US and European IT decision-makers have different cloud security priorities

The growing adoption of cloud has elevated cloud security fear for IT teams, as they grapple with the challenges and concerns arising from the widespread use of complex cloud environments while diligently addressing them, according to SUSE.

Cloud security fear is growing

The survey found IT decision-makers have experienced, on average, four cloud-related security incidents in the past year, going up to five for those in the US and down to three for those in Europe.

This contributes to concerns about security holding back cloud technologies, as 88% of professionals agreed that if they were certain about the integrity of their data, they would be more inclined to migrate additional workloads to the cloud and edge.

• Data stores as top cloud security concern: 31% of respondents named data stores hosted by cloud or third parties as their top cloud security concern
• Strong secondary concerns: Runtime attacks from threat actors, security policy management, federation, and automation follow closely behind data stores as secondary concerns (29% each)
• US vs. European cloud security priorities: US IT decision makers (35%) are significantly more likely than those in Europe (25%) to believe that security policy management, federation and automation are among their biggest cloud security concerns.

Cloud native security accounts for over a third of overall IT budgets

On average, those surveyed said they spend 36% of their overall IT budget on cloud native security. This is significantly higher for US (42%) than European (33%) respondents.

In terms of current cloud security practices, both security automation and container firewall are widely adopted, each accounting for 38% of the overall usage. This is followed by security policies and management tools provided by cloud vendors at 36% and security policy automation at 34%.

Several cloud security practices exhibit significantly higher popularity among IT decision-makers based in the US compared to their counterparts in Europe. These practices include CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform) and CNAPP (Cloud Native Application Protection Platform) solutions, which are favored by 42% of US-based decision-makers compared to 26% in Europe.

Similarly, the usage of free or paid observability or security tools is higher among US decision-makers (33%) compared to those in Europe (24%). The same trend can be observed for PSP (Policy Security Policy) or PSA (Policy Security Automation) policies (31% versus 22%), Kubernetes network policies (32% versus 15%), and free CVE (Common Vulnerabilities and Exposures) or paid scanner (26% to 18%).

Qualitative feedback from respondents highlighted that open-source software carries key benefits: capturing developer attention and harnessing the openness of the code plus the collective wisdom to identify potential security vulnerabilities.

Source-code auditability will emerge as the next battleground

In the coming years, 33% of IT decision-makers foresee increased re-evaluation and prioritization of goals related to source-code auditability, the process of running tests and manual codebase inspection to detect bug. While 30% will prioritize build quality and 28% of respondents will prioritize SBOM depth/quality/security.

When comparing respondents based in the US and Europe, it is evident that US respondents will place a higher priority on source-code auditability (45%) and SBOM depth/quality/security (36%) to ensure businesses meet supply chain security goals. In comparison, Germany and the UK are falling behind in terms of source-code auditing priorities (just 23% and 26%, respectively), and spend less on cloud native security.

On the other hand, European participants (40%) are significantly more likely to anticipate a re-evaluation of goals on build quality compared to their US counterparts (15%).