SUSE has released findings from its latest report “Securing the Cloud,” which sheds light on the pressing challenges faced by IT teams in securing cloud environments and offers insights into effective solutions.
Cloud security fear is growing and a top priority: The survey found IT decision makers have experienced, on average, four cloud-related security incidents in the past year, going up to five for those in the U.S. and down to three for those in Europe. This contributes to concerns about security holding back cloud technologies, as 88% of professionals agreed that if they were certain about the integrity of their data, they would be more inclined to migrate additional workloads to the cloud and edge.
- Data stores as top cloud security concern: 31% of respondents named data stores hosted by cloud or third parties as their top cloud security concern.
- Strong secondary concerns: Two categories follow closely behind data stores as secondary concerns, at 29% each: runtime attacks from threat actors, and security policy management, federation and automation.
- U.S. vs. European cloud security priorities: U.S. IT decision makers (35%) are significantly more likely than those in Europe (25%) to believe that security policy management, federation and automation are among their biggest cloud security concerns.
Cloud native security accounts for over a third of overall IT budgets: On average, those surveyed said they spend just over a third (36%) of their overall IT budget on cloud native security. This is significantly higher for U.S. (42%) than European (33%) respondents.
In terms of current cloud security practices, both security automation and container firewalls are widely adopted, each accounting for 38% of overall usage. These are followed by security policies and management tools provided by cloud vendors at 36% and security policy automation at 34%. Several cloud security practices are significantly more popular among IT decision makers based in the U.S. than among their counterparts in Europe. These practices include CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform) and CNAPP (Cloud Native Application Protection Platform) solutions, which are favored by 42% of U.S.-based decision makers compared to 26% in Europe.
Similarly, the usage of free or paid observability or security tools is higher among U.S. decision makers (33%) than among those in Europe (24%). The same trend can be observed for PSP (Pod Security Policy) or PSA (Pod Security Admission) policies (31% versus 22%), Kubernetes network policies (32% versus 15%), and free or paid CVE (Common Vulnerabilities and Exposures) scanners (26% versus 18%).
Qualitative feedback from respondents highlighted that open source software carries key benefits: capturing developer attention and harnessing the openness of the code plus the collective wisdom to identify potential security vulnerabilities.
Source-code auditability will emerge as a next battleground: In the coming years, a significant portion of IT decision makers (33%) foresee increased re-evaluation and prioritization of goals related to source-code auditability, the process of running tests and manually inspecting the codebase to detect bugs. Meanwhile, 30% will prioritize build quality and 28% of respondents will prioritize SBOM depth/quality/security.
When comparing respondents based in the U.S. and Europe, it is evident that U.S. respondents will place a higher priority on source-code auditability (45%) and SBOM depth/quality/security (36%) to ensure businesses meet supply chain security goals. In comparison, Germany and the U.K. are falling behind in terms of source-code auditing priorities (just 23% and 26%, respectively), and spend less on cloud native security. On the other hand, European participants (40%) are significantly more likely to anticipate a re-evaluation of goals on build quality compared to their U.S. counterparts (15%).
Based on comprehensive polling of 501 C-suite to IT professionals across the United States, Germany and the United Kingdom, the report highlights the state of cloud native adoption, major security concerns, and how to address them.