2018 SURVEY: THE STATE OF ENTERPRISE IT INFRASTRUCTURE & SECURITY


Post on 19-Jul-2020


INTRODUCTION

A common misconception is that today’s enterprises are primarily in the cloud, but in reality, cloud and SaaS represent a small percentage of companies’ overall IT infrastructure. Instead, enterprises tend to have a much more complex IT architecture, with most deploying a hybrid of cloud, SaaS and on-premises models. But regardless of their infrastructure, these organizations are increasingly at risk for breaches of sensitive information: their own, their partners’ and their customers’ data.

Hackers and other bad actors will do whatever they can to gain access to the data goldmine that enterprises sit on, and these events have serious, long-term repercussions for businesses. Security is top-of-mind for most organizations—as well as the number 1 reason for the slow adoption of cloud and SaaS—and organizations are prioritizing security approaches to prevent such attacks, following a year that was overwhelmingly defined by data breaches.

But the critical question remains: Are enterprises implementing the right security strategies to protect personally identifiable data across their hybrid infrastructure?

Ping Identity surveyed more than 300 large enterprise IT and security professionals across the U.S. to explore the nature of enterprise IT infrastructures and what companies are doing in response to the current data breach climate. The report examines the strategies enterprises deploy, which ones they view as most effective in guarding against breaches of sensitive information—and the price organizations pay when they find themselves victimized.

KEY DATA FINDINGS

• Only 21% of IT/security professionals say that more than one half of their IT infrastructure is hosted in the public cloud and 15% say more than one half is comprised of SaaS applications.

• Security was cited as the No. 1 barrier to cloud and SaaS adoption, with 43% of respondents saying it’s the biggest barrier to cloud adoption and 37% saying it’s the biggest barrier to SaaS adoption.

• More than one quarter (27%) of respondents’ organizations have experienced a breach of customer identity data stored in a public cloud, on-premises or in a SaaS application provider’s cloud. Many faced damaging repercussions, like a lawsuit filed against their company (41%) or a legal investigation (29%).

• Nearly three-quarters of respondents (71%) say their organizations are spending more on protecting customer identity data now as compared with 12 months ago; just one percent say spend has decreased.

• Respondents say that multi-factor authentication is the No. 1 most effective security control their organization uses to protect identity data. It’s also among the most common technologies in place; more than 90% view it as effective and more than one half use it.

• More than 80% of respondents say that identity federation (single sign-on), role- or attribute-based policies, and biometric authentication are largely effective to protect access to identity data in public clouds. Despite this, adoption rates are low: only 34%, 38% and 22%, respectively.


Barriers to Cloud and SaaS Adoption

KEY TAKEAWAY

Contrary to popular belief, enterprise IT infrastructure is not largely hosted in the public cloud, nor is it SaaS based. In fact, the majority of respondents say less than one half of their IT infrastructure is hosted in such environments. Respondents share that security is the biggest adoption barrier for both, suggesting enterprises must first address these challenges before looking to expand into cloud or SaaS environments. As enterprises grow, security becomes an even greater barrier to cloud adoption.

SUPPORTING DATA

• 21% say more than one half of their IT infrastructure is hosted in a public cloud; 63% say less than one half is hosted in a public cloud. (Figure 1)

• 43% say security is the biggest barrier to cloud adoption, followed by budget (17%), application complexity (14%), compliance (11%), talent shortages (9%) and authenticating users (6%).

• 47% of companies with 10,000+ employees say security is the biggest barrier, compared with 37% of companies with 5,000-9,999 employees.

• 15% say more than one half of their organization’s applications are SaaS based; 63% say less than one half are SaaS based.

• 37% say security is the biggest barrier to SaaS adoption, followed by budget (22%), on-premises integration complexity (17%), compliance (15%) and IAM/user authentication (9%).

Figure 1: Percent of IT infrastructure hosted in a public cloud (bar chart of responses in bands from 0% to 90-100%, plus “Not sure”).


Business Impact of Breach

KEY TAKEAWAY

Security concerns are clearly warranted; more than one quarter of enterprises surveyed have already experienced a data breach. Many suffered lost money and customers, while some faced less obvious repercussions, like lawsuits and legal investigations. This shows the damaging, long-term and sometimes intangible effects of privacy breaches involving customer data.

SUPPORTING DATA

• Of the 27% of respondents who said their company had experienced a breach, 50% experienced one breach, 29% experienced two breaches and 20% experienced three or more breaches.

• More than one third (34%) said the breach cost their organization between $3 million and $10 million; 15% said it cost their organization over $10 million. (Figure 2)

• Nearly three quarters (74%) said fewer than one half of their customers were impacted by the breach. Only 17% said more than one half of their customers were impacted.

• As a result of a breach:

  • 41% said their company was sued

  • 40% said they received negative press

  • 36% said they lost customers

  • 36% said employees were fired

  • 29% said their company was under investigation

Figure 2: How much did this breach cost your organization?

