Migration to hyperscale providers is commonplace, but disconnect between cloud adoption and awareness of cloud security remains.
A new survey by global technology services provider Claranet has found that half of UK businesses do not have full in-house capability to manage security in the cloud. This is despite the fact that cloud adoption is now commonplace in the majority of organisations, and is showing no signs of abating. The findings illustrate how many companies have still not found an effective way to marry the full benefits of cloud with a comprehensive cybersecurity strategy.
The research was carried out by Vanson Bourne and surveyed 100 IT decision-makers from UK-based organisations with more than 1,000 employees. 50 per cent of those polled said that they do not have the skills in-house to manage cloud security, with 52 per cent saying that they have incomplete awareness of how their organisation’s security posture in the cloud affects their overall IT security. This is despite the fact that 79 per cent of businesses have either already migrated application workloads to hyperscale cloud providers, or are currently in the process of doing so.
Commenting on the findings, Sumit (Sid) Siddarth, Director at Claranet Cyber Security, said:
“Businesses that have not engaged with cloud in some way are now few and far between, with hyperscalers having established a dominant position in the cloud market. Organisations are making significant progress with planning and carrying out these migrations, but our research has shown that there’s a very real danger of security being left behind as part of this process.”
“The self-provisioning aspects of public cloud are beneficial in many ways, but they can also lure businesses into a false sense of security. The big hyperscalers have a lot of sensible defaults to help guard against threats, but if internal IT teams without the requisite skills create these environments themselves, mistakes can still occur. We have already seen a number of security breaches due to insecure permissions set on cloud storage, be it S3 buckets or Azure blobs. Other examples include attackers compromising cloud infrastructure to spin up bitcoin mining rigs.”
To help plug this gap in in-house skills, Siddarth believes that businesses need to re-evaluate their approaches to both cloud and security, and make sure that they consider both as being part of the same IT ecosystem, rather than being separate challenges that are tackled independently of one another. This should include efforts to upskill in-house staff, and also the formation of collaborative partnerships with external experts who are well-versed in the specifics of secure cloud migration.
“Migrating to cloud is often a complex process, so it’s important to invest a lot of manpower in it. However, there should be no excuse for neglecting security considerations, especially given the current threat landscape and the fact that hackers are seeing cloud as an increasingly lucrative target. Working with partners can be hugely advantageous here, as they can bring the added expertise needed to work through the more complex aspects of secure cloud migration, such as developing infrastructure as code to guard against mistakes being made.”
“Also key to addressing this skills gap in the long term is engaging with third parties to implement holistic training programmes focusing on the unique challenges and intricacies of cloud security. By investing in this area, businesses can ensure that they build applications that are fully cloud-ready from the outset, and foster a philosophy which incorporates security into any cloud migration activity.”
“Cloud’s continued rise is inexorable, so it’s important that organisations act now to shore things up from a security perspective. With the right focus on raising skill levels and sealing gaps in knowledge, this is very much a realistic aim.”