Cloud security has become more of an imperative and a must-have for organizations today. However, when looking at cybersecurity and specifically cloud transformation, cloud environments are incredibly decentralized, industry experts argued during an Inkhouse Black Hat panel last week. 

Security responsibilities have become diluted across organizations, where different business units all have to consider security — units usually without an impressive IT or security knowledge background.

"IT is actually decentralized at an incredibly large amount, and so now, all of a sudden, IT doesn't even have access to the sales force or the engineering team," said Obsidian CTO Ben Johnson during the panel. "These teams are not necessarily experts, but they have to consider security. So you're seeing this incredible therapy session where you're bringing these different teams together that haven't been talking."

"Security is frustrated because they don't have access to these things, and yet, they're on the hook for the overall cybersecurity of the business," said Johnson.

In general, there is a need for conversations in cybersecurity for organizations transitioning to cloud environments. "It's really a need for waking everyone up a bit," he noted. 

More and more businesses are transitioning to cloud environments. Still, the benefits don't come without its risks — two top-of-mind cloud threats are attackers abusing cloud apps to target endpoints and attackers targeting cloud apps directly, Ray Canzanese, director of Netskope Threat Labs, pointed out during the panel.

"Half the malware downloads we see originate from cloud apps, and attackers do that to bypass block lists to exploit trust," Canzanese said. "Once they're on the endpoints, we see them also using their own infrastructure, using cloud apps like Twitter, GitHub, Slack for command and control traffic as well."

Threat actors target cloud apps directly for other attacks, forgetting the endpoint entirely to exploit data and launch additional attacks. End users, notoriously easy targets, are trained to click on permission allowances. However, this increases the risk of accidentally allowing permission to unauthorized users.

"We see traditional phishing attacks going after credentials, which becomes a little challenging when something like a Microsoft phishing page is hosted on Azure websites, and targeting Office 365 credentials — it becomes really hard for your average user to recognize," Canzanese said. "It becomes the most challenging and worrisome when we start seeing things like attackers abuse authorization workflows, so you're just getting a user to click on." 

Hybrid work is the new normal for many global workforces. With more work happening through online spaces rather than face to face, cloud adoption is on the rise. Netskope saw that organizations have increased their number of cloud applications by 80% on average since the beginning of the pandemic, according to Canzanese.

The next phase of businesses increasing their cloud transitions is the necessary increase in security budgets. 

"Large institutions, inevitably, are going to have to increase their security budgets," said Immuta CEO and co-founder Matthew Carroll. "Even in a recent recession, I think that budgets from the security side are going to have to go up because inevitably they're going to have to move data to the cloud, and these organizations have to mature their security posture to be able to do that."

Maturing business security falls back on the cybersecurity talent shortage — a shortage that will continue into next year.

"We're gonna see that talent shortage continuing to next year, and budget-wise you're going to need to figure out where you can merge technology and talent," said Thomas Elling, senior director of cloud pentesting practice at NetSPI. "You're going to need cybersecurity professionals to understand and improve how they can use their tools to monitor and alert in the cloud and then go beyond that."