2023年云安全调查报告（英）

GLOBAL

EDITION2023CLOUDSECURITYSTUDYTh

eChallengesofDataSecurity

andSovereigntyinaMulticloudWorld#2023CloudSecurityStudy2023

CloudSecurityReport:GlobalEditionIntroductionIfthere’s

adominanttheme

that

the

datafrom

the

2023

Thales

GlobalCloudSecurityStudyconveys,it’sthat

the

worldhas

becomecloud-first,multicloudandthat

it’s

morecomplextosecurethe

cloud.The

latesteditionofthe

surveyofnearly3000respondentsin18

countriesexploreschallengesofsecurityincloudenvironmentsthat

havebecomeacriticalelementinmoderndigitalinfrastructureandservices.Whilethere

has

beenimprovementinthe

overallcloudsecurityposturefrom

the

previousyear,

thereisstillworktobedonetosimplifyandsecurecloudoperations,especiallywhen

itcomestoaddressinghuman

error.Multicloudoperationsbringwiththem

operationalcomplexity,somethingthatneedstobetamedtosecurecloudenvironmentsefficientlyandeffectively.Source:2023

CloudSecuritycustomsurveyfromS&PGlobalMarketIntelligence,commissionedby

Thales.Sponsoredby2#2023CloudSecurityReportContents0406080911KeyfindingsIt’s

amulticloud

worldThethreatlandscape

for

thecloudClouddataconcernsImpactsof

datasovereigntyOperationalcomplexityinthecloudPathwaystobetter

cloudsecurityMovingahead13141617Aboutthisstudy32023

CloudSecurityReport:GlobalEditionKey

findingsMulticloud

is

a

reality.Securing

data

inthe

cloud

is

seen

asbecoming

more

complex.The

averagenumberofcloudinfrastructureprovidersiswellabovetwo

(2.3).More

thanthreequarters(79%)

ofthisyear’s

respondentshavemore

thanIthasincreasedto55%from

46%justtwo

yearsago.onecloudprovider.79%2021202330%40%50%60%SaaS

usage

is

growing.97Dramatic

increaseinsensitivedatareportedin

thecloud.The

reporteduseofSaaSapplicationshasexpanded,withthemeanrisingto97

applications,increasingthenumberofpointsofusewhere

datamustbesecured.75%38%SaaSapplicationsgarneredthemostvotesastheleadingtargetsforattackers(rankedfirstas

atargetby38%),followedcloselybycloud-basedstorage(rankedfirstasatargetby36%).ofrespondentsreportthat40%ormore

oftheirdatainthecloudissensitive,upfrom

49%

in2021.4#2023CloudSecurityReportWe’re

only

human:Levels

of

sensitivedata

encryptionmust

be

higher.Human

erroris

theleadingcauseofclouddatabreaches22%ofrespondentsreportthat60%ormore

oftheirclouddataisencrypted.Onaverage,only45%ofsensitivedataisencrypted.55%ofrespondents

chose

humanerrorasthe

leading

causeofclouddatabreaches,

wellahead

ofexploitationofvulnerabilities,

thesecondhighest

selectionat21%.Complex

encryption

keymanagement

creates

securityand

operational

risks.Digital

sovereignty

issuesaround

cloud

usage

loomlarge

on

multiple

fronts.Respondentsreportmultiplekeymanagementsystemsinuse.Respondentsreporthighuseofcloudprovider-dependentencryptionkeymanagement,alongsidegrowingconcernsaboutsovereigntymandates.83%are

concernedaboutimpactsofsovereigntyonclouddeployments.62%saytheyhavefiveormore

keymanagement14%saythattheycontrolalloftheirownencryptionkeysincloudsystemsinplace.environments.52023

CloudSecurityReport:GlobalEditionIt’s

a

multicloud

worldThere

aremanyreasonsthatcouldbepushingenterprisesintoexpandingtheirportfolioofcloudproviders.Aninterestinadditionalfunctionality,amovetodiversifyoperationsforgreaterresilience,partnerships,serviceavailabilityandespeciallymergersandacquisitionsareallpossiblecausesthatmaybebehindthe

increasingnumbers,butthe

studyresultsareclear–multicloudusecontinuestogrow.

Averagenumberofcloudinfrastructureproviders(IaaSandPaaS)isup35%

overtwo

years

(from1.68

to2.26).Witheachadditionalcloudprovider,

therearenewsecuritycontrolsanddataprotectionmodelstounderstandandimplement.Cloudusers

havetoextendtheirexistingoperatingprocessesfurther,

whileunderstandingthe

constraintsofthe

newenvironment.Multicloud

is

the

rule,

not

the

exceptionOf

thefollowingcloudInfrastructureasaService

(IaaS)providers,whichdoesyourorganizationuseorplantouseinaproductioncapacity?12345AVERAGE60%%%%%%%2.52504030201001.510.5020212022202335%Source:S&PGlobalMarketIntelligence’s2021-2023CloudSecuritycustomsurveysGrowth

in

the

number

of

cloud

providersreported

over

the

last

two

years6#2023CloudSecurityReport41Growth

reported

in

themean

number

of

SaaSapplications%While

cloudusageisgrowingforinfrastructure,SaaSuseisgrowingaswell.MorerespondentsareusingSaaSapplicationstoreplaceon-premisesapplicationfunctionality.In2

021,

16

%ofrespondentsreportedtheirenterprisesusing51-100

SaaSapplications.That

numberincreasedto22%

for2023

respondents.That

translatesintoashiftinthe

meannumberofapplicationsreportedinusefrom69in2

021

to97

in2023,

a41%

increase,growingfasterthanregularcloudinfrastructure.Allofthisexpansionmeansthat

thereismoretomanageandsecure,andthatsensitivedataisdistributedtomorelocations.Amajorityofrespondents(55%)notethat

they

finditmorecomplextosecuredatainthe

cloud,andtheincreasingnumberofcloudproviderscouldbedrivingthatissue.SaaS

diversity

is

trending

higherHowmanySoftware

asaService

(SaaS)applicationsdoesyourorganizationuse?202320222021500+101-50051-10026-5011-250-100%5%10%15%20%25%30%35%40%Source:S&PGlobalMarketIntelligence’s2021-2023CloudSecuritycustomsurveys72023

CloudSecurityReport:GlobalEditionThe

threat

landscapefor

the

cloudWiththe

increasinguseofcloud-basedresources,it’s

importanttounderstandperceptionsofthe

threatlandscapeandthe

experiencesthatrespondentshave

had

indefendingcloudresources.The

studyaskedrespondentstorankasetofattacktargetsby

likelihoodofattack.Garneringthe

mostvotes,morethanathird(38%)ofrespondentssaySaaSappsarethe

toptargetforcyberattacks,with36%identifyingcloudstorage.It’s

anindicationofthe

levelofconcernthatexistsforcloud-basedresources.Andit’s

notaconcernthatisunfounded.38%Organizationsidentifythe

potentialexposureofapplicationsanddatastoredinthe

cloudasarisk.Infact,abouthalf(46%)saythey

haveexperiencedadatabreachintheircloudenvironment.The

numberexperiencingadatabreachinthe

lastyearisup4percentagepoints(from

35%

to39%)fromlastyear’s

report.As

attackerstargetcloud-basedresources,there’s

agreaterneedfororganizationstoimprovetheirsecurityposture.As

the

dataindicates,thattaskisallthemoredifficultwhen

therearemorecloudproviderstosecure,whichcouldbecontributingtothe

reportedincreaseinsuccessfulattacks.rank

SaaS

apps

as

the

top

targetfor

cyberattacksWithalargernumberofplatformstosecure,the

opportunityforoperationalerrorsgrows,increasingthe

attacksurfacewitheacherror.

Organizations

either

havetodedicateseparateteamstospecializeineachplatformorexpecttheirsecurityteamstobecomewell-versedinmultipleplatformsatthe

sametime.Respondentssaythat

human

erroristhe

leadingcauseofclouddatabreaches,whichmightbeanindicationthat

the

strategythey’re

usingforplatformmanagementisnotworkingwellenough.39%As

organizationsareembracingcloud,the

attackercommunityisincreasingitspresenceandskilllevelinthosesameenvironments.That

meansthat

the

threatlandscapeinthe

cloudwillcontinuetobecomemorehostileandrequireincreasingeffort

tosecure.This

pressure,combinedwithincreasingcloudenvironments,putsagreateremphasisonthe

abilityofsecurityteamstobecomemoreefficientinsecurityoperations.of

respondents

experienced

adata

breach

in

the

last

year8#2023CloudSecurityReportCloud

data

concernsThe

studyresultsconfirmthat

therearemoreworkloadsanddataresidinginthe

cloud,withthosewith60%ormoreoftheirworkloadsanddatainthe

cloudincreasingfrom

23%

to27%

inthe

lastyear.

