In September 2016, McAfee completed a survey of over 1400 senior technical professionals. The results offer a detailed understanding of the state of cloud adoption and security.
We interviewed Magi Diego, Global Editorial Director for the Content Editorial Team at McAfee -who lead the study- to get her perspective on what these results mean. The result was a colorful peek into the world of 1400 senior technical professionals from all over the world: why they trust public clouds over their own networks, the explosion of hybrid infrastructures, what it means to employ a cloudfirst strategy and one the thing they struggle with most.
IT LEADERS ARE PUTTING THEIR TRUST IN THE CLOUD
Last year, the sentiment around trust in public clouds reached a tipping point. “A year ago, only about fifty-percent of executives trusted the cloud. Now, five people trust their data to the cloud to every one person who won’t,” said Diego. In 2016, the number of IT leaders who completely distrust public clouds dropped to just four percent, while the number of leaders who have some, or all of their trust in public clouds grew by roughly eleven points (see fig. 1).
In fact, Almost eighty-five percent of professionals surveyed report they trust some or all of their sensitive data in the public cloud. But, this doesn’t mean that organizations are willing to send their valuable data to any cloud service. The survey data revealed that the average number of cloud providers per business dropped from 43 to 29 in the past year.
According to Diego, this indicates consolidation among providers as well as more care being taken by Chief Information Security Officers (CISOs) in selecting cloud services that offer the right safeguards and the lowest risk.
THE USE OF HYBRID CLOUD SERVICES SPIKED DRAMATICALLY IN 2016
More than 80% of the organizations surveyed stated that they are now following a cloud-first strategy. This means giving priority to applications purchased as-a-service or deployed in the cloud vs. applications that require hardware, physical services and systems to be in the data center. This preference has resulted in a spike in the use of hybrid cloud architectures last year:
According to figure 2, hybrid cloud usage grew by 38% in 2016, showing that more and more organizations moved their IT operations (and spend) to cloud service providers. This spike in demand undoubtedly created challenges for cloud service providers, who had to host and secure increasingly complex volumes of data in an intensely competitive marketplace.
ORGANIZATIONS ARE STILL WORKING OUT ISSUES WITH CLOUD SERVICE PROVIDERS
According to the study, top-tier providers like Amazon, Microsoft, Google, and Salesforce improved their security posture and expanded security resources - increasing the distance between them and smaller service providers. At the same time, the survey revealed that IT professionals still face the following issues with their cloud providers (see fig. 3).
Interestingly, the top issue has moved from ‘difficulty migrating services or data’ to ‘high cost/poor value,’ while concerns over data loss issues have cooled off. Does that mean companies are offloading the risk to their cloud providers?
“The risk is still yours for any data breach, so you must take responsibility and correctly manage risk,” said Diego. “This entails a different set of skills for IT.” By this, Diego is referring to the respondents who move forward with cloud initiatives despite the fact that they lack the appropriate cybersecurity skills (see fig. 4).
While the skills shortage is still a major challenge for most, the largest organizations were the least likely to have a shortage and in turn, were the least likely to slow cloud adoption plans.
THE MOST SUCCESSFUL ORGS EMPLOY A CLOUD-FIRST STRATEGY
“Cloud first has to permeate the culture,” said Diego. Cloud first means that organizations begin any IT initiative by first seeking out a viable cloud alternative to software or hardware they might typically deploy in a data center. They should only implement the solution on an internal server if nothing suitable is available in the cloud.
According to the study, participating CIOs and other C-level executives were more likely to be following a cloud-first strategy, and expected their budgets to be 80% cloud-based within the next twelve months. These senior executives were also aware of the security skills shortage, and the affect it was having on their cloud adoption rate. To help alleviate the workforce challenges, they were more likely to be operating an integrated or unified security solution. The good news is that organizations are dealing better with risk and executives now place more trust in the cloud than they ever have.
THAT ONE THING THAT WON’T GO AWAY: HOLES AND HACKERS
The study revealed one important recommendation: existing cloud security and data protection tools are not being used enough. Data Loss Prevention (DLP), encryption and cloud access security brokers remain underutilized. Harnessing such tools more effectively could go a long way toward shoring up existing security holes. “You should know before you put the data in the cloud exactly where you stand,” said Diego. “Everything should be thrashed out thoroughly in advance.”
The study discovered that as many as 40% of cloud services fall into the Shadow IT category. These are cloud services deployed by individuals or departments without the knowledge or consent of IT. 65% of IT professionals view this as a major barrier to keeping the cloud safe and secure.
DIEGO URGES IT TO THINK DIFFERENTLY ABOUT CLOUD SECURITY
Maybe in the past, IT could get away with developing a new application and adding security features later. Those days are gone. IT infrastructure may be better described as an ‘IT ecosystem’ since it is no longer static, and evolves constantly. With that in mind, security should no longer be added after a major technology initiative.
“Security must be developed into cloud applications from the beginning,” Diego says. “Understand the shared security model for each cloud service you use. Find all the data you have on any cloud service, network or endpoint and secure it. You must achieve complete visibility of all your data.”
The study echoes Diego’s sentiments in its final recommendation: The pressures of speed, efficiency and cost are pushing more applications and data outside the ‘trusted network’ and into a service provider’s clouds, where those benefits can be realized.
As enterprises cloud-enable their operations, gaps in control, visibility, identity, and security are the most likely paths to data breaches. Integrated or unified security solutions are a strong defense against these threats, giving security operations visibility across cloud in-use services and which data sets are permitted to traverse them.