Companies must take a share of cloud security responsibility

Organisations are struggling to protect their data amid a growing number of security breaches, new research from Oracle and KPMG has warned.

Only 14% of the organisations surveyed said they are able to effectively analyse and respond to the vast majority (75-100%) of their security event data.

In the report, Mary Ann Davidson, chief security officer at Oracle, wrote: “Realistically, given the scope of patches released on a weekly basis, most organisations cannot patch everything they need to, much less do it fast enough. Cloud providers, with greater automation and the ability of DevOps to integrate new/improved components rapidly, can more quickly close the gap between vulnerability discovery, patch production and patch application.”

The study found that 90% of organisations say they are now storing sensitive data in the cloud. “We are now moving past security concerns about the cloud being an impediment to the use of cloud services, but appreciable risk remains,” Oracle and KPMG said in the report.

Despite defined security policies, eight out of 10 organisations worry about employee compliance and four out of 10 say detecting and responding to cloud security incidents is a top cyber security challenge, said Oracle and KPMG.

“Lines of business have not only demanded the agility the cloud provides, but very often consume cloud services without the involvement, never mind approval, of the corporate IT and cyber security teams,” the report said. “This manifestation of shadow IT, which bypasses cyber security policies and processes, clearly threatens corporate cyber security strategies.

“As a result, many organisations are faced with the need to close the gap between their organisation’s use of the cloud and their readiness to secure a growing cloud footprint.”

Oracle and KPMG found that the use of mobile devices and cloud applications has complicated the use of identity and access management controls and monitoring. In the survey, 45% said they review entitlements once a quarter, and 28% review them each month.

According to Oracle and KPMG, businesses could benefit from more frequent reviews of employee entitlements. “Entitlement review is especially relevant when comparing the process for removing a former employee’s access to an on-premise application versus the one for terminating access to cloud-delivered applications,” said the report.

“In the case of eliminating an ex-employee’s access to an on-premise application, the IT organisation typically follows an exit protocol that includes taking steps such as gaining possession of the employee’s laptop, disabling VPN access, removing the user from the domain, and more.

“However, a former employee does not need a VPN connection to access a company’s SaaS application and can do so from another device with his or her credentials. As such, eliminating a former employee’s entitlement to use cloud applications makes decommissioning cloud application credentials a critical step in the employee exit process and one that is especially important for business-critical applications such as ERP and CRM systems.”

Tony Buffomante, US leader of KPMG cyber security services, said: “The pace of innovation and change in business strategies today necessitates flexible, cost-effective, cloud-based solutions. As many organisations migrate to cloud services, it is critical that their business and security objectives align, and that they establish rigorous controls of their own, versus solely relying on the cyber security measures provided by the cloud vendor.”