The State of Cloud Infrastructure Governance 2017 Survey, commissioned by Fugue, a company specialising in Cloud Infrastructure Governance and Policy as Code, has revealed some very concerning statistics. The survey of more than 300 IT professionals, conducted by Propeller Insights in October 2017, revealed that the state of cloud infrastructure governance is extremely poor. In spite of an ever-increasing number of security breaches, 28 percent of IT professionals aren’t confident their cloud infrastructure is secure, 62 percent rely on manual reviews before infrastructure is provisioned, and 42 percent have no cloud infrastructure governance processes in place.
“The cloud has completely transformed IT. Infrastructure has been largely ‘abstracted away,’ but it’s still there, and it’s often ungoverned and insecure,” said Josh Stella, CEO of Fugue. “The cloud can be as secure—or even more secure—than traditional data centers. But relying on paper-based checklists and manual reviews doesn’t scale. Only automated solutions can keep up with the pace of change that is outstripping the human ability to govern infrastructure and operations.”
Cloud Infrastructure Governance Sorely Lacking
The vast majority of businesses are increasingly reliant on the cloud: 41 percent report managing multiple cloud-based systems with significant use in production; 23 percent are using cloud at scale with significant infrastructure automation; and another 24 percent are in the process of expanding their use, with some production workloads under limited use of infrastructure automation.
But when it comes to cloud infrastructure security, confidence is notably lacking: 25 percent of IT professionals are only “somewhat confident” that their infrastructure is secure against breaches. What’s more, 42 percent of organizations have no cloud infrastructure governance tools and processes in place, while 68 percent rely on paper-based checklists for infrastructure policies. 31% of application developers either don’t understand infrastructure risk or don’t know what to do to mitigate it.
When it comes to ensuring compliance for infrastructure provisioning and ongoing operations:
• 62 percent rely on manual reviews of infrastructure change
• 60 percent rely on manual remediation for policy violations and configuration drift
• 17 percent don’t validate compliance before infrastructure is provisioned
When breaches occur, it’s the C-suite who should be held accountable, according to the IT professionals surveyed. When asked who should be held accountable when a data breach occurs, nearly half (47 percent) of IT professionals said the CEO, followed by:
• CIO — 32 percent
• VP of Cloud — 31 percent
• CTO — 23 percent
• Cloud Architect — 22 percent
True DevSecOps Collaboration Is Attainable
The number one reason IT professionals say their organizations haven’t fully implemented infrastructure governance is that security and compliance slow down innovation (55 percent).
Another 44 percent say they struggle to keep track of all the infrastructure they have running, and an equal number struggle to identify and respond to infrastructure risks. More than a third (39 percent) cite the lack of collaboration between security, compliance, and IT.
“Optimized infrastructure governance is attainable but not with manual reviews and remediation, which are slow and prone to error,” added Stella. “What companies need is a holistic solution like Fugue, where true DevSecOps collaboration is focused on infrastructure and policy-as-code libraries that are vended across the organization, and where the system that provisions is the same system that monitors and remediates drift and policy violations. This provides a single source of truth and trust for infrastructure state. And it means total visibility into cloud infrastructure. Organizations can now go fast, see everything, and get enterprise cloud right from the start—and ensure things stay that way.”