2020 Cloud Threat Report: Public Cloud Adoption Has Rapidly Become a Business Enabler Yet Most Have Significant Security Gaps

Press release
Published June 10th, 2020 - 09:03 GMT


In the latest study of 750 cybersecurity and information technology leaders around the world, we see that cloud infrastructure holds promise of empowering innovation, reducing costs, and improving cyber security resilience. However, the third-annual Oracle and KPMG Cloud Threat Report 2020 also highlights that most organizations have critical security gaps due to talent shortages, legacy mentalities, over-engineered security tools, and unclear ownership of the specific cloud stack components.

 

Enterprise cyber risk: Increased or decreased with cloud architecture?

Many business teams feel increased pressure to adapt and innovate in this new COVID-19 commercial ecosystem, and scalable cloud infrastructure and cloud-based digital platforms offer an attractive option for meeting targeted customer needs while reducing overhead. 90 percent of companies are using Software as a Service (SaaS); 76 percent are using Infrastructure as a Service (IaaS) today; and 50 percent expect to move all of their data to the cloud within two years.

However, as Logan Simpson, Head of Cyber Security Services at KPMG Fakhro, noted, “Often there are missed connections between the business, compliance, information technology, cyber security, and risk management units. These communication, process, and relational trust gaps between teams often trigger the opposite result and cause the cloud solutions to introduce critical levels of enterprise cyber risk instead of capitalizing on the many improved security features of cloud architecture.”

 

Security through obscurity: How many security products does it take to stop a hacker?
The study shows IT professionals are using a patchwork of different cybersecurity products. 78 percent of organizations use more than 50 discrete cybersecurity products; 37 percent use more than 100 cybersecurity products. However, cloud security products usually need to be procured, implemented, and maintained separately from the on-premise security products. Often this additional overhead is not factored into the total cost of ownership when the decision is made to migrate.

 

Shifting responsibility: More confusion means more security breaches 

Growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. This confusion has left IT security teams scrambling to address a growing threat landscape.

  • Shared responsibility security models are causing confusion; only 8 percent of IT security executives state that they fully understand the shared responsibility security model. 

  • 92 percent of companies admitted they have gaps between their cloud usage and the maturity of their cloud security program.

  • 75 percent of IT professionals have experienced data loss from a cloud service more than once. 

Top cloud security fears listed in the report include misconfigurations on security groups, externally facing servers, and privileged account authentication and authorization.

 

Rise of the BISO: Can DevSecOps through intelligent automation be the answer? 

Some companies reported that they had successfully adopted the “shift-left” approach to coordinate across internal teams and vendors to build their new business platforms on a foundation of solid security principles and processes. Many are also turning to machine learning to automate the increasing tide of basic security operational tasks needed to address the evolving cyber threat landscape.

  • 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.

  • 87 percent of IT professionals see artificial intelligence/machine learning capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.

A successful transition to the DevSecOps approach is reported to help build trust and get security architects involved earlier in cloud projects. These success stories reported that security previously had to be re-architected into the cloud solutions later in the project, usually because of compliance audits or the inevitable data breach. However, beginning cloud adoption and migration initiatives with open communication channels and a risk-based security mindset can often lead to smoother and lower-cost implementations and more time for the business teams to focus on customers.

 

Manav Prakash, Partner, Advisory, added, “A coordinated approach to managing cloud security is required. The survey determines that as cloud adoption continues to increase rapidly, there is a need for security teams to upskill/add new skills, to be embedded in cloud outsourcing discussions early on, to understand deeply the shared responsibility model so as to be able to identify and, importantly, manage the risks on an ongoing basis.”

Background Information

KPMG

Through helping other organizations mitigate risks and grasp opportunities, we can drive positive, sustainable change for clients, our people and society at large.

KPMG member firms operate in 153 countries, collectively employing more than 207,000 people, serving the needs of business, governments, public-sector agencies, not-for-profits and through member firms' audit and assurance practices, the capital markets. KPMG is committed to quality and service excellence in all that we do, bringing our best to clients and earning the public's trust through our actions and behaviours both professionally and personally.
