Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:35 PM
Connect Directly

As Businesses Rush to the Cloud, Security Teams Struggle to Keep Up

Most organizations have a gap between current and planned cloud usage and the maturity of their cloud security programs.

The continued shift to the cloud is driving challenges in preparedness, configuration management, and defending against new attack techniques. Businesses are rushing to move applications to the cloud, putting growing amounts of pressure on security teams to keep pace.

Trust in the public cloud continues to grow, researchers found in the "Oracle and KPMG Cloud Threat Report 2020." Forty percent of the 750 IT and security professionals surveyed view the public cloud as more secure than what they can deliver on-premises, marking a 13% year-over-year jump from the 2019 study. Most (88%) currently use public cloud infrastructure services.

When asked about consuming business-critical applications as a service, respondents cite, on average, a 9% increase over the next two years. The shift to software-as-a-service (SaaS) for these applications shows more people are growing comfortable with the security of cloud providers. Enterprise resource planning, customer relationship management, human capital management, and IT services management are among the applications undergoing the transition to cloud, researchers say.

"Many of our clients are at the point where they deployed their first set of important applications, like finance applications in the cloud, supply chain applications … a core set of three to five applications, and that's gone OK," says Steve Barlock, principal with KPMG. What's happening over the past six to 12 months is businesses that have seen early success want to start moving everything to the cloud. "We're seeing a problem of scale right now," he adds.

Survey data shows 92% of companies have a "cloud security readiness gap" between their current and planned cloud usage and the maturity of their cloud security programs. More than 40% report a wide gap, while 48% say the gap is moderate. The space is created when cloud services and applications are consumed by business units outside the scope of IT and security teams. As the security pros try to catch up, their efforts are perceived as slowing the business down. 

"The shared responsibility picture is just getting worse every year," says Greg Jensen, senior principal director of cloud security at Oracle. Security teams must know what's going into production. Once they do, it takes time to implement monitoring and remediation mechanisms.

This readiness gap manifests in new challenges for IT and security pros: More than three-quarters (78%) say the differences between cloud-resident and on-premises applications and infrastructure require a distinct set of security policies and processes. These differences have led to buying more security controls, driving complexity. Seventy percent report too many tools are needed to protect public cloud environments. On average, each uses more than 100 discrete security controls.

Visibility was a primary issue among respondents. Nearly 30% of respondents said identifying software flaws and remediation was the most important area for improving visibility. Other areas include finding workload configurations that are out of compliance (28%), an audit trail of system-level activity (27%), identifying misconfigured security groups (25%), and detecting external-facing server workloads that don't route Internet traffic via jump/bastion host (25%). 

"The pace of change of underlying technology is tremendous," says Barlock. "It's just hard for teams to keep up with the pace of that change. The other dimension is the scale of the team: Do I have enough people on my security team who are knowledgeable about cloud and can meet the business where they are?"

Barlock, who heads up the cloud and AI division at KPMG, says his team faced the same issues. In response, they reorganized their cybersecurity team to place a stronger focus on cloud and cloud/AI technology. They also grew closer to technology partners and encouraged employees to pursue certifications focused on cloud as well as hands-on skill building, he explains.

A lack of cloud security skills is proving problematic for organizations across the board, Jensen says, noting how many security incidents over the past year could be linked back to cloud configuration issues, including overprivileged credentials, lack of encryption, or unprotected buckets.

"The news is scaring people," he explains. "It's making them realize they are vulnerable because of a lack of understanding and ability to get a handle on security controls."

These challenges are driving businesses to hire more technically savvy cloud security pros. Researchers report more companies have a cloud security architect than a security architect, indicating a rethinking of security programs to close the "readiness gap." One increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.

The BISO acts as a liaison between business executives and the CISO, Jensen explains, but it won't replace the security leader. Today's CISOs know organizations are going to pursue cloud-based applications without them. A BISO moves the security team close to the business team and understands the business development life cycle, priorities, and security gaps, he notes. BISOs are driven by business goals and achievement, and their role is to help CISOs and line-of-business owners to collaborate.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I like the old version of Google assistant much better.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...