2019 Cloud Security Report

As organizations migrate more and more of their data and operations to the cloud, they must
ensure that they maintain a robust cybersecurity posture. However, frequent breaches in the
news seem to suggest that many companies are not prioritizing security to the degree that
they should. To uncover the state of enterprise security in the cloud, Bitglass partnered with a
leading cybersecurity community and surveyed IT professionals.
 Awesome Mix 2019
Organizations’ leading cloud priorities have shifted over the past year. While defending against malware has ascended to the
top spot, discovering unmanaged apps in use has fallen to number six. Despite a change in their order, the top three priorities
from 2018 are each still in the top three in 2019. Finally, it is concerning that securing mobile devices isn’t a higher priority in
light of recent Bitglass research which found that 85% of companies now enable bring your own device (BYOD).

v o l . 1
m e m i x
A w e s o 2018
2019
p s i n use
jor a p l i ance
g m a c o m p
rin latory ware
1. Secu r e g u
r e 2 . R e a ching
a g a i n st mal pps
malwa a
a i n s t n c e . d e f ending unmanaged
ing ag 3
f e n d o r y c omplia d i s c o v ering d e vices a t ions
.1 D e u l a t 4 . b i l e i g u r
a c h i n g reg p p s i n use rations s e c u r ing mo oud misconf
2. Re 5. l
n g m ajor a misconfigu e v e n ting c
r i d 6. p r
3. Secu nting clou vices
ve de
4. pre ing mobile g e d apps
c u r a n a
5. se r i n g unm
ov e
6. disc
 Security in the Skies
67% of respondents believe cloud apps are as secure or more secure than on-premises apps—this is significantly
higher than the 40% recorded in 2015. Despite this, 93% of respondents are at least moderately concerned about
the security of the cloud. In other words, organizations know the cloud itself is highly safe, but are wrestling with
their responsibility to use it securely.

How concerned are you about When compared to on-prem apps,

the security of the cloud: public cloud apps are:

3%
4%

18%
Not Concerned 33% 32%
38%
Slightly Concerned
Moderately Concerned
Very Concerned
Extremely Concerned

37% 35%
 A Galaxy in Need of Saving
Organizations are moving workloads and data into the cloud, granting them greater productivity and flexibility, but
increasing the likelihood of data leakage where proper security is not employed. As 45% of respondents store customer
data in the cloud, 42% store employee data in the cloud, and 24% store intellectual property in the cloud, adopting the
appropriate security measures is clearly critical.

What type of corporate data do you store in the cloud?

80

70

60 63%

50
45%
40 42%
38% 38%
30 33%
30%
20 24%
18%
10

0 5%
l

es

er
ai

rt
at

at

at

at

at

io

th
ic
Em

pe

at
D

lD
vo

O
rm
ro
er

ee

ps

ia
In
tin

lP
m

oy

fo
nc
&
to

ke
ev

In
ua
pl

na
ts
us

ar
D
Em

lth
ct
Fi
ac
C

lle

ea
tr

te
&

on

te
ra

H
s

In
po
C
le
Sa

or
C
 Weapons Systems
Access control (52%) and anti-malware (46%) are the most-used cloud security capabilities. However, these and others—like single
sign-on (26%) and data loss prevention (20%)—are still not deployed often enough. Additionally, as 66% of respondents said that
traditional security tools don’t work or have limited functionality in the cloud, adopting appropriate cloud security solutions becomes
even more critical. Fortunately, cloud access security brokers (CASBs) can provide many of these essential capabilities.

What security capabilities have you deployed in the cloud?

60

50 52%
46%
40

34%
30
30%
26% 25%
20 22% 22%
20% 19% 18%
10

n
ol

AC

FA

en
rit
ar

tio
tio

tio

tio
tr

M
-
N
w

em
cu
on

gn

en
ec

ec
yp
al

Se
C

Si

ag
ot

et
ev
cr
M

ls
ss

D
Pr
En
ti-

al

Pr

an
le

nt
ce

at
ng
An

oi

M
ss
re

ifi

re
Ac

dp
Si

Lo

g
Fi

ec

Th
Lo
En

a
Sp

al
at
p-

or
D
Ap

vi
ha
Be
Knowhere Your Data is Going
Despite a slight increase since last year, a mere 20% of organizations have visibility over cross-app anomalous
behavior. This is a critical requirement as only 25% of survey respondents are “single cloud” today. Unfortunately,
corporate visibility over every other category decreased since 2018. This may be due to the growing number of cloud
apps and personal devices over which IT struggles to gain visibility.

