More than half of firms running multicloud environments have been hit with a data breach in the past year, compared with 24% of hybrid cloud organizations and 24% of single-cloud users.
To gain a better understanding of how the public and private sectors are engaging with the $325 billion cloud market, researchers with Nominet polled 274 CISOs, CTOs, CIOs, and other professionals responsible for cybersecurity in large organizations across the US and UK. While 61% believe the risk of a breach is the same or lower in the cloud compared with on-prem environments, it seems there is a link between the number of clouds used and risk of attack.
The majority (71%) of respondents use software-as-a-service (SaaS) and 60% use infrastructure-as-a-service (IaaS). Fewer have moved to platform-as-a-service (PaaS) or business-process-as-a-service (BPaaS). Nearly half (48%) report their organizations uses a multicloud approach, and 24% use hybrid cloud. Only 29% of respondents use cloud services from one provider. Google Cloud was the most popular (56%), followed by IBM (49%), Oracle (44%), Microsoft Azure (36%), and AWS (32%).
Businesses using a multicloud approach are both more likely to have experienced a breach and more likely to have suffered multiple breaches: Sixty-nine percent of multicloud businesses report 11 to 30 breaches, compared with 19% of single-cloud organizations and 13% of hybrid cloud users.
Nominet vice president Stuart Reed points to a "tipping point" in terms of cloud adoption as more businesses consider the potential risks involved. Still, 69% remain moderately, very, or extremely worried about cloud security. Most fear cybercriminal sophistication and customer data exposure; other trepidations relate to increased attack surface, Internet of Things devices, and visibility.
These concerns no longer block cloud adoption as organizations recognize the cloud's potential to drive growth. "I think a lot of major SaaS applications are finding their way into enterprises as a matter of course now," he says. "We're beyond the point of people 'dipping their toe' in." Organizations are beyond using one cloud; now, more of them use at least two – if not more.
"There is a huge amount of choice out there in the market, from a cloud perspective," Reed says. "Organizations, generally speaking, have varied requirements depending on the project [they're] doing." A cloud service that works for one project may not work for another, for example, or have different geographical requirements. Companies' solution is to use several.
The higher likelihood of a breach for multicloud businesses has less to do with the security of each provider and more to do with heightened complexity. Each new cloud service increases the number of touch points onto a network, expanding opportunities for an attacker to get in.
"The traditional view of the network is becoming increasingly dissolved," he continues. "The network becomes broader, wider, and more significant. The need to be able to have a good level of visibility across that is highly important."
Navigating the Complexity of Cloud
For businesses working to secure existing multicloud environments, or those considering an additional cloud provider, Reed advises taking inventory of where assets reside and understanding the full breadth of the clouds. Knowing the implications of where data passes through and how it reaches other parts of the network or the Internet is important to achieve the level of visibility and understand what normal behavior looks like in the organization.
Nearly two-thirds of respondents (63%) already outsource cloud security to managed service providers, Nominet found. For organizations considering outsourcing, Reed emphasizes the importance of asking the right questions. Understand what they are able to offer and the security processes and procedures in place. This creates clarity between the supplier and organization in terms of what should happen when a breach is identified and how to mitigate it.
"It's the same level of diligence they need to apply to any supplier," he says.
Most (57%) respondents expect their cloud security budgets to increase, researchers found; the only industries where it's expected to lower are pharmaceuticals and hospitality. Budget increases could signify a more security-conscious organization, they report, or a response to an incident. Respondents are likely to believe cloud security budgets are increasing if their organization had been hit with a cyberattack in the 12 months prior.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: 'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities.