McAfee has polled 1,400 IT professionals across a broad set of countries (and continents), industries, and organization sizes and has concluded that lack of adequate visibility and control is the greatest challenge to cloud adoption in an organization. However, the business value of the cloud is so compelling that some organizations are plowing ahead.
Cloud services nearly ubiquitous
According to the survey, the results of which have been unveiled at RSA Conference 2018, 97 percent of worldwide IT professionals are using some type of cloud service.
The combination of public and private cloud is the most popular architecture, with 59 percent of respondents now reporting they are using a hybrid model. While private-only usage is relatively similar across all organization sizes, hybrid usage grows steadily with organization size, from 54 percent in organizations up to 1,000 employees, to 65 percent in larger enterprises with more than 5,000 employees.
The majority (83%) of organizations store some or all of their sensitive data in the public cloud. The types of data stored run the full range of sensitive and confidential information:
- Personal customer information (61%)
- Internal documentation, payment card information, personal staff data or government identification data (around 40%)
- Intellectual property, healthcare records, competitive intelligence and network pass cards (about 30%).
Cloud-First is an IT strategy that states new projects should consider using cloud technology first as opposed to on-premises servers or software. According to the report, Cloud-First is the strategy for IT in many companies and remains a primary objective. Caution seems to have taken over for others, as the number of organizations with a Cloud-First strategy dropped from 82 percent to 65 percent this year. Despite all that, respondents with a Cloud-First strategy still believe that public cloud is safer than private cloud. They understand the risks, and yet the more they know, the more confident IT professionals are that Cloud-First is the course they want to be on.
Security incidents and skills shortage
1-in-4 organizations that uses IaaS, PaaS or SaaS has had data stolen, and 1-in-5 has experienced an advanced attack against its public cloud infrastructure.
As organizations prepare for the European Union’s General Data Protection Regulation (GDPR), slated for May 2018, they will be ramping up compliance efforts. Organizations that are more confident in the ability of their cloud providers are more likely to have plans to increase their overall cloud investments in the coming year, while those less confident plan to keep their investments at the current level. Fewer than 10 percent surveyed, on average, anticipate decreasing their cloud investment because of GDPR.
Malware continues to be a concern for all types of organizations and 56 percent of professionals surveyed said they had tracked a malware infection back to a cloud application, up from 52 percent in 2016. When asked how the malware was delivered to the organization, just over 25 percent of the respondents said their cloud malware infections were caused by phishing, followed closely by emails from a known sender, drive-by downloads and downloads by existing malware.
The shortage of cybersecurity skills and its impact on cloud adoption continues to decrease, as those reporting no skills shortage increased from 15 percent to 24 percent this year. Of those still reporting a skills shortage, only 40 percent have slowed their cloud adoption as a result, compared to 49 percent last year. Cloud adoption rates are highest in those reporting the highest skills shortages.
Best practices and recommendations
Based on findings, there are three best practices that all organizations should actively work towards:
- DevOps and DevSecOps have been demonstrated to improve code quality and reduce exploits and vulnerabilities. Integrating development, quality assurance and security processes within the business unit or application team is crucial to operating at the speed today’s business environment demands.
- Even the most experienced security professionals find it difficult to keep up with the volume and pace of cloud deployments on their own. Automation that augments human advantages with machine advantages, such as that found in tools such as Chef, Puppet or Ansible, is a fundamental component of modern IT operations and it is no different with cloud adoption.
- Multiple management tools make it too easy for something to slip through. A unified management platform across multiple clouds with an open integration fabric reduces cost and complexity and increases security.