Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:35 PM
Connect Directly

As Businesses Rush to the Cloud, Security Teams Struggle to Keep Up

Most organizations have a gap between current and planned cloud usage and the maturity of their cloud security programs.

The continued shift to the cloud is driving challenges in preparedness, configuration management, and defending against new attack techniques. Businesses are rushing to move applications to the cloud, putting growing amounts of pressure on security teams to keep pace.

Trust in the public cloud continues to grow, researchers found in the "Oracle and KPMG Cloud Threat Report 2020." Forty percent of the 750 IT and security professionals surveyed view the public cloud as more secure than what they can deliver on-premises, marking a 13% year-over-year jump from the 2019 study. Most (88%) currently use public cloud infrastructure services.

When asked about consuming business-critical applications as a service, respondents cite, on average, a 9% increase over the next two years. The shift to software-as-a-service (SaaS) for these applications shows more people are growing comfortable with the security of cloud providers. Enterprise resource planning, customer relationship management, human capital management, and IT services management are among the applications undergoing the transition to cloud, researchers say.

"Many of our clients are at the point where they deployed their first set of important applications, like finance applications in the cloud, supply chain applications … a core set of three to five applications, and that's gone OK," says Steve Barlock, principal with KPMG. What's happening over the past six to 12 months is businesses that have seen early success want to start moving everything to the cloud. "We're seeing a problem of scale right now," he adds.

Survey data shows 92% of companies have a "cloud security readiness gap" between their current and planned cloud usage and the maturity of their cloud security programs. More than 40% report a wide gap, while 48% say the gap is moderate. The space is created when cloud services and applications are consumed by business units outside the scope of IT and security teams. As the security pros try to catch up, their efforts are perceived as slowing the business down. 

"The shared responsibility picture is just getting worse every year," says Greg Jensen, senior principal director of cloud security at Oracle. Security teams must know what's going into production. Once they do, it takes time to implement monitoring and remediation mechanisms.

This readiness gap manifests in new challenges for IT and security pros: More than three-quarters (78%) say the differences between cloud-resident and on-premises applications and infrastructure require a distinct set of security policies and processes. These differences have led to buying more security controls, driving complexity. Seventy percent report too many tools are needed to protect public cloud environments. On average, each uses more than 100 discrete security controls.

Visibility was a primary issue among respondents. Nearly 30% of respondents said identifying software flaws and remediation was the most important area for improving visibility. Other areas include finding workload configurations that are out of compliance (28%), an audit trail of system-level activity (27%), identifying misconfigured security groups (25%), and detecting external-facing server workloads that don't route Internet traffic via jump/bastion host (25%). 

"The pace of change of underlying technology is tremendous," says Barlock. "It's just hard for teams to keep up with the pace of that change. The other dimension is the scale of the team: Do I have enough people on my security team who are knowledgeable about cloud and can meet the business where they are?"

Barlock, who heads up the cloud and AI division at KPMG, says his team faced the same issues. In response, they reorganized their cybersecurity team to place a stronger focus on cloud and cloud/AI technology. They also grew closer to technology partners and encouraged employees to pursue certifications focused on cloud as well as hands-on skill building, he explains.

A lack of cloud security skills is proving problematic for organizations across the board, Jensen says, noting how many security incidents over the past year could be linked back to cloud configuration issues, including overprivileged credentials, lack of encryption, or unprotected buckets.

"The news is scaring people," he explains. "It's making them realize they are vulnerable because of a lack of understanding and ability to get a handle on security controls."

These challenges are driving businesses to hire more technically savvy cloud security pros. Researchers report more companies have a cloud security architect than a security architect, indicating a rethinking of security programs to close the "readiness gap." One increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.

The BISO acts as a liaison between business executives and the CISO, Jensen explains, but it won't replace the security leader. Today's CISOs know organizations are going to pursue cloud-based applications without them. A BISO moves the security team close to the business team and understands the business development life cycle, priorities, and security gaps, he notes. BISOs are driven by business goals and achievement, and their role is to help CISOs and line-of-business owners to collaborate.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-12
INTELBRAS TELEFONE IP TIP200 version allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
PUBLISHED: 2021-04-12
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover pa...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.