Published on the 21/05/2020 | Written by Heather Wright
Cloud data security keeping IT teams up at night…
The continuing move to the cloud is challenging security preparedness and configuration management with a ‘Frankenstein-like’ patchwork of security tools and processes putting pressure on IT teams.
The KPMG and Oracle Cloud Threat Report 2020 paints a picture of IT teams scrambling to play whack a mole as companies’ adoption of cloud outpaces the businesses’ ability to secure cloud services. That, KPMG and Oracle say, is leaving a ‘palpable’ cloud security readiness gap.
The third annual report found 78 percent of organisations surveyed are using more than 50 discrete cybersecurity products. As if 50 products wasn’t a big enough headache, 37 percent say they’re using more than 100 cybersecurity offerings.
“Until security becomes the cultural norm, DevSecOps serves as a call to action.”
It’s a problem KPMG says, that is creating opportunities for data loss, with IT professionals concerned about the patchwork of security products being used and that the products were rarely configured correctly.
Organisations who discovered misconfigured cloud services reported experiencing 10 or more data loss incidents in the last year. Leading the way as the most common types of misconfigurations: Over-privileged accounts, exposed web servers and other types of server workloads and a lack of multi-factor authentication for access to key services.
While companies are increasingly comfortable with cloud – 40 percent of respondents viewed public cloud as ‘much more’ secure than their own data centres – the majority (92 percent) also don’t believe their organisation is well prepared to secure public cloud services.
Fifty-one percent said between 21 percent and 40 percent of their business critical applications are already consumed as software-as-a-service. When it comes to consuming business-critical applications as a service, respondents cited on average a nine percent increase over the next 24 months.
“This shift to SaaS for those applications that are truly mission-critical is another indicator that businesses are comfortable with the security posture of cloud service providers,” the report says.
“Indeed, the applications that are the backbone of business operations – ERP, customer relationship management, human capital management, IT service management and more – are now in the process of moving to the cloud.”
Infrastructure as a service and Platform as a service are also seeing an uptick, KPMG says.
But the cloud move is coming at a cost: 92 percent admit there’s a gap between current and planned cloud usage and the maturity of their cloud security program with 44 percent saying that public cloud security readiness gap is ‘wide’.
At the heart of the issue, according to KPMG is the consumption of cloud by business units – and their view that security teams will simply slow things down.
“Cloud services and applications are often consumed by a business unit outside of the purview of the centralised IT and cybersecurity teams. Then, as lines of business realise rapid time to value, use expands.
“Collaboration with the cybersecurity team is perceived as threatening to throttle speed. Herein lies the issues of velocity outpacing security readiness and the need for a cultural shift in how organisations approach cybersecurity.”
There are also new blind spots forming as IT teams and cloud service providers work to understand individual responsibilities in securing data.
The lack of visibility from operating in someone else’s data centre and sharing responsibility has led to a common refrain: A lack of visibility which has created a series of configuration management challenges.
Nearly 30 percent said identifying software vulnerabilities and remediation was the most important area to improve security visibility, with 28 percent citing the ability to identify workload configurations that are out of compliance, and 27 percent wanting an audit trail of all system level activity.
So what’s the solution? According to KPMG it’s that old catchall of having a ‘security-first model’.
“To be able to manage [the] increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business,” says Tony Buffomante, KPMG cyber security services global co-leader.
IT teams and cloud service providers must work together to build that security-first culture, which includes hiring, training and retaining skilled IT security professionals and constantly improving the processes and technologies used.
Specifically, KPMG references the emergence of DevSecOps, automating cybersecurity processes and controls via integration with the continuous integration and continuous delivery toolchain that orchestrates the application lifecycle.
“Some view the term as nebulous and in need of a clear definition. Others assume that DevOps already includes security, obviating the need for the term. It is the view of this year’s report that until security becomes the cultural norm, DevSecOps serves as a call to action.”