A patchwork of tools, the presence of misconfigured services, and confusion around data security ownership in the cloud has created a crisis of confidence among IT security professionals that will only be fixed by organizations making security part of their business culture.
That’s a high-level summation of a recent cloud security report by consulting firm KPMG and database systems provider Oracle.
Data security is creating “fear and trust issues” for IT security professionals, according to the report, which is based on an online survey of 750 cyber security and IT professionals worldwide conducted by Enterprise Strategy Group in December 2019 and January 2020.
This concern is indicated by the fact that professionals are more concerned about the security of their company’s data than the security of their own homes. In fact, they are three times more concerned about the security of company financials and intellectual property than their home security.
While three quarters of the professionals surveyed view the public cloud as more secure than their organizations’ own data centers, a large majority (92%) do not think their organization is well prepared to secure public cloud services.
There’s clearly no lack of cyber security tools in place. A majority of the organizations surveyed (78%) are using more than 50 discrete cyber security products to address security issues, and 37% use more than 100 cyber security products.
However, this ends up being a patchwork of different products aimed at addressing data security concerns, and these systems are seldom configured correctly, the report noted. Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
The most common types of misconfigurations are over-privileged accounts (37%), exposed Web servers and other types of server workloads (35%), and lack of multi-factor authentication for access to key services (33%). About 60% of the organizations disclosed that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
Most of the IT professionals think too many specialized tools are needed to secure their public cloud footprint, and three quarters said their organization has experienced data loss from a cloud service more than once.
It’s clear that the cloud has become an essential component of many IT infrastructures. Nearly 90% of the organizations surveyed are using software-as-a-service (SaaS) and about three quarters are using infrastructure-as-a-service (IaaS). Half of all the organizations said they expect to move all their data to the cloud in the next two years.
But a key roadblock to success is figuring out who is responsible for which elements of security. Shared responsibility security models are causing confusion, the report, said, with only 8% of IT security executives saying they fully understand the shared responsibility security model.
To address increasing data security concerns and trust issues, the study said, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and working to constantly improve processes and technologies to help mitigate threats in an increasingly expanding digital world.
Strong cyber security leadership is vital to success, but 69% of organizations report that their CISO reactively responds and gets involved in public cloud projects only after a cyber security incident has already occurred.
Organizations appear to be making moves to enhance cloud security from within. About three quarters have or plan to hire a CISO with more cloud security skills; and more than half have added a new role called the business information security officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
A majority of the professionals surveyed (88%) feel that within the next three years most of their cloud environment will use intelligent and automated patching and updating to improve security. And 87% see artificial intelligence and machine learning capabilities as a “must-have” for new security purchases, in order to better protect against threats such as fraud, malware, and misconfigurations.
As the report concludes, cyber security has all too often been viewed as a tax on the business “and awkwardly but quite literally bolted on to projects already in production. The alarming cloud security readiness gap exposed in this year’s report reveals that today’s line-of-business-driven consumption of cloud services threatens to leave security considerations even further behind.”
The presence of threats such as phishing, malware, cyber fraud, and a range of misconfigured cloud services further stretch already challenged cyber security programs, it says. By taking the right steps, organizations can achieve the goals of leveraging cloud services for business agility and managing the associated risk.