Thatmirrorslargerindustrytrendsascloudbecomesamorecommonpathfornewapplications.There

isabiggerstoryaroundsensitivedata.The

studylookedbothatthe

amountofanorganization’s

sensitivedatathatisstoredinthe

cloudandthe

amountofdatainthe

cloudthatissensitive.There

isanotableincreaseinbothareas.There

hasbeenadramaticincreaseinthe

amountofanorganization’s

sensitivedatainthe

cloud.In2022,

52%

ofrespondentsreportedthatmorethan40%oftheirsensitivedatawasinthe

cloud.This

year,

thisamountdramaticallyincreasedto64%.That’s

mostlikelyduetolargernumbersofcoreapplicationsrunninginthe

cloud,applicationsthatarebringingthe

criticaldatathat

they

handlewiththem.75%The

numberofrespondentssayingthat40%ormoreoftheirdatainthe

cloudissensitiveincreasedinasimilarfashion–movingfrom49%in2

021

upto75

%in2023.

Thatincreaseofmorethan50%,combinedwithanincreaseinthenumberofcloudplatforms,couldbeanotherfactorleadingtochallengesinmanagingclouddatasecurity.Point

dataprotectioncontrolsalonecannotkeep

upwiththe

volumeanddiversityofsensitivedatagrowth.report

that

40%

or

more

of

theirdata

in

the

cloud

is

sensitiveEventhoughmoredataisinthe

cloudandmoreofthatdataisconsideredsensitive,thereisstillmuchthatisnotencrypted.Moresensitivedataisbeingencrypted,butlevelsarestilllow.Only22%

ofrespondentsreportthatmorethan60%oftheirsensitivedatainthe

cloudisencrypted,withthe

averagebeing45%ofdatabeingencrypted.This

isamarkedimprovementfrompreviousyears.In2

021,

only17

%reportedthatmorethan50%ofsensitivedatawasencrypted.Thisyear,

thatnumberis40%.Only2%report100%

encryptionofsensitivedatainthe

cloudthisyear.2%ONLYreport

100%

encryption

ofsensitive

data

in

the

cloud92023

CloudSecurityReport:GlobalEditionSignificant

amounts

of

sensitive

data

are

unencryptedWhat

percentageofyourorganization’ssensitivedatainthecloudisencrypted?AVERAGE

=

45%0-2526-5051-7576-1000%10%20%30%40%50%60%Source:S&PGlobalMarketIntelligence’s2023CloudSecuritycustomsurveyThere

areclearlymanyfactorsatworkthatlimitthe

useofencryptiontotheselevels,butitraisesseriousquestionsaboutapproachestodatasecuritywhen

suchsignificantvolumesofdataidentifiedassensitivearen’t

encrypted.Alackofunderstandingofspecificcloudencryptionoperationsmightbeacontributorbecausecloudenvironmentstypicallyoperatedifferentlythantraditionalon-premisessystems.Concernsaboutlimitingdeveloperproductivitymightweighonsomeorganizations.Itcouldalsobethat

organizationsarecarryingthe

traditionalpracticeofrelyingonapplication-baseddataprotectionintoclouds,whereitisclearlynotsufficienttoaddressthird-partyrisk.Whatever

the

cause,organizationsneedtodomore,especiallyinlightofregulatoryrequirementsthataretakingonalargerroleindataprotection.22%report

that

more

than

60%

of

theirsensitive

data

in

the

cloud

is

encrypted10#2023CloudSecurityReportImpac

t

s

of

datasovereigntyDigitalsovereigntyisaglobalstrategicinitiative,andprivacycompliancerepresentsopportunitiesforenterprisestomaturetheirdatamanagementcapabilities.It’s

