Companies continue to move business critical workloads and their most sensitive data to the cloud, yet security challenges remain, according to the second annual Oracle and KPMG Cloud Threat Report 2019 released today. The report found that 72 percent of respondents feel the public cloud is more secure than what they can deliver in their own data center and are moving data to the cloud, but visibility gaps remain that can make it hard for businesses to understand where and how their critical data is handled in the cloud.
The survey also found a projected 3.5 times increase in the number of organizations with more than half of their data in the cloud from 2018 to 2020, and 71 percent of organizations indicated that a majority of this cloud data is sensitive, up from 50 percent last year. However, the vast majority (92 percent) noted they are concerned about employees following cloud policies designed to protect this data.
The report found that the mission-critical nature of cloud services has made cloud security a strategic imperative. Cloud services are no longer nice-to-have tertiary elements of IT—they serve core functions essential to all aspects of business operations. The 2019 report identified several key areas where the use of cloud service can present security challenges for many organizations.
- Confusion about the shared responsibility security model has resulted in cybersecurity incidents. Eighty-two percent of cloud users have experienced security events due to confusion over the shared responsibility model. While 91 percent have formal methodologies for cloud usage, 71 percent are confident these policies are being violated by employees, leading to instances of malware and data compromise.
- CISOs are too often on the cloud security sidelines. Ninety percent of CISOs surveyed are confused about their role in securing a Software as a Service (SaaS) versus the cloud service provider environment.
- Visibility remains the top security challenge. The top security challenge identified in the survey is detecting and reacting to security incidents in the cloud, with 38 percent of respondents naming it as their top challenge today. Thirty percent cited the inability of existing network security controls to provide visibility into cloud-resident server workloads as a security challenge.
- Rogue cloud application use and lack of security controls put data at risk. Ninety-three percent of respondents indicated they are still dealing with “shadow IT”—in which employees use unsanctioned personal devices and storage or file share software for corporate data. Half of organizations cited lack of security controls and misconfigurations as common reasons for fraud and data exposures. Twenty-six percent of organizations cited unauthorized use of cloud services as their biggest cybersecurity challenge today.
“The world’s most important workloads are moving to the cloud, heightening the need for a coordinated, integrated and layered security strategy,” said Kyle York, vice president of product strategy, Oracle Cloud Infrastructure. “Starting with a cloud platform built for security and applying AI to safeguard data while also removing the burden of administrative tasks and patching removes complexity and helps organizations safeguard their most critical asset—their data.”
“As organizations continue to transition their cyber security thinking from strictly risk management to more of a focus on business innovation and growth, it is important that enterprise leaders align their business and cyber security strategies,” said Tony Buffomante, U.S. Leader of KPMG LLP’s Cyber Security Services. “With cloud services becoming an integral part of business operations, there is an intensified need to improve the security of the cloud and to integrate cloud security into the organization’s broader strategic risk mitigation plans.”
Additional Key Findings
- Automation may improve chronic patching problems: Fifty-one percent surveyed report patching has delayed IT projects and 89 percent of organizations want to employ an automatic patching strategy.
- Machine learningmay help decrease threats: Fifty-three percent are using machine learning to decrease overall cyber security threats, while 48 percent are using a Multi-factor Authentication (MFA) solution to automatically trigger a second factor of authentication upon detecting anomalous user behavior.
- Supply chain risk: Business-critical services must be contained as supply chain compromise has led to the introduction of malware in 49 percent of cases, followed by unauthorized access of data in 46 percent of cases.
- Security events continue to increase while shared responsibility confusion expands: Only 1 in 10 organizations can analyze more than 75 percent of their security event data and 82 percent of cloud users have experienced security events due to confusion over cloud shared responsibility models.
- Cloud adoption has expanded the core-to-edge threat model: An increasingly mobile workforce accessing both on premise and cloud-delivered applications and data dramatically complicates how cybersecurity professionals must think about their risk and exposure. In 2018, the number one area of investment was training, but this year, training slipped to number two and was replaced by edge-based security controls (e.g., WAF, CASB, Botnet/DDoS Mitigation controls).
To find out more about the Oracle and KPMG Cloud Threat Report 2019, visit Oracle at the RSA Conference, March 4-8 in San Francisco. (Booth #1559 – Moscone South).
About the Report
The Oracle and KPMG Cloud Threat Report 2019 examines emerging cyber security challenges and risks that businesses are facing as they embrace cloud services at an accelerating pace. The report provides leaders around the globe and across industries with important insights and recommendations for how they can help ensure that cyber security is a critical business enabler. The data in the report is based on a survey of 450 cyber security and IT professionals from private and public-sector organizations in North America (United States and Canada), Western Europe (United Kingdom), and Asia (Australia, Singapore).