Thirty-eight percent of security and IT professionals surveyed by Oracle and KPMG identified the ability to detect and react to security incidents in the cloud as their top security challenge. Unauthorized use of cloud services was the second most pressing concern, with 26 percent identifying it as the No. 1 challenge.
Respondents, according to the Oracle and KPMG LLP Cloud Threat Report 2019, also exhibited confidence in the cloud: 72 percent reported feeling that the public cloud is more secure than their own data centers and are moving to a public cloud platform. And 71 percent reported that the majority of their data in the cloud is sensitive, which is up from 50 percent last year.
The human element elicits a bit less confidence. More than nine in 10 respondents — 92 percent — are concerned with employees following cloud policies designed to protect data.
Oracle and KPMG surveyed 450 professionals in private and public organizations in North America, Western Europe, and Asia for the second annual report.
New Thinking Needed
The challenge is — as always — people.
“It is always a human limitation, from the top down,” Greg Jensen, senior principal director of security at Oracle, told SDxCentral in an email. “We are ultimately the decision makers for policy, the privacy controls, how we look to respond, the choices we wish to incorporate into systems to mitigate risk, the people we hire, the partners we work with. It is always a human issue. The challenge we face today, is the best of our human intents to defend our networks is now being tested by the worst of human intent, to get around those defenses.”
Jensen said that organizations should understand shared security responsibilities across all cloud holdings so that appropriate management programs can be put in place. Policies should be written with a firm knowledge of where data is and how partners are using it. Putting a “cloud security architect” in place is a good idea as well, he wrote.
Organizations must accept the idea that accessing cloud platforms does not end the organization’s need to work hard at security and risk management. The new partners augment the workload — but don’t eliminate it. Security is a shared responsibility.
New Technology Also a Must
Security tools must change as well. “Many early adopters of the cloud have learned that you simply cannot take your on-prem security methodologies and expand that into the cloud,” Jensen said.
For example, with an on-premises ERP system, an employee who resigns at 8am, and turns in his badge and laptop, is locked out of the system by 8:05am. “So historically, organizations might spend days or weeks de-provisioning all the internal accounts,” Jensen said. “Now in a cloud model, that same scenario is more challenging.”
In a cloud model, if there isn’t an immediate suspension of all accounts, this former employee could still use a smart phone to access sensitive data even after he resigned. “So the technologies have to change.”
These drastic changes suggest that organizations should do a very careful job of vetting potential cloud providers. Jensen said that prospective infrastructure as a service (IaaS), platform as a service (PaaS) and SaaS providers should be pressed to describe how the organization’s goals can be incorporated into contracts and service level agreements. He said some questions to ask include: Are you a heterogeneous service or must we go all in with the vendor? How do my privacy/regulatory obligations map to your ability to meet them as a provider?
Artificial intelligence (AI) and machine learning (ML) can also help improve security posture. Only 10 percent of organizations can see more than 75 percent of their event telemetry, Jensen said. Using AI- and ML-based tools can fill the obvious need of providing more comprehensive insights.
- The survey found that a “lack of clarity on this foundational cloud security construct between the enterprise and the cloud provider” is problematic. It’s not just theoretical: 82 percent of users reported security events because of the confused relationship. Ninety-one percent said they have formal methodologies about cloud usage — but 71 percent think their employees are violating those guides.
- Nine in 10 CISOs surveyed are confused about whether securing software-as-a-service (SaaS) environments is their responsibility or the cloud service providers’ responsibility.
- Ninety-three percent of respondents are dealing with issues related to shadow IT.
- Half of organizations say that misconfigurations and lack of security controls allow fraud and lead to data exposure.
- The proliferation of mobile workers and devices has led to a change in how organizations spend their money. In the first report, the top area of investment was training. In the current report, training has slipped to number two. The top area is edge security controls such as web application firewall (WAF), cloud access security broker (CASB) and botnet/distributed denial of service (DDoS) mitigation.