Securealities: 2nd Annual Penetration Risk Report 2019

Page 15

To examine what kind of effect our cloud provider data had on our overall dataset, we extracted those companies to compare:

Figure 6: High-risk vulnerabilities found by client size (Cloud service providers)

Figure 7: High-risk vulnerabilities found by client size (Enterprises)

As you can see, large cloud providers vastly skewed the overall risk level for large companies. Our year’s worth of data demonstrated that the largest cloud providers had what amounted to a fabulous security posture across their offerings, reducing high risks by almost 20%. Yet, even after extracting cloud providers from the dataset, midsized companies still show up as “worst” overall.

Comparing year-over-year data, we can see that nothing has actually happened to midsized companies – they are still afflicted with the same proportion of high risk as last year. But in 2019, large and small organizations got significantly better by comparison. Extending the cloud theory to these large and small companies led us to the following theories:

• Large cloud providers are highly invested in maintaining a strong security posture. Cloud security has been the top concern and barrier to entry for cloud solutions consistently, year after year; in a recent study, more than 70% of respondents cited security as a barrier to cloud solution or SaaS adoption.[3] Being secure is a top differentiator, and more cloud customers are looking to inherit cloud platform security tools. Their efforts and investments can be seen in this year’s data.

• Large enterprises that are not cloud providers have, as previously stated, been aggressively moving to the cloud. Less shy about leveraging cloud-native security controls and hyperscale cloud architectures, they are inheriting much of the security posture of their cloud providers. Their risk comes primarily in the form of maintaining their part of the shared responsibility model and securing their on-prem gear, which reflects why their risk is still not up to the “large cloud provider” par; however, they have more sophisticated staff to manage that risk than midsized enterprises.

[3] Ping Identity. “Ping Identity 2018 Survey: The State of Enterprise IT Infrastructure & Security.”
