When cloud adoption first began, many companies started their cloud journey by using the Infrastructure-as-a-Service offerings from CSPs, the upside being that they were happy with the level of control they had over the infrastructure. With time, adopters began realizing that maintaining their cloud infrastructure was getting too complex and time-consuming, which led to a shift to Platform-as-a-Service (PaaS) offerings. Along the way, CSPs enhanced their PaaS offerings to make them more reliable, feature-rich and simpler to operate and integrate with and, therefore, more attractive to their customers.

But by using a PaaS offering, businesses have not outsourced the responsibility to secure their data to the CSP. Companies’ CloudOps and DevOps teams are responsible for configuring all elements of any cloud service securely so they avoid exposing their company’s data to threats. And that’s where businesses are struggling today.

Companies are asking questions like: “Have I configured the security tools provided by my CSP correctly?” “Do I have any gaps in my identity and access management processes?” “Are my cloud-based storage containers configured properly so that only legitimate access is allowed?” “Am I properly integrating security into my continuous integration/continuous delivery pipelines?” These questions can be difficult to answer if security best practices are not included in every step of the development life cycle.

In addition, skilled professionals who have knowledge across CSPs are hard to find and retain, which presents challenges to properly running, securing and maintaining critical cloud assets. During the past year, we have seen attackers targeting supply chains, which are out of businesses’ direct control. Many businesses struggle to keep up with visibility into who is accessing their cloud infrastructure, what kinds of permissions users have and what misconfigurations exist in their cloud environment.