By: Alan Zeichick
Is the cloud ready for sensitive data? You bet it is. Some 90% of businesses in a new survey say that at least half of their cloud-based data is indeed sensitive, the kind that cybercriminals would love to get their hands on.
The migration to the cloud can’t come soon enough, as 66% of companies in the study say at least one cybersecurity incident has disrupted their operations within the past two years, and 80% say they’re concerned about the threat that cybercriminals pose to their data.
The good news is that 62% of organizations consider the security of cloud-based enterprise applications to be better than the security of their on-premises applications, and another 21% consider it as good. The caveat: Companies must be proactive about their cloud-based data and can’t naively assume that “someone else” is taking care of that security.
Those insights come from a brand-new threat report, the first ever jointly conducted by Oracle and KPMG. The “Oracle and KPMG Cloud Threat Report 2018,” to be released this month at the RSA Conference, fills a unique niche among the vast number of existing threat and security reports, including the well-respected Verizon Data Breach Investigations Report produced annually since 2008.
The difference is the Cloud Threat Report’s emphasis on hybrid cloud, and on organizations lifting and shifting workloads and data into the cloud.
“In the threat landscape, you have a wide variety of reports around infrastructure, threat analytics, malware, penetrations, data breaches, and patch management,” says one of the designers of the study, Greg Jensen, senior principal director of Oracle’s Cloud Security Business. “What’s missing is pulling this all together for the journey to the cloud.”
Indeed, 87% of the 450 businesses surveyed say they have a cloud-first orientation. “That’s the kind of trust these organizations have in cloud-based technology,” Jensen says.
Here are data points that break that idea down into more detail:
- 20% of respondents to the survey say the cloud is much more secure than their on-premises environments; 42% say the cloud is somewhat more secure; and 21% say the cloud is equally secure. Only 21% think the cloud is less secure.
- 14% say that more than half of their data is in the cloud already, and 46% say that between a quarter and half of their data is in the cloud.
That cloud-based data is increasingly “sensitive,” the survey respondents say. That data includes information collected from customer relationship management systems, personally identifiable information (PII), payment card data, legal documents, product designs, source code, and other types of intellectual property.
Cyberattacks Reveal the Pace Gap
Two-thirds of organizations in the study report some type of past interruption due to a security incident, such as losing the ability to provide service, diminished employee productivity, or delays to IT projects. Just more than half of the businesses say they’ve experienced a financial hit as a result, including a loss of shareholder value, the cost of data loss, or the costs of reputational damage.
Oracle’s Jensen says there’s a growing realization of a “pace gap” between how fast organizations can create and/or deploy new business applications and how fast they can secure those applications to meet an organization’s security and compliance target. Security is lagging behind. This gap is exacerbated by agile application development methodologies.
So should businesses slow down their deployment of new software? Jensen laughs at that suggestion. Instead, he calls for improving security training, processes, and technology.
“A priority area that falls down is training the average end users, because they’re the most vulnerable point of attack, and some of the most successful attacks leverage social engineering, such as phishing,” Jensen says.
When it comes to processes, companies must understand the security responsibility they share with their cloud providers.
As the Oracle-KPMG study explains, the line of demarcation between what cloud vendors and customers are responsible for securing differs when it comes to software as a service, infrastructure as a service, and platform as a service. With IaaS, for example, service providers “are generally responsible for securing the physical infrastructure up to and including the virtualization layer with the customer, then responsible for protecting the server workload,” the report says. “However, regardless of consumption model—IaaS, PaaS, and SaaS—the customer is generally responsible for data security and user access and identity management.”
Machine Learning and Automation Can Help
Meantime, emerging technologies can help close the pace gap, by finding and addressing security issues in on-premises data centers, the cloud, and hybrid environments.
The study shows that 38% of organizations use behavioral analysis and anomaly detection tools, which can instantly determine when a user is acting in a suspicious manner. For example, if an employee has never tried to download a customer database to her laptop before but is suddenly doing so at 2:00 a.m.—well, even if she has the authority to do so, something doesn’t appear to be right there.
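The 2:00 a.m. scenario above can be expressed as a per-user baseline check. The following is an added example, not code from the report or from any Oracle or KPMG tool; the log records, field layout, and function names are constructed for illustration, and every event is assumed to be authorized, since the point is that authorization alone does not make the activity normal.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, action, resource)
HISTORY = [
    ("2018-03-05T09:12:00", "alice", "read", "crm.customers"),
    ("2018-03-06T10:40:00", "alice", "read", "crm.customers"),
    ("2018-03-07T14:05:00", "alice", "read", "crm.customers"),
    ("2018-03-08T16:30:00", "alice", "read", "crm.customers"),
    ("2018-03-08T11:00:00", "bob", "export", "crm.customers"),
]
INCOMING = [
    ("2018-03-09T10:30:00", "alice", "read", "crm.customers"),
    ("2018-03-09T11:20:00", "bob", "export", "crm.customers"),
    ("2018-03-10T02:05:00", "alice", "read", "crm.customers"),
    ("2018-03-10T02:00:00", "alice", "export", "crm.customers"),
]

def build_baseline(events):
    """Record, per user, the (action, resource) pairs and hours of day seen so far."""
    pairs, hours = defaultdict(set), defaultdict(set)
    for ts, user, action, resource in events:
        pairs[user].add((action, resource))
        hours[user].add(datetime.fromisoformat(ts).hour)
    return pairs, hours

def signals(event, pairs, hours, tolerance=1):
    """Return the reasons this event departs from the user's own history."""
    ts, user, action, resource = event
    reasons = []
    if (action, resource) not in pairs.get(user, set()):
        reasons.append("first-time action on resource")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance on the 24-hour clock, so 23:00 and 00:00 are one hour apart.
    seen = hours.get(user, set())
    if all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in seen):
        reasons.append("outside usual hours")
    return reasons

def alerts(history, incoming, min_signals=2):
    """Alert only when several independent signals coincide, to limit noise."""
    pairs, hours = build_baseline(history)
    scored = ((e, signals(e, pairs, hours)) for e in incoming)
    return [(e, r) for e, r in scored if len(r) >= min_signals]

if __name__ == "__main__":
    for event, reasons in alerts(HISTORY, INCOMING):
        print(event, "->", ", ".join(reasons))
```

Only the 02:00 export is reported: the 02:05 read is unusual in time but not in kind, so it stays below the two-signal threshold.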
Machine learning is another effective tool for reacting quickly to threats: ML algorithms can study tremendous quantities of data (such as transaction logs) and identify patterns. The Oracle-KPMG study shows that 47% of organizations are using machine learning for cybersecurity purposes.
Automation is also key: The more that software can handle routine security tasks, the fewer human errors can creep into system configurations and alert responses. In the study, 84% of companies say they’re committed to increased levels of security automation.
Overall, the future of the cloud is bright when it comes to security. When the majority of organizations rate cloud security as better than their on-premises security, and when 90% of organizations categorize at least half of their cloud data as sensitive, we’re past the tipping point. Organizations must always remain vigilant, but the cloud has earned their trust.
Alan Zeichick is principal analyst at Camden Associates, a tech consultancy in Phoenix, Arizona, specializing in software development, enterprise networking, and cybersecurity. Follow him @zeichick.