speed and security, urging organizations to measure how often security is a critical factor in production timelines and adapt workflows to maximize efficiency and security. Adopting a safe design approach can also help in this area.
Finally, being proactive in implementing security measures for application development can help harmonize the relationship between DevOps and SecOps and get both departments on the same page.
“If you are not intentionally and strategically committing 100% to building a DevSecOps culture, your business results are at risk,” the report concluded.