97% of security findings are related to cloud, study finds

While many organizations continue to focus on security policies mainly and queries around physical devices, the vast majority of an organization’s assets — and security issues — are now in the cloud, according to a new study.

JupiterOne says it conducted the study, the 2022 State of Cyber Assets Report, in an effort to assess the current state of security for enterprise cyber assets. Those assets include cloud workloads, devices, networks, apps, data and users.

It appears to be the first research of its kind, and involved the analysis of 372 million data points at nearly 1,300 organizations, according to Jasmine Henry, field security director at JupiterOne.

“We wanted to create a new baseline of normal for asset inventories and attack surface,” Henry said in an email. “Many security practitioners know their cloud asset inventory has grown exponentially. Still, many lack the data to explain to non-technical executives how cloud adoption has impacted their workload and security posture.”

Cloud assets outnumber physical devices

Among the key discoveries in the report: 97% of security findings come from cloud assets, such as applications, hosts and containers. And in all, nearly 90% of all assets are cloud-based, JupiterOne’s report found.

That means that physical devices — including PCs, smartphones, routers and IoT devices — represent less than 10% of total devices within organizations, and they generate only about 3% of security findings, according to the report.

And yet, when it comes to security policies, cloud-specific policies constitute 28.8% of the total number, JupiterOne found.

Meanwhile, security data queries — which reveal what the security teams care most about — are also weighted toward physical devices rather than cloud, according to the report.

In other words, many organizations are still operating in the old mindset where there’s a lot of attention placed on securing physical assets, and not as much on other assets, Henry said.

“Security practitioners query devices and users far more often than policy, networks or findings,” she said. “This attention is not entirely misdirected, since people and physical devices create a ton of security risk. Still, the lack of attention toward data, policies and findings is concerning — especially since less than 8% of practitioner queries consider indirect relationships or blast radius.”

Third-party risk

The finding in the report that “chills me to the bone,” Henry said, is on the state of software supply chain risk.

The report found that 91.3% of code assets in the average organization are developed by a vendor or third party.

“That means we have not seen the end of software supply chain threats like Log4j,” she said. “Third-party code risk is a complex predicament with no easy solution, just some tactics for management such as mapping dependencies with knowledge graphs, SBOMs [software bill of materials] and vendor consolidation.”

Shift to the cloud

Adopting cloud services, resilient architectures and agile development lifecycles have created a cloud-dominant attack surface, Henry said.

“Traditional approaches to IT asset inventory do not capture the largest percentage of attack surface,” she said. “The state of cyber assets forces security to take a step back and rethink our approaches to everything, including skills pipeline, policy and best practices.”

In response to these realities, developers should be encouraged to rapidly decommission and reboot cloud assets — because long-lived cloud assets accrue security debt, Henry said.

“Above all, we must shift security conversations toward analytics, visualization and automation. There must be new approaches to training, upskilling, and operations,” she said.

Ultimately, the hope is that the data in the report “helps my peers navigate difficult conversations and decisions about risk in a cloud-native landscape,” Henry said.