Lack of adequate visibility and control is the greatest challenge to cloud adoption in an organization, according to McAfee’s third annual cloud adoption and security report.
However the business value of the cloud—Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS)—is so compelling that some organizations are plowing ahead.
Modern cloud security tools and practices don’t require organizations to make that difficult choice between business velocity and data security.
“Despite the clear prevalence of security incidents occurring in the cloud, enterprise cloud adoption is pressing on,” McAfee SVP of cloud security Rajiv Gupta said.
“By implementing security measures that allow organizations to regain visibility and control of their data in the cloud, businesses can leverage the cloud to accelerate their business and improve the security of their data.”
Almost all organizations are well into cloud adoption. According to the survey, 97% of worldwide IT professionals are using some type of cloud service and are concurrently working through issues related to visibility and control.
The combination of public and private cloud is also the most popular architecture, with 59% of respondents now reporting they are using a hybrid model. While private-only usage is relatively similar across all organization sizes, hybrid usage grows steadily with organization size, from 54% in organizations up to 1,000 employees, to 65% in larger enterprises with more than 5,000 employees.
According to the report, Cloud-First is the strategy for IT in many companies and remains a primary objective. Caution seems to have taken over for others, as the number of organizations with a Cloud-First strategy dropped from 82% to 65% this year.
Despite all that, respondents with a Cloud-First strategy still believe that public cloud is safer than private cloud. They understand the risks, and yet the more they know, the more confident IT professionals are that Cloud-First is the course they want to be on.
The majority of organizations store some or all of their sensitive data in the public cloud, with only 16% stating that they store no sensitive data in the cloud. The types of data stored run the full range of sensitive and confidential information. Personal customer information is by far the most common, reported by 61% of organizations.
Around 40% of respondents also store one or more of internal documentation, payment card information, personal staff data or government identification data. Finally, about 30% keep intellectual property, healthcare records, competitive intelligence and network pass cards in the cloud.
Managing the risk of storing sensitive data in the cloud means ensuring the organization has visibility to it and control of it. A focus on fundamental governance and technological steps, such as requiring departments and personnel to participate in asset identification, classification and accountability helps build visibility. Data Loss Prevention integration with cloud providers, including the use of Cloud Access Security Brokers, manual or automated data classification and other technology steps, will help reduce the risk of sensitive information being compromised through cloud services.
Security Incidents Still Widespread
Prominently, 1-in-4 organizations that uses IaaS, PaaS or SaaS has had data stolen, and 1-in-5 has experienced an advanced attack against its public cloud infrastructure. As organizations prepare for the European Union’s General Data Protection Regulation (GDPR), slated for May 2018, they will be ramping up compliance efforts.
Organizations that are more confident in the ability of their cloud providers are more likely to have plans to increase their overall cloud investments in the coming year, while those less confident plan to keep their investments at the current level. Fewer than 10% surveyed, on average, anticipate decreasing their cloud investment because of GDPR.
Malware continues to be a concern for all types of organizations and 56% of professionals surveyed said they had tracked a malware infection back to a cloud application, up from 52% in 2016.
When asked how the malware was delivered to the organization, just over 25% of the respondents said their cloud malware infections were caused by phishing, followed closely by emails from a known sender, drive-by downloads and downloads by existing malware.
The shortage of cybersecurity skills and its impact on cloud adoption continues to decrease, as those reporting no skills shortage increased from 15% to 24% this year. Of those still reporting a skills shortage, only 40% have slowed their cloud adoption as a result, compared to 49% last year. Cloud adoption rates are highest in those reporting the highest skills shortages. – Telecom Asia