acriticalfunctionalitybecauseconcernsaboutdigitalsovereigntycanhinderdigitaltransformationiforganizations

can’t

effectivelymanagethe

datathatfuelstheirbusinesses.Itcanpresentchallengeswithrequirementstocontrolandmanagewheredataisstoredandusedandwho

has

accesstoit.When

askedaboutdigitalsovereignty,83%ofrespondentsworldwidesaythey

are“somewhat”or”very”concernedaboutimpactsonclouddeployments.The

foundationofdigitalsovereigntyisnotthe

cloudproviderbutthe

datamanagementcapabilityofthe

infrastructurethatsupportsthe

workloadsandapplicationsunderthe

datacustodian’scontrol.Theuseofcloud-basedresourcesintroducesathirdparty

thatlegacydatamanagementstrategiesmaynothaveaddressed.Those

leveragingcloudneedtoensurenotonlythat

the

databeingsecuredisprotectedfromdisclosurebutalsothatitisdeliveredonlytothoseenvironmentswhereitshouldbeused.Multicloudenvironmentscanhelp

addressdigitalsovereigntyrequirementsasorganizationsleveragedifferentcloudenvironmentsforregionalcoverage.However,

thatpotentialbenefitcouldaddcomplexityiforganizations

aren’t

abletosimplifythe

waythey

managethe

variouscloudsthat

makeuptheirinfrastructure.83%say

they’re

concerned

about

digitalsovereignty

impacts

on

cloud

deployments112023

CloudSecurityReport:GlobalEditionRegardingexpectationsformeetingdigitalsovereigntyrequirements,96%ofrespondentsbelievethatdesignatingorchangingthe

locationandjurisdictionorthe

useoffulldataencryptionareacceptablemeasurestoachievevariouslevelsofdigitalsovereignty.Onlythe

remaining4%arenotconcernedaboutthe

locationofdatawithrespecttosovereigntymandates.Morethanathird(35%)believethatlocationisimportantforallworkloads.This

reflectsboththe

concernaboutregulationsthatusethe

physicallocationofdataasameansofprotectionandthe

growinginterestincryptographicprotectionsasasufficientmeansofprotection.Withthe

latter,dataencryptionprovidesthe

isolationrequiredandensuresthatnomatterwherethe

dataislocated,itisprotectedfromdisclosuretounauthorizedparties.It’s

anapproachthat

has

manyadvantagesandisunderactiveexplorationbyanumberofregulatorybodies.Organizationsneedtounderstandthat

the

coreelementsofdigitalsovereigntywillbecomearequirementforall.While

itmayseemthat

thoseoperatingwithinasingleregioncouldremainexempt,providinghighlyavailabledigitalcustomerexperienceswilleventuallyrequirethe

samelevelofdataprotection.Bybuildinginbetterdataprotectioncapabilitiestoday,they’llbepreparedforwhateverrequirementsregulators,eitherlocalorglobal,putforwardinthe

future.12#2023CloudSecurityReportOperationalcomplexity

in

the

cloudThe

operationalrealitiesofmulticloudenvironmentshaveraisedconcernsformanyorganizations.Morethan

half(55%)ofstudyrespondentsindicatethatitismorecomplextomanagedatainthe

cloudthanitisinon-premisesenvironments.While

mosthavebeenhoningtheiroperationalcapabilitiesinthe

cloud,it’s

stillseenasanoperationalconcern.Growingnumbersofcloudproviderscouldcertainlybeaddingtothiscomplexity.55%The

studylookedatoperationalaspectsofdataprotectionandmanagementinthe

cloud,andtheresultsoffer

someinsightsintowhatmaybedrivingthe

complexity.Only14

%ofrespondentssaythatthey

controlalloftheirencryptionkeys

intheircloudenvironments.This

meansthatmostorganizationsareworkingwithmultiplecloudenvironments,andtheymanagetheirdataencryptionkeys

indifferentwaysacrossthoseenvironments.say

that

it’s

more

complex

tomanage

data

in

the

cloudAfurtherconfirmationofthe

complexityindataprotectionmanagementcomesfromaquestiononthe

numberofkey

managementsystemsinuse.Almosttwo-thirds(62%)saythey

havefiveormorekey

managementsystemsinplaceacrosstheiroperationalinfrastructure.That

meansthat

thereareindependentrealmsinwhichdataprotectionmustbemanaged.Morethanaquarterofrespondents(27%)saytheircloudprovidercontrolsalloftheir

keys.

