Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:35 PM
Connect Directly

As Businesses Rush to the Cloud, Security Teams Struggle to Keep Up

Most organizations have a gap between current and planned cloud usage and the maturity of their cloud security programs.

The continued shift to the cloud is driving challenges in preparedness, configuration management, and defending against new attack techniques. Businesses are rushing to move applications to the cloud, putting growing amounts of pressure on security teams to keep pace.

Trust in the public cloud continues to grow, researchers found in the "Oracle and KPMG Cloud Threat Report 2020." Forty percent of the 750 IT and security professionals surveyed view the public cloud as more secure than what they can deliver on-premises, marking a 13% year-over-year jump from the 2019 study. Most (88%) currently use public cloud infrastructure services.

When asked about consuming business-critical applications as a service, respondents cite, on average, a 9% increase over the next two years. The shift to software-as-a-service (SaaS) for these applications shows more people are growing comfortable with the security of cloud providers. Enterprise resource planning, customer relationship management, human capital management, and IT services management are among the applications undergoing the transition to cloud, researchers say.

"Many of our clients are at the point where they deployed their first set of important applications, like finance applications in the cloud, supply chain applications … a core set of three to five applications, and that's gone OK," says Steve Barlock, principal with KPMG. What's happening over the past six to 12 months is businesses that have seen early success want to start moving everything to the cloud. "We're seeing a problem of scale right now," he adds.

Survey data shows 92% of companies have a "cloud security readiness gap" between their current and planned cloud usage and the maturity of their cloud security programs. More than 40% report a wide gap, while 48% say the gap is moderate. The space is created when cloud services and applications are consumed by business units outside the scope of IT and security teams. As the security pros try to catch up, their efforts are perceived as slowing the business down. 

"The shared responsibility picture is just getting worse every year," says Greg Jensen, senior principal director of cloud security at Oracle. Security teams must know what's going into production. Once they do, it takes time to implement monitoring and remediation mechanisms.

This readiness gap manifests in new challenges for IT and security pros: More than three-quarters (78%) say the differences between cloud-resident and on-premises applications and infrastructure require a distinct set of security policies and processes. These differences have led to buying more security controls, driving complexity. Seventy percent report too many tools are needed to protect public cloud environments. On average, each uses more than 100 discrete security controls.

Visibility was a primary issue among respondents. Nearly 30% of respondents said identifying software flaws and remediation was the most important area for improving visibility. Other areas include finding workload configurations that are out of compliance (28%), an audit trail of system-level activity (27%), identifying misconfigured security groups (25%), and detecting external-facing server workloads that don't route Internet traffic via jump/bastion host (25%). 

"The pace of change of underlying technology is tremendous," says Barlock. "It's just hard for teams to keep up with the pace of that change. The other dimension is the scale of the team: Do I have enough people on my security team who are knowledgeable about cloud and can meet the business where they are?"

Barlock, who heads up the cloud and AI division at KPMG, says his team faced the same issues. In response, they reorganized their cybersecurity team to place a stronger focus on cloud and cloud/AI technology. They also grew closer to technology partners and encouraged employees to pursue certifications focused on cloud as well as hands-on skill building, he explains.

A lack of cloud security skills is proving problematic for organizations across the board, Jensen says, noting how many security incidents over the past year could be linked back to cloud configuration issues, including overprivileged credentials, lack of encryption, or unprotected buckets.

"The news is scaring people," he explains. "It's making them realize they are vulnerable because of a lack of understanding and ability to get a handle on security controls."

These challenges are driving businesses to hire more technically savvy cloud security pros. Researchers report more companies have a cloud security architect than a security architect, indicating a rethinking of security programs to close the "readiness gap." One increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.

The BISO acts as a liaison between business executives and the CISO, Jensen explains, but it won't replace the security leader. Today's CISOs know organizations are going to pursue cloud-based applications without them. A BISO moves the security team close to the business team and understands the business development life cycle, priorities, and security gaps, he notes. BISOs are driven by business goals and achievement, and their role is to help CISOs and line-of-business owners to collaborate.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Navigating the Asia-Pacific Threat Landscape: Experts Dive In
Kelly Sheridan, Staff Editor, Dark Reading,  9/25/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...