What's the Current State of Cloud in 2023?

Few things are more inevitable in this world than taxes and world domination by cloud. It's like an avalanche that seems so far away you think you have enough time outrun it, only to have it catch up to you in the blink of an eye. And with cloud, unless you can fight your way to the surface, you're just going to get dragged under like everyone else not paying attention.

‍

On that dramatic note, what is the state of cloud in 2023? How are companies responding to the continuous stream of new services and features? Who is using more than one cloud provider, and how advanced is their cloud strategy? Perhaps most importantly, what are the latest risks to your cloud infrastructure, and the best strategies to mitigate them?

‍

This article explores the growing complexity of a world powered by cloud, and how leaders are learning to grapple with the biggest challenges ahead.

‍

Why is cloud so important for your company's bottom line?

‍

As we get more entrenched in an economy reliant on cloud, it becomes increasingly clear that cloud isn't simply a tool for enhancing convenience or streamlining workflows. It's a virtual infrastructure companies can use to drive massive business growth, manage customer needs, and transform their lumbering on-prem infrastructure into one built for efficiency.

‍

Whether it's reducing the risk of a single point of failure by adopting multi-cloud strategy, or using the growing constellation of cloud services to closely manage massive quantities of data from anywhere on the globe.

‍

But according to a recent report, only 27% of leaders say their cloud initiatives are driving customer value. But cloud was supposed to help developers build and iterate on solutions faster, relieve operational burdens, and reduce costs across the board. So how is this possible?

‍

The answer might have to do with the cloud strategy these companies adopt. Or in the case of the other 73%, a lack thereof.

‍

Are you leaving precious cloud wins on the table?

‍

More than rapid cloud adoption, or all the brand-new bells and whistles offered by the likes of AWS and Azure (1500+ updates to AWS in 2023 alone!), it's your organisation's cloud strategy that determines what you get out of it.

‍

As it turns out, most organisations don't think too deeply about their long-term goals and desired outcomes for adopting cloud. Instead, they focus on the short-term goal of simply migrating all their data to the cloud because everyone else is doing it.

‍

Just look at how much cloud spending has been going up in recent years: between Q3 2021 to Q3 2022, revenue across the three biggest cloud providers (AWS, Azure, and GCP) increased by at least 20%. Companies are diving headlong into cloud adoption now more than ever. But most of them seem to be doing so without a concrete implementation strategy.

‍

Here's what ends up happening: companies spend all these resources migrating to the cloud, but with a half-baked strategy which leads to them not seeing customer value from it. As a result, they don't fully embrace it, leaving them in a limbo state with some critical infrastructure in the cloud, but not all of it. Now they're stuck with all the inefficiencies of on-prem, with none of the benefits of cloud.

‍

Solving this chicken-and-egg problem requires closely examining some important questions:

‍

• What long-term objectives are you trying to achieve by adopting cloud?
• How prepared is your team for a cloud-centric workflow?
• What security policies and practices do you have in place?

‍

It's not enough to simply migrate your data to the cloud. 94% of organisations are already doing it, and of those 44% adopt the latest services as soon as they come out. The real challenge—and value—is in realising a positive business outcome for your organisation.

‍

For that to happen, you need to formulate a long-term plan on how to securely store and use that data, capitalise on it to better deliver solutions to customers, and improve performance and measurement of cloud systems.

‍

Cloud maturity: are you training your teams?

‍

A key determining factor of the maturity of your cloud program is how prepared your teams are for the transition.

‍

While it might seem tempting to simply go the 'easy' route and hire experienced cloud talent, this path often ends up being much more expensive and far less effective overall. For a real transformation, the culture across the organisation needs to be geared towards cloud.

‍

This calls for training your entire workforce in line with your cloud strategy, whether it's aligning them to your security policies, or helping them respond to customer needs over the new interface. This extends even to your non-technical staff, who'll also be using these cloud services on a daily basis.

‍

The biggest motivation for employees to get invested in training is progressing their career. Contrary to popular belief, employees are far more likely to stay at your organisation if they get opportunities to improves their skills.

‍

The major point to note here is that upskilling needs to be ultra-focused towards helping your teams solve real-world problems relevant to their roles. That equates to practical, hands-on training instead of theoretical lectures that pass on knowledge rather than skills.

‍

The flip side is forcing employees to take training that doesn't directly improve their job performance can actively hurt their productivity and interest levels. It's a delicate balance, but a very important one.

