Oracle and KPMG cloud threat report 2018

The impact of the cloud-enabled workplace on cyber security strategies.

The broad adoption of cloud services, coupled with knowledge worker mobility, has created a new set of cyber security challenges. The agility of the cloud has created a strategic imperative to keep pace at scale.

Based on a survey of 450 cyber security and IT professionals, the "Oracle and KPMG cloud threat report 2018" reviews the cyber security implications and challenges of rapid cloud adoption.

Executive summary

Cloud computing truly is a fundamental paradigm shift that is disrupting established markets and challenging established brands to move faster to realize competitive advantages, if not to simply maintain competitive parity. The broad adoption of cloud services, coupled with knowledge worker mobility, has created a new set of cybersecurity challenges. The agility of the cloud has created a strategic imperative to keep pace at scale.  As organizations scale their infrastructure, applications, and users, the security requirements are lagging and further challenged to scale at the same rate. We’ll discuss the implications of the cloud-enabled workplace on cybersecurity priorities by exploring the following key findings of the Oracle and KPMG Cloud Threat Report, 2018:

• Cloud usage continues unabated. Cloud-first initiatives and an increasing level of confidence in the security posture of public cloud environments have fueled the broad adoption of cloud services, resulting in an appreciable portion of an organization’s sensitive data now being cloud-resident.
• The threat landscape is increasingly complex and varied. A range of threats, headlined by phishing, malware, and exploits, have been broadly experienced, with these and other threats such as business email compromises being top-of-mind concerns moving forward.
• Detection and response is critical—but not always easy in the cloud. Customers cite detecting and reacting to threats in the cloud as their top cybersecurity challenge. This creates a cloud “visibility gap” that customers must address.
• Customers don’t always understand their cloud security obligations. Confusion about the interpretation of the shared responsibility security model poses a risk to securing cloud infrastructure and applications as customers are often not clear where their provider’s role ends and theirs starts, creating gaps.
• Security professionals worry about the impact of attacks on business operations. While cybersecurity attacks result in financial loss, the top-cited impact is on business operations, including the ability to deliver core services.
• Cloud and mobile-centric employees beget the need for new identity and access management strategies. Knowledge worker mobility and the use of cloud-delivered applications have made identity management at scale a challenge, with aligning roles and permissions a strategic imperative.
• Technology alone isn’t enough. Organizations are funding retooling initiatives to secure the use of cloud applications and infrastructure with a set of best practices that focuses on people, processes, and technologies.
• Machine learning can help. Emerging technologies such as machine learning and security automation promise to improve the efficacy of detecting and preventing threats, as well as the operational efficiency with which cloud enabled workplaces are secured.

Closing the gap

We are now moving past security concerns about the cloud being an impediment to the use of cloud services, but appreciable risk remains. Lines of business have not only demanded the agility the cloud provides, but very often consume cloud services without the involvement, never mind approval, of the corporate IT and cybersecurity teams. This manifestation of shadow IT, which bypasses cybersecurity policies and processes, clearly threatens corporate cybersecurity strategies. As a result, many organizations are faced with the need to close the gap between their organization’s use of the cloud and their readiness to secure a growing cloud footprint, requiring a retooling of people, processes, and technologies. Participants in our study appreciate that closing the cloud security gap will require investments, with 89% of respondents expecting their organization will increase cybersecurity spending in the next fiscal year, and 44% of them anticipating a rise of 7% or more. And according to research conducted by ESG, cloud infrastructure security and cloud application security are two areas in which 43% of organizations expect to make the most significant cybersecurity investments in 2018.

While this report focuses on these important considerations of securing an increasingly cloud-centric data center, it is important to note, and be mindful of the fact, that tried and true IT systems such as on-premises client-server architected applications are still serving business-critical functions. Because today’s modern technology ecosystem is comprised of disparate infrastructures that span generations of computing technologies and practices, a holistic approach to security is required.