As

withotheraspectsofmulticloudsecuritymanagement,organizationswilleither

havetohavededicatedteamsforeachcloudorexpecttheirteamstobeskilledinkey

managementoperationsforalloftheir

providersatthe

sametime.Withthissituation,it’s

notsurprisingthatrespondents14%ONLYreporthuman

errorasthe

leadingcauseofclouddatabreaches(55%),wellaheadofthe

secondcause,exploitationofvulnerabilities(21%).Complexoperationalenvironmentsarealltoosusceptibletohumanfailings.This

isanotherareawhere

organizations

havetosimplifytheirsecuritymanagementtobecomemoreeffective.of

respondents

say

that

they

controlall

of

their

encryption

keys

in

theircloud

environments132023

CloudSecurityReport:GlobalEditionPathways

to

bettercloud

securityThe

studyresultsclearlyillustratethe

challengesfacedby

organizationsasthey

worktosecuretheircloud-basedinfrastructure,butthey

alsooffer

someindicationsofpathwaystoimprovingcloudsecurity.Identityandaccessmanagementhas

beenidentifiedasatopmitigatingcontrolfordatabreaches,andthere

has

beenprogressfrompreviousstudyresults.StrongMFAadoptionincreasedto65%,butthat’s

stillnotgoodenough.Withathirdofrespondentsyettoimplementthisimportantcontrol,thereissignificantcloudinfrastructureatriskAnother

key

pointtaken

from

the

studyresultsisthatdatasecurityhas

tobeimproved.Centralizingencryptionmanagementismandatory.Inamulticloudworld,organizations

havetobeabletocentrallymanagekeys

thatareusedacrosstheirinfrastructure—onpremisesaswellasinthe

cloud.Thatmanagementskillnotonlyreducesoperationalcomplexitybutcanalsogiveorganizations

the

flexibilitytosecurenewenvironmentsasbusinessneedsdictate,whether

that’s

totake

onanewpartnershipormergebusinesses.65%report

deploying

MFA

to

secure

clouddata

access14#2023CloudSecurityReportIt’s

alsoanimprovementthatcanaddressthe

leadingcauseofclouddatabreaches:human

error.Makingsecurityoperationsmoreefficientcanmake

them

moreeffective.Buildingsecuritymanagementsystemsthatcanleverageautomationandspanthe

fullrangeofanorganization’s

infrastructureisacriticalgoal.Improvingoperationalarchitecturesisanotherareatoimprovesecurityposture.Gettingtoazero-trustfootinginthe

cloudcanbuildabetterfoundationforoperationalsecurity.Only41

%have

zero-trustcontrolsoncloudinfrastructure,andevenfewer(38%)usezero-trustcontrolsincloudnetworks.Zero

trust

use

is

improving,

but

more

neededHowdoesyourorganizationusezerotrustpractices?RemoteaccesssystemsCloudinfrastructureCloudnetworksInternalnetworksServermanagementNotimplemented0%5%10%15%20%25%30%35%40%45%50%Source:S&PGlobalMarketIntelligence’s2023CloudSecuritycustomsurvey152023

CloudSecurityReport:GlobalEditionMoving

aheadThe

studyresultspointtoasetofchallengesthat

organizationsarefacinginsecuringdatainthe

cloudenvironments.They’re

livinginamulticloudworldandneedtobeabletosecureiteffectivelyandefficiently.They

needtoovercomethe

complexitythatworkingacrosscloudinfrastructureandSaaSenvironmentspresents.Dataprotectioninthe

cloudmustbecomesimplertomanagetoovercomeissueswithhuman

errorandmisconfiguration.The

resultsofthe

studyindicatespecificareasthatneedimprovement.•Key

managementconsolidation.•Greateruseofdataencryption.•Gainingcontrolofencryptionkeys.•Achievinggreatefficiencythroughsecurityautomation.Key

managementenvironmentsneedtobeconsolidated.Doingsocandeliverthe

operationalcontrolthat’s

neededtoscaleupthe

useofencryptioninwaysexistingsecurityteamscanhandle.At