Organizations are increasing their cloud adoption, but they aren’t necessarily keeping pace with their security practices. Every year Oracle and KPMG collaborate on the Oracle and KPMG Cloud Threat Report, a survey of cybersecurity and IT professionals from private- and public-sector organizations about their public cloud usage and cybersecurity products and services. In 2013, 57 percent of our respondents said they were using public cloud services. Today, that number has jumped to 85 percent.
While people are feeling more confident than ever about security in the public cloud, many organizations are putting themselves at risk by making a handful of common mistakes. I’ll outline each of the main pitfalls below, but for more detail on what’s causing these mistakes and pointers on how to remedy them, don’t miss our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”
Mistake #1 Lack of Responsibility
When you adopt a cloud service, it’s tempting to think that they’ve got security covered. Sure, they’re probably taking care of some of it, but there are certain things that they just can’t be responsible for—like how careful your employees are with their credentials.
The division between what you’re responsible for and what your cloud provider is responsible for is an important one to iron out with your cloud provider to ensure that there aren’t any gaps. In the Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model.
Knowing what your responsibilities are is the first step to fulfilling them and keeping your organization protected.
Mistake #2 Lack of Training
One of the most common ways an organization can be breached is through the average employee. The number 1 and 2 most common attack vectors are phishing scams, and all it takes is one person making one mistake to expose your company. In this case, it’s training (and not some fancy tool) that will make the difference.
Mistake #3 Lack of Automation
The number 1 challenge for security organizations is being able to detect and react to cloud threats. In the Cloud Threat Report, only 14 percent of respondents said they were able to analyze all of their relevant security event and telemetry data. This lack of insight usually happens because cloud services are rolling out faster than SecOps can support them.
In order to combat this problem, organizations need to remove manual processes and introduce more automated responses to risks. We’re past the point of hiring our way out of this problem. There just aren’t enough of us. We need assistance in the form of automation.
Mistake #4 Lack of Compliance
Organizations are struggling with not only how to meet, but also maintain their compliance requirements globally. A key distinction that companies often miss is that compliance doesn’t necessarily mean security. Compliance is primarily about data confidentiality, integrity, and making data available. You can be compliant and still get breached.
Still, it’s difficult to meet your compliance goals if you don’t have an expert heading up the charge. You really need somebody who knows their stuff, can see the whole picture, and can determine how your organization can best tackle its compliance responsibilities.
Mistake #5 Lack of Leadership
It’s become a real struggle for security teams to rein in lines of business who think they can get their cloud services out “faster” if they skirt the security process. These projects often hit a snag when their owners realize that they have to meet the company’s security requirements.
One of the reasons this happens is that lines of business don’t see how involving security operations early is actually an advantage for them. The key here is leadership. By having someone who can help internal groups see an efficient path to deployment and check all the necessary boxes, organizations can both protect themselves and get what they need sooner.
Ultimately our confidence in the cloud is well placed. All we have to do is update our thinking to match our technology. For more detail on these mistakes and how to avoid making them, see our on-demand webcast “Sharing the Cloud Security Responsibility and Mitigating the Top 5 Risks.”