‍

You also need to take feedback from your teams about the training to understand what's working and what isn't. This information will prove crucial in refining your training strategy as your team's cloud maturity improves.

‍

Get our free ebook: Train Your Teams to Fly — a strategy guide to train your team with maximum ROI.

‍

‍

What's the deal with multicloud?

‍

The omnipresence of cloud has also given rise to a new phenomenon — multicloud workloads. Around 65% of companies globally operate within multicloud environments, using 2 or more cloud providers. The 'Big 3'—AWS, Azure, and GCP—naturally take up the lion's share of these workloads.

‍

Interestingly enough, most companies tend to rely heavily on a single cloud provider: 8 out of 10 companies have 80% of their workloads on a single cloud provider. But even that is changing as organisations continue to spread their eggs among multiple baskets.

‍

The advantages are obvious: they can pick and choose the best services offered by different cloud providers; they aren't locked down to a specific provider in case of an outage; it gives them immense flexibility at the department, team, or project level.

‍

But the risks cannot be understated, either. Only around 9% of leaders report they have extensive experience with more than one cloud provider. Moreover, interoperability between cloud infrastructures can introduce a plethora of security weak points that. Without the requisite cloud talent on your team, these security risks can compound to insurmountable levels.

‍

If your company has or is looking to adopt a multicloud approach, you need to ensure your team is equipped with the skills required to build it securely. Learn more about how to train them with AppSecEngineer's courses in AWS security, Azure security, and GCP security.

‍

Biggest cloud security risks in 2023 & beyond

‍

The kind of security threats companies face in the cloud is constantly changing, and as cloud infrastructure grows more complex, their threat surfaces continue to evolve. There's no 'right' answer, and what is considered a minor issue today might grow to become an existential threat in a matter of months. Acknowledging this, we can highlight broad patterns in cloud security risks that are relevant in 2023 and beyond.

‍

1. Misconfigured cloud services
   
   Cloud misconfigurations are consistently the biggest threat vector to your cloud applications, and they stem from—surprise, surprise—human error and negligence. Misconfigurations occur when, say, a cloud engineer improperly configures a critical cloud service thereby giving attackers unauthorised access to their resources.
   
   The most recent example of this was the massive Microsoft Azure leak from September 18, where a misconfigured Azure Blob storage bucket resulted in 38 TB of highly sensitive internal data being leaked to the public.
   
   
2. Multicloud security
   A uniquely recent phenomenon, multicloud's rise in popularity is an equal cause for concern with regard to security. Given how less than 10% of companies have expertise in more than one cloud provider, this leaves the doors wide open for all kinds of security weaknesses popping up in multicloud environments.
   
   The biggest challenge for companies in this space is acquiring the skills to securely deploy and manage apps and services on multicloud infrastructure.
   
   AppSecEngineer has a massive library of hands-on security trainings for the big 3: AWS, Azure, and GCP. We also have a growing list of Challenges in cloud security as well.
   
   
3. Insecure interfaces and APIs
   
   APIs offer enormous convenience by allowing various applications, services, and clients to communicate with each other and share information. Unfortunately, they're also highly susceptible to all manner of vulnerabilities including Broken Object-Level Authorisation (BOLA), injection, lack of rate limiting, etc. In 2022, APIs were one of, if not the top attack vector for web and cloud applications.
   
   Organisations need to not only configure their APIs to be more secure, but closely monitor and log the traffic that passes through their APIs in order to rapidly respond to security incidents.
   
   
4. Insufficient identity and access management (IAM)
   
   Similar to security misconfigurations, IAM flaws can often be chalked up to human error. Access controls are a tricky thing to get right, but between insufficient authentication methods, long-lived credentials, and giving users too many permissions, there are a ton of highly avoidable mistakes you might be making.
   
   Follow security best practices for IAM, implement multi-factor authentication (MFA), use a trusted identity provider instead of relying on passwords, and you'll see a dramatic improvement in the state of your access controls.
   
   
5. Unpatched web services
   
   Given the size and complexity of modern web and cloud-native apps, it should come as no surprise that among all the web services they use, a few would not be patched. This would expose them to the internet and leave them accessible to attackers, who'd be able to perform remote execution attacks, among others. This would be especially dangerous if the service is web-facing, that is, accessible from outside the network.

‍