Cloud Offensive Security: 2023 Insights From the Ponemon Institute
In a groundbreaking study conducted with the Ponemon Institute, "2023 The State of Offensive Security: Creating a Blueprint for Success," we set out to identify and analyze the types of offensive security testing that mature security organizations use to achieve stronger security postures.
Overall, 52% of respondents reported that offensive security is an important part of hardening defenses, underscoring the value of a proactive approach to cybersecurity. But as cloud environments become a necessary part of the technology stack for countless organizations, it was only natural to zero in on cloud security as a key component of the study and learn how mature security programs use offensive security to protect their cloud environments.
In this blog post, we highlight findings from all 664 participating IT and security practitioners, with a deeper dive into the 43% (285 respondents) who actively conduct cloud security testing, to show why cloud security testing matters, what drives it, and how it contributes to building mature security programs now and in the future.
Research Findings: Cloud Offensive Security
Many aspects of the threat landscape are driving investment in offensive security testing, but according to respondents, cloud migration (41%) was second only to new technology adoption as a driver.
In fact, across the surveyed industries, cloud migration was the primary motivation behind offensive security testing in Financial Services (46%) and Technology and Software (45%). Industrial and Manufacturing followed closely, with 42% of respondents citing cloud migration as a driver, and Healthcare and Pharmaceutical was not far behind at 37%.
Furthermore, increased cloud adoption expands the cloud attack surface, and cloud vulnerabilities are rising with it. Mature security programs use offensive security testing to keep pace with adversaries targeting their cloud environments. According to the survey results below, respondents rank cloud vulnerabilities among the top three threats to enterprises, which both drives and justifies spend on offensive security testing.
While cloud security testing is used less often (43%) than other types of offensive security testing such as red teaming (64%), application security testing (54%), and penetration testing of internal and external networks (47%), respondents rated it the most effective type of offensive security testing for improving resilience, giving it the highest effectiveness rating (57%) of any category.
Now that we have seen the role cloud security plays in mature security programs, let's look at how cloud environments are actually tested. Penetration testing, a classic offensive security technique, is the clear leader at 59%, followed by threat analysis (41%), cloud configuration review (38%), and assumed-breach scenarios (27%).
Tools like CloudFox (built by Bishop Fox's Seth Art, Principal, and Carlos Vendramini, former Fox) help cloud penetration testers and offensive security professionals find exploitable attack paths in cloud infrastructure. Seth's recently released sandbox, CloudFoxable, takes this a step further: an intentionally vulnerable AWS environment built specifically to teach the art of cloud hacking using the CloudFox tool.
Watch the video below for insights into how the CloudFox tool works.
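To make the "cloud configuration review" and "attack path" categories above concrete, here is an added example (written for this post; it is not CloudFox code or output) that reviews AWS IAM policy documents offline and flags grants that commonly become privilege-escalation paths. The sample policies and the list of risky action combinations are constructed assumptions for illustration, not findings from the survey or from any real environment.

```python
"""Offline IAM policy review: flag Allow grants that commonly turn into
privilege-escalation attack paths. Added example, not CloudFox code."""
import fnmatch
import json

# Action combinations worth a reviewer's attention. This list is an
# assumption for the example, not an exhaustive or authoritative catalogue.
RISKY_COMBINATIONS = {
    "admin": {"*"},
    "create-user-access-key": {"iam:CreateAccessKey"},
    "attach-policy": {"iam:AttachUserPolicy"},
    "passrole-to-lambda": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction",
    },
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Collect the action patterns granted by Allow statements.

    Caveat: Deny statements, Condition blocks and Resource scoping are
    ignored, so hits are leads for a human reviewer, not proof of
    exploitability. An Allow with NotAction is treated as a wildcard grant.
    """
    patterns = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            patterns.add("*")
        for action in _as_list(statement.get("Action")):
            patterns.add(action)
    return patterns


def is_granted(patterns, action):
    """True if any granted pattern (IAM '*' wildcards, case-insensitive) covers action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def review_policy(policy):
    """Return the sorted names of risky combinations fully granted by the policy."""
    patterns = allowed_action_patterns(policy)
    return sorted(
        name for name, needed in RISKY_COMBINATIONS.items()
        if all(is_granted(patterns, action) for action in needed)
    )


def review_policies(named_policies):
    """Review a mapping of policy name -> policy document."""
    return {name: review_policy(doc) for name, doc in named_policies.items()}


# Constructed sample policies (not from any real account).
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

DEV_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
   {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
""")

READONLY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": "arn:aws:s3:::example-bucket"}]}
""")

SAMPLE_POLICIES = {
    "admin": ADMIN_POLICY,
    "lambda-dev": DEV_POLICY,
    "readonly": READONLY_POLICY,
}

if __name__ == "__main__":
    for name, findings in review_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'no risky grants detected'}")
```

The "lambda-dev" policy looks harmless at a glance but grants iam:PassRole together with lambda:CreateFunction and lambda:InvokeFunction, which is the kind of chain an attacker uses to run code as a more privileged role; a review that only looks for `"Action": "*"` would miss it. Because the script ignores Deny statements, Conditions and resource scoping, treat its output as a starting list for the tester to verify, not as a final finding.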
The Ponemon research shows that cloud security testing delivers measurable ROI for organizations with mature security programs. So it is not surprising that 60% of respondents expect significant or moderate increases in cloud security testing investment over the next one to two years.
Offensive cloud security testing lets you see your cloud environment through the lens of an attacker. The most mature security programs are proving that there is no reason to wait for adversaries to find exploitable attack paths in cloud environments; instead, they are taking the initiative and investing in ways to outpace attackers.
For more information on how cloud penetration testing works, download our guide. We've also put together the top 50 questions every organization should ask an offensive security provider to help guide your investment decisions.