Cybersecurity teams need to catch up in public cloud space

01 July 2020 6 min. read
More news on

Following a survey of 750 respondents cross North America, Europe and Asia Pacific, KPMG and Oracle have concluded that cloud strategies across the globe are distinctly lacking an adequate security framework. 

The two firms report that the adoption of cloud technology has spiked in recent years. Transitioning to cloud tech can cut costs, increase efficiency, improve storage and dramatically expand the scalability of a business. It also typically is the first of many key steps in the overall digital transformation process.

So with the growing importance of digital transformation in nearly every sector, the adoption of cloud technology has skyrocketed. However, when transitioning to the cloud, many organisations appear to have overlooked key security considerations, leaving them susceptible to a variety of attacks.

Common cybersecurity attacksKPMG and Oracle for instance found that most organisations have either been targeted by an email phishing scheme that contains malware, or misuse of privileged IT access by an employee. Cyber business fraud is another type of crime experienced by many.

Denial of service attacks are also frequent, where actors disable key technology or networks within an organisation. Others include DNS attacks, exploitation of known vulnerabilities, business email compromise, stolen credentials, and ransomware.

Where is the threat?

The nature of cybercrime stretches across nearly every operational node of an organisation. The cloud extends these operations further to a number of remote devices, which increases the number of vulnerable points. This is without taking into consideration a host of new devices that have entered the fray as businesses transition to remote working under Covid-19.

Gaps in security readiness

Given the complexity and versatility of the threat landscape, it is understandable that organisations are often left blindsided. Most businesses are thought to have a skewed idea of where the threats originate from. For instance, business email compromise is far from the most frequent type of attack, although KPMG and Oracle report that it is the type of crime that receives the most attention.

Getting secured

This discrepancy is what the report seeks to address, as it accentuates the need for a more comprehensive security framework that can accurately navigate the threat landscape. At present, most respondents themselves feel that their security frameworks are inadequate.

The rapid rate of cloud adoption and the rapid business transformation that it enables has left many organisations playing catchup with their security frameworks. More than 90% of the respondents revealed that they have a security readiness gap when it comes to public cloud infrastructure, 44% of whom think this gap is wide while 48% consider it to be moderate.

According to the report, this gap is as much the result of skewed priorities as it is of skewed capabilities.

Which areas do you feel are the most important to improve security visibility for your organization’s use of public cloud services?

“For starters, cloud services and applications are often consumed by a business unit outside of the purview of the centralized IT and cybersecurity teams. Then, as lines of business realise rapid time to value, use expands. Collaboration with the cybersecurity team is perceived as threatening to throttle speed. Herein lies the issues of velocity outpacing security readiness and the need for a cultural shift in how organisations approach cybersecurity,” explained the report.

Many organisations, however, feel that the vulnerability has to do with the fact that their data is housed in a cloud centre, and is therefore out of sight and control. KPMG and Oracle found that many respondents are keen to improve visibility on key issues such as software vulnerabilities or non-compliant workforce configurations.

Organisations would also like to have an audit trail of system activity, or the ability to identiy misconfigured security groups. Unprotected severs, unprotected data and third party access to the public cloud resident-data are all areas where businesses seek more control in order to truly implement a comprehensive security framework.

What percentage of your business-critical applications are SaaS? How do you expect this to change over the next 24 months?These are some areas where businesses and cloud service providers could work to potentially improve cybersecurity frameworks. This is essential to the “cultural shift” that KPMG and Oracle describe, which has become all the more important in light of the growing reliance on cloud technology.

Most respondents expect anywhere between 20% and 50% of their business critical applications to fall within the Software-as-a-Service (SaaS) domain over the next two years, making the security landscape ever more complex. The intentions to transition indicate a degree of trust in the security mechanisms of cloud providers, although the authors urge businesses to take a strategic approach going forth.

"Disparate perspectives and agendas need to be unified into a cohesive strategy, with all constituents – lines of business, application development, IT operations, cybersecurity, risk, and compliance teams ­– internalising cybersecurity as a strategic priority and shared responsibility,” stated the researchers.