How to address and close the cloud security readiness gap
Cloud security readiness remains a shortcoming for companies despite the majority using cloud services. Here are three steps they can take to close the cloud security gap.
The adoption and use of cloud services have increased significantly over the past few years -- and this trend is only expected to grow as organizations embrace a remote workforce in light of COVID-19.
Yet, according to KPMG and Oracle's third-annual Cloud Threat Report, while 88% of organizations currently use public cloud services, 92% of IT and security professionals do not trust that their organization is well prepared to secure public cloud services. And 44% of respondents described that readiness gap as wide.
Why do IT and security teams feel so unprepared? Beyond an overall lack of talent and a rise in the number of bad actors targeting corporate cloud services, increasingly complex hybrid and multicloud environments have led to confusion around the cloud shared responsibility model and to a sprawl of specialty cybersecurity tools.
If companies don't put in place the proper processes and controls, as well as build a culture that encourages broad security awareness, vital information on the public cloud may be vulnerable to theft, hacking or worse.
Build a culture of cloud security from the design phase
Security has too often been an afterthought in development. Usually, developers build a product or service and then bring in security to assess it and fix any issues it uncovers. Finding problems this late can leave avoidable vulnerabilities in place and adds rework for a team that is already under tight deadlines and potentially short-staffed.
One way to fix this is by bringing security into the design process early on via a Secure DevOps approach (also known as DevSecOps). By building security into the design of cloud-based services or products, companies can help mitigate early-stage vulnerabilities, which can save time and cost, and ultimately support better cloud security controls.
Secure DevOps helps companies make better use of existing skills, pool resources and build awareness beyond security practitioners. Essentially, by offering a means to automate the integration of security into DevOps processes, Secure DevOps can serve as a cultural catalyst that treats security as a business requirement and a responsibility shared by all members of a project team.
Similar to the mindset change that was required for DevOps, culture will be the starting point for integrating security into DevOps processes. Not surprisingly, the journey to Secure DevOps is still a work in progress. Just over one-third of Oracle/KPMG survey respondents whose organization employs, plans to employ, or is interested in employing DevOps said that their organization has already integrated security into its DevOps process.
Identify and automate repeatable processes
Given the sheer volume and complexity of attacks, and the lack of cybersecurity professionals with extensive experience in the cloud, companies will need to look to automation to help drive efficiencies -- especially as IT budgets continue to shrink.
Companies should identify repeatable processes that can be automated, looking for areas where intelligent automation can solve challenges and manage risks. For example, automation can help with proactive enforcement of static and dynamic security scans in the development/preproduction environment.
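What "proactive enforcement" of scan results can look like in practice is a policy gate that runs in the pipeline and fails the build when scanner findings exceed an agreed threshold. The following is an added example, not code from the article or from KPMG or Oracle. It assumes the scanner writes its findings in SARIF 2.1.0 (a common interchange format for SAST and DAST tools) and that the pipeline treats a non-zero exit status as a failed stage; the sample report, the thresholds and the accepted-risk list are all constructed for illustration.

```python
"""Policy gate for security-scan output in a CI/preproduction stage.

Added example (not from the article). Assumes the scanner emits SARIF 2.1.0
and the pipeline fails the stage when this script exits non-zero. The report,
thresholds and accepted risks below are constructed for illustration.
"""
import json
import sys
from collections import Counter

# Constructed SARIF report standing in for real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "hardcoded-credential", "level": "error",
             "message": {"text": "Hardcoded cloud access key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deploy/config.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "weak-tls-version", "level": "warning",
             "message": {"text": "TLS 1.0 allowed on load balancer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/lb.tf"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "missing-docstring", "level": "note",
             "message": {"text": "Function lacks docstring"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Illustrative policy: how many unaccepted findings per SARIF level the build
# may carry. None means the level is reported but never blocks.
DEFAULT_POLICY = {"error": 0, "warning": 5, "note": None}

# Findings a reviewer has explicitly accepted, keyed by (ruleId, file).
# Keeping this in the repository means suppressions go through code review.
ACCEPTED_RISKS = set()


def iter_findings(sarif_text):
    """Yield (level, ruleId, file, line, message) for each SARIF result."""
    report = json.loads(sarif_text)
    for run in report.get("runs", []):
        for result in run.get("results", []):
            # A result without an explicit level is treated as "warning",
            # the SARIF default.
            level = result.get("level", "warning")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            msg = result.get("message", {}).get("text", "")
            yield level, result.get("ruleId", "<no-rule>"), uri, line, msg


def evaluate(sarif_text, policy=DEFAULT_POLICY, accepted=ACCEPTED_RISKS):
    """Return (passed, counts, violations) for a report against a policy.

    counts     - Counter of unaccepted findings per level
    violations - one line per finding that pushed a level over its limit
    """
    counts = Counter()
    violations = []
    for level, rule, uri, line, msg in iter_findings(sarif_text):
        if (rule, uri) in accepted:
            continue  # reviewed and accepted; does not count against the limit
        counts[level] += 1
        limit = policy.get(level)
        if limit is not None and counts[level] > limit:
            violations.append(f"{level.upper()} {rule} at {uri}:{line}: {msg}")
    return not violations, counts, violations


def main(argv):
    """Gate a SARIF file given on the command line (or the sample report)."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    passed, counts, violations = evaluate(text)
    print("findings by level:", dict(counts))
    for v in violations:
        print("BLOCK:", v)
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with `python gate.py report.sarif` after the scan step; on the sample report the single error-level finding blocks the build, while the warning stays under its limit and the note is reported without blocking. The point of the accepted-risk set is that exceptions are recorded and reviewed rather than made by lowering the scanner's sensitivity.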
Another area where automation can help is the operational side of a cybersecurity program, such as monitoring in the production environment. By automating cloud monitoring activities, companies can detect a breach sooner, respond quickly and help limit the damage.
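Automated monitoring in production means, concretely, running detection rules continuously over the provider's audit trail rather than reviewing it after the fact. The following is an added example, not code from the article or from KPMG or Oracle. The event fields are modeled on AWS CloudTrail records (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, responseElements), but the events themselves, the rule set and the brute-force threshold are constructed for illustration.

```python
"""Rule-based detection over cloud audit events, as an added example (not
from the article). Field names follow AWS CloudTrail; the events, rules and
thresholds below are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5               # assumed: failures that count as brute force
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumed: sliding window for that count


def _ev(time, source, name, identity, ip, **extra):
    """Build one constructed audit record."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": identity, "sourceIPAddress": ip}
    ev.update(extra)
    return ev


# Constructed sample: root console login, audit logging switched off, S3
# public-access protection removed, a burst of failed logins, one benign call.
SAMPLE_EVENTS = [
    _ev("2020-06-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin",
        {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "203.0.113.5",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2020-06-01T10:01:00Z", "cloudtrail.amazonaws.com", "StopLogging",
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "203.0.113.5",
        requestParameters={"name": "org-trail"}),
    _ev("2020-06-01T10:02:00Z", "s3.amazonaws.com", "DeleteBucketPublicAccessBlock",
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "203.0.113.5",
        requestParameters={"bucketName": "customer-exports"}),
    _ev("2020-06-01T10:20:00Z", "ec2.amazonaws.com", "DescribeInstances",
        {"type": "IAMUser", "userName": "carol"}, "192.0.2.9"),
] + [
    _ev(f"2020-06-01T10:0{m}:00Z", "signin.amazonaws.com", "ConsoleLogin",
        {"type": "IAMUser", "userName": "bob"}, "198.51.100.7",
        errorMessage="Failed authentication", responseElements={"ConsoleLogin": "Failure"})
    for m in range(3, 8)   # five failures, 10:03 to 10:07
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def alert(severity, rule, ev, actor, detail=""):
    return {"severity": severity, "rule": rule, "time": ev["eventTime"], "actor": actor,
            "event": ev.get("eventName"), "source_ip": ev.get("sourceIPAddress"),
            "detail": detail}


def detect(events):
    """Run all rules over events in time order and return the alerts raised."""
    alerts = []
    failures_by_ip = defaultdict(deque)  # ip -> timestamps of recent failed logins
    brute_force_alerted = set()          # alert once per source IP
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        who = ident.get("arn") or ident.get("userName") or ident.get("type", "?")
        name, source = ev.get("eventName"), ev.get("eventSource")
        resp = ev.get("responseElements") or {}

        # Root account used interactively: should never happen in daily operation.
        if name == "ConsoleLogin" and ident.get("type") == "Root" \
                and resp.get("ConsoleLogin") == "Success":
            alerts.append(alert("CRITICAL", "root_console_login", ev, who))

        # Audit trail stopped or deleted: classic cover-tracks activity.
        if source == "cloudtrail.amazonaws.com" and name in {"StopLogging", "DeleteTrail"}:
            trail = (ev.get("requestParameters") or {}).get("name", "?")
            alerts.append(alert("CRITICAL", "audit_logging_disabled", ev, who, f"trail={trail}"))

        # Guardrail against public buckets removed.
        if name == "DeleteBucketPublicAccessBlock":
            bucket = (ev.get("requestParameters") or {}).get("bucketName", "?")
            alerts.append(alert("HIGH", "public_access_block_removed", ev, who, f"bucket={bucket}"))

        # Repeated failed console logins from one IP inside a sliding window.
        if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            ip, now = ev.get("sourceIPAddress"), parse_time(ev["eventTime"])
            window = failures_by_ip[ip]
            window.append(now)
            while window and now - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and ip not in brute_force_alerted:
                brute_force_alerted.add(ip)
                alerts.append(alert("HIGH", "console_login_bruteforce", ev, ip,
                                    f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(json.dumps(a))
```

On the sample the benign `DescribeInstances` call raises nothing, while the other four activities each produce one alert, in time order. In a real deployment the alerts would feed a ticketing or response system; the value of running the rules automatically is that the time between the `StopLogging` call and someone noticing it drops from "next audit review" to seconds.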
Simplify cloud security tools and responsibilities
Only 8% of IT security professionals stated that they fully understand the shared responsibility security model, according to the Oracle/KPMG report. This lack of clarity is a key contributor to the cloud security readiness gap -- and has left security teams scrambling to address a growing number of threats that they initially assumed would be the responsibility of the public cloud service providers.
Part of the reason for such confusion is the vast number of services and components that companies use today from the cloud services providers -- and some companies may employ over 30 from each IaaS/PaaS cloud service provider at a time. These services each require a nuanced set of cybersecurity controls or tools. In fact, on average, Oracle/KPMG research respondents report using over 100 discrete cybersecurity controls.
While the contract with cloud service providers is a good starting point to build that understanding, companies also need to better understand responsibilities associated with the services and components being used. To tackle the challenges associated with the shared responsibility model, companies need to consider consolidating a disparate set of tools into an integrated platform and aligning responsibilities. Organizations today are even considering buying most of their cybersecurity tools from a single vendor in a bid to simplify processes.
Lastly, it's important to build a strategy around both current and planned cloud services and to make sure to clarify everyone's responsibility for each of those services in addition to the overall responsibility model.
The time is now to address your cloud security issues
The cloud security gap is not a new challenge. But with the recent spike in bad actors taking advantage of cloud vulnerabilities, and an expected rise in cloud adoption, closing this gap has become more vital than ever. While there is no panacea, by taking these steps, organizations can begin to reduce the gap and help decrease the risk of data leaks or hacks in the public cloud.
About the author
Sailesh (Sai) Gadia is a partner of Cyber Security Services at KPMG. He has more than 20 years of information technology risk and management advisory experience. Gadia's current and past clients include some of the leading entities in insurance, healthcare and banking. Gadia is a thought leader in cloud computing security and risk management and co-authored a book titled Control Objectives for Cloud Computing that was published by ISACA in 2011. He is the architect of KPMG's global Cloud Governance and Controls methodology that has been deployed on client engagements around the world.