  • Less than $1 million: 16%

  • $1 million - $3 million: 27%

  • $3 million - $5 million: 21%

  • $5 million - $10 million: 13%

  • $10 million - $25 million: 5%

  • $25 million or more: 10%

  • Not sure: 9%


Enterprises Investing in Security

KEY TAKEAWAY

With the prevalence of recent breaches and privacy incidents, enterprises are prioritizing the protection of their customers’ personally identifiable information (PII). Investment in this area has increased substantially over a 12-month period (May 2017 to May 2018).

SUPPORTING DATA

• 71% said spending on customer identity data protection has increased in the last 12 months. (Figure 3)

• 28% are spending the same amount on customer identity data protection today as they were 12 months ago.

Figure 3: Change in the percent of spend on protecting customer identity data and access security

  • Increased substantially: 27%

  • Increased slightly: 44%

  • No change: 28%

  • Decreased slightly: 1%

  • Decreased substantially: 0%


What’s in Use vs. What’s Working

KEY TAKEAWAY

Enterprises say that multi-factor authentication is the most effective security control to protect identity data. In addition, IT/security professionals see identity federation (single sign-on) and biometric authentication as two of the top five most effective security controls, but these technologies have a relatively low adoption rate among their organizations (less than 38%).

SUPPORTING DATA

WHAT ENTERPRISES USE

• These are the most commonly used security controls to protect access to identity data stored in a public cloud and on-premises, and the percentage of respondents who use them (Figure 4):

  Public cloud:

  • Encryption (65%)

  • Multi-factor authentication (60%)

  • Standard technologies such as firewalls, IDS, IPS (57%)

  • Compliance adherence (48%)

  On-premises:

  • Encryption (67%)

  • Standard technologies such as firewalls, IDS, IPS (57%)

  • Multi-factor authentication (54%)

  • Compliance adherence (50%)

• Identity federation (single sign-on) and biometric authentication to protect access to identity are experiencing low adoption (Figure 4).

  Public cloud:

  • Identity federation (34%)

  • Biometric authentication (22%)

  On-premises:

  • Identity federation (36%)

  • Biometric authentication (28%)

Figure 4: What are key security controls your organization has in place to protect access to stored identity data?

  • Encryption: 67% on-premises, 65% public cloud

  • Multi-factor authentication: 54% on-premises, 60% public cloud

  • Standard technologies: 57% on-premises, 57% public cloud

  • Compliance adherence: 50% on-premises, 48% public cloud

  • Role or attribute based policies: 45% on-premises, 38% public cloud

  • User and device contextual policies: 38% on-premises, 36% public cloud

  • Identity federation (SSO): 36% on-premises, 34% public cloud

  • Biometric authentication: 28% on-premises, 22% public cloud

  • Other: 0% on-premises, 2% public cloud

  • None: 4% on-premises, 5% public cloud


WHAT ENTERPRISES CONSIDER MOST EFFECTIVE

• Companies that store identity data in a public cloud or on-premises agree that multi-factor authentication, encryption, single sign-on and biometric authentication are the most effective controls to protect access to such data.

• Respondents ranked the following security controls in place as either effective or very effective:

  Public cloud (Figure 5):

  • MFA (90%)

  • Encryption (87%)

  • Identity federation (single sign-on) (86%)

  • Biometric authentication (86%)

  • Standard technologies, such as firewalls, IDS, IPS (86%)

  On-premises (Figure 6):

  • MFA (97%)

  • Encryption (93%)

  • Biometric authentication (92%)

  • Standard technologies, such as firewalls, IDS, IPS (89%)

  • Identity federation (single sign-on) (87%)

Figure 5: How effective are the key controls your organization has in place to protect identity data stored in a public cloud? (Stacked bar chart of “Effective” and “Very effective” ratings for each control.)

Figure 6: How effective are the key controls your organization has in place to protect identity data stored on-premises? (Stacked bar chart of “Effective” and “Very effective” ratings for each control.)

CONCLUSION

With security being the biggest barrier to cloud and SaaS adoption, IT leaders know where to focus their agendas if they want to enable a more flexible, hybrid IT infrastructure. While enterprise investment in security has increased in the past year and IT professionals understand what technologies they should employ to protect data, they aren’t relying on these controls as much as others they consider less effective. This is perhaps because identity federation can be complex to implement if the chosen solution is not architected for hybrid IT environments, whereas deploying MFA is often simpler. Biometric authentication is still an emerging technology and therefore may not be as commonplace as more established security controls.

In an increasingly heated regulatory environment with more pressure than ever for companies to protect identity data, enterprises must be strategic in how they prioritize and deploy security controls. Failing to do so puts them at risk of losing the trust of their customers, lawsuits, management shake-ups and costly regulatory penalties.

To learn more about how identity and access management can help you protect identity data, visit pingidentity.com.

METHODOLOGY

Ping Identity commissioned MarketCube to conduct a survey of 301 U.S. IT or security professionals at enterprises with 5,000 or more employees. The survey was conducted online between May 17 and May 24, 2018. The margin of error is plus or minus 5.6 percentage points.

Ping Identity envisions a digital world powered by intelligent identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity Platform provides customers, employees and partners with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft, Amazon and Google. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com.

Copyright ©2019 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, their respective product marks, the Ping Identity trademark logo, and IDENTIFY are trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.

#3382 | 01.19 | v005