More business-critical data is finding a new home in the public cloud, which 72% of organizations believe is more secure than their on-prem data centers. But the cloud is fraught with security challenges: Shadow IT, shared responsibility, and poor visibility put data at risk.
These insights come from the second annual "Oracle and KPMG Cloud Threat Report 2019," a deep dive into enterprise cloud security trends. Between 2018 and 2020, researchers predict the number of organizations with more than half of their data in the cloud to increase by a factor of 3.5.
"We're seeing, by and large, respondents are having a high degree of trust in the cloud," says Greg Jensen, senior principal director of security at Oracle. "From last year to this year, we saw an increase in this trust."
It's a definite shift from a time in the not-so-distant past when businesses felt the cloud was less secure than their on-prem data centers. Cloud services are no longer nice-to-have elements of IT; they handle core functions related to all aspects of business operations. Software-as-a-service (SaaS) applications, in use among 84% of respondents, help remove cost and complexity of on-prem infrastructure.
Organizations have begun to test business-critical services in the cloud in recent years, Jensen says. Within the past couple of years there has been a "tipping point" at which a large percentage of businesses are diving in. More than 70% of survey respondents say the majority of their cloud-based data is sensitive, an increase from 50% who said the same last year.
The rise of automation has contributed to a change in mindset and businesses' sense of safety, Jensen continues. And while the cloud brings several benefits, the expectation that it solves all problems is flawed. "Cloud does still take work," he adds, and does require human effort.
CISOs on the Cloud Security Sidelines
Most (82%) of respondents polled have experienced security events due to confusion in the shared responsibility model. It's not for lack of effort: Nintey-one percent have formal methodologies for cloud use; however, 71% think employees violate policies and lead to malware and data compromise.
While many cloud security providers offer native security controls, it's up to the organization to apply and manage those controls or ones offered by third parties. Researchers found the less customers are responsible for, the more confused they are about security responsibilities. For instance, 54% of respondents expressed confusion with how they should be securing SaaS, even though their responsibility is limited to two things: data and user access and identity.
People who should know about this responsibility are in the dark. Only 10% of CISOs polled fully understand the shared responsibility model, compared with 26% of CIOs who reported no confusion. Researchers attribute the gap to CISOs' lack of involvement in cloud services.
"CISOs are really one of the newer C-level roles of the cyber enterprise today, and they've struggled attaching themselves in more of a collaborative way," Jensen says. And while CISOs, CIOs, data privacy officers, and other executives should share responsibility to protect data, it's typically the person in charge of security who takes the fall when there's a major cyberattack.
Of course, it doesn't help when different cloud providers have different models. Eighty-nine percent of respondents say the varying models have been a "significant challenge," and 46% have had to dedicate one or more resources to it; 43% are managing with existing resources.
The Problems with Poor Visibility
Visibility remains the top cloud security challenge, report 38% of respondents. Thirty percent say they are challenged by the inability of existing network security controls to provide visibility into public cloud workloads. Jensen says this finding is consistent with 2017 findings.
"What we're seeing is this issue, very similar to last year, the No. 1 security challenge cloud organizations are dealing with is detecting and reacting to what we call security event telemetry in the cloud," he adds. Security teams' inability to detect and respond to events has been at the center of several high-profile data breaches, researchers note in the full report.
Only 12% of respondents can see more than 75% of security event data. Nineteen percent can analyze 61% to 75% of security data, and 27% (the highest percentage) can view 41% to 60%.
Third parties that have access to an organization's cloud data can drive risk. Business partners, supply chain partners, contractors, auditors, part-time employees, customers, and other individuals all use different devices and operate under different policies than full-time workers. Enterprise file sync-and-share (EFSS) services, one of the most common types of shadow IT applications, are often used to share data inside and outside organizations.
"There are challenges around how companies are losing control of their intellectual property," which increases their exposure to data breaches, says Jensen. About half (49%) of businesses were hit with malware due to third-party compromise; 46% reported unauthorized data access.
Shadow IT is a key driver of cloud security challenges. Most organizations report having a formal policy to review and approve cloud applications; however, 92% of this year's respondents are concerned those policies are being violated. Nearly 70% are aware of a "moderate or significant" amount of shadow IT apps in use, and 50% say the use of unsanctioned cloud apps has led to unauthorized access to corporate data.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.