While the high percentage of organizations that have visibility into user logins (69%) suggests that the first step of
cloud security (identity management) has been taken, many organizations still lack visibility and control over what
happens after authentication.

What do you have visibility into in the cloud?

2019 2018
69% User 78%
Logins

57% File 58%

Downloads

55% File 56%

Uploads

External
40% Sharing
44%

DLP Policy
38% Violations
46%

Shadow IT
35% Usage No Data
Cross-App
20% Anomalous 15%
Behavior

80% 60% 40% 20% 0 0 20% 40% 60% 80%

 Holes in the Hull
Since 2018, malware has emerged as the most concerning data leakage vector; it was selected by 27% of
respondents. Conversely, unsanctioned cloud apps falling from 12% to 5% shows that organizations are becoming
aware that there are data leakage threats greater than shadow IT.

Concerns about app infrastructure fell from 21% in 2018 to 9% in 2019. At the same time, misconfigurations
ascended from the middle of the pack (12%) to third place (20%). These stats highlight the growing awareness that
the cloud itself is highly secure, but that organizations must use it in a safe fashion.

Which data leakage vector is most concerning

for your organization?
2019 2018
27% Malware 14%

21% Compromised 21%

Accounts

20% Mis- 12%

configurations
App
9% Infrastructure 21%
Vulnerabilities
Unmanaged
8% Devices
11%

Unsecured
7% WiFi
3%

Unsanctioned
5% Cloud Apps 12%

3% Other 7%

30% 25% 20% 15% 10% 0 0 10% 15% 20% 25% 30%
 Defenses at the Ready
Successfully defending against malware requires organizations to utilize a three-pronged strategy that encompasses
devices (endpoint protection), the corporate network (secure web gateways), and the cloud. While a few cloud apps
provide some built-in malware protections, most do not. As such, a combination of tools is necessary. Fortunately the
use of CASBs for malware protection has increased from 20% in 2018 to 31% today.

The use of agents to secure personal devices (which violates employee privacy and creates deployment challenges),
decreased from 38% in 2018 to 30% in 2019. Blocking personal device access to corporate data (which hinders
employee efficiency and flexibility), increased from 21% to 27%.

What anti-malware tools does your How does your firm secure corporate
firm use to secure cloud data? cloud data on personal devices?
69% Endpoint Protection
6%
48% Native App Protections
10%
31% Cloud Access Security Brokers 30%
31% Secure Web Gateways

25% Other Third-Party ATP Solutions

9% None of the Above 27%

0 10 20 30 40 50 60 70

27%

Agent-Based Tools Like MDM

Block Personal Device Access to Data
Use a Trusted Devices Model
Grant Access to Any Device
Apply DLP at Upload or Download
Tools for Saving the Galaxy
Interestingly, cost is the leading concern for organizations evaluating cloud security providers. Other critical concerns
include ease of deployment (46%), whether the solution is cloud native (45%), the ease with which cross-cloud security
policies can be enforced (36%), and the solution’s ability to integrate with various cloud platforms (36%).

What do you look for in a cloud security provider?

55% Cost Effectiveness

46% Ease of Deployment

45% Cloud Native

36% Simple Cross-Cloud Policy Enforcement

36% Integration with Cloud Platforms

0 10 20 30 40 50 60
Wrap-Up
Maintaining a robust cybersecurity
posture is crucial in today’s
fast-paced world. Data is now
being stored in more cloud apps
and accessed by more devices
than ever before. While some
enterprises are prioritizing cloud
security, many still need to rethink
their approach to protecting
data. Fortunately, there are cloud
security solutions that can make
the task incredibly simple.

About Bitglass
Bitglass, the Next-Gen CASB company, is based in Silicon Valley with offices worldwide. The company’s cloud
Phone: (408) 337-0190 security solutions deliver zero-day, agentless, data and threat protection for any app, any device, anywhere.
Email: [email protected] Bitglass is backed by Tier 1 investors and was founded in 2013 by a team of industry veterans with a proven
track record of innovation and execution.
www.bitglass.com