Enterprises muddled over cloud security responsibilities

Close to half of large UK enterprises expect to be cloud-only by 2021, and 5% believe they are already there today, heralding a massive expansion of cloud services in the next 12 months, bringing with it new security risks, according to research from McAfee.

The study, which explored the attitudes of 1,000 respondents from the UK, France and Germany, showed that 86% of UK IT leaders say they are already cloud-first, and 70% anticipate going cloud-only.

Some 12%  do not think their organisations would ever adopt a cloud-first posture, with security cited as a top concern. This was despite a high proportion of respondents claiming that a cloud-first strategy had improved their security postures.

Nigel Hawthorn, director of McAfee’s EMEA cloud security business, said there was a clear dichotomy between those who saw cloud security as a problem, and those who saw it as better than their internal IT security.

“There’s this question about security that comes up every time, and what scares me about this is that the answers are all over the place,” said Hawthorn.

“This is why cloud security is not necessarily being addressed in a holistic manner, because it has to have an owner, it has to have a team who are led by someone to actually make sure that it’s being addressed.”

McAfee’s study surfaced a diverse range of views about who should take responsibility, whether that’s a dedicated data protection officer or CISO, a head of compliance, or even the CEO.

“We are in a dangerous place if we’re going to cloud as fast as possible, but we haven’t decided who’s responsible for the security piece. That will lead us unfortunately into some dangerous areas,” he said. “Cloud security needs to be recognised as a discipline that has the investment and people, because it is the pre-eminent way of delivering computing.”

Hawthorn cited one workshop conducted by McAfee in a large, unnamed organisation, in which two different people from different departments stood up and claimed to have responsibility for General Data Protection Regulation (GDPR) compliance in the cloud. They had never met before.

McAfee’s statistics suggest that some of this confusion stems from general ignorance over what services are being used in an organisation. Just under a fifth of respondents who used cloud-based apps admitted they used services that have not been approved by their IT departments, but a similar number of IT leaders thought that less than 5% of staffers used unapproved apps and services.

Miscommunication in enterprises was identified as a major factor in cloud-native security breaches in a previous McAfee report issued in September 2019. This report showed that a lack of visibility into cloud apps and services meant that security risks were being vastly under-reported.

“Non-cloud computing is a thing of the past,” said Hawthorn. “Whether businesses are close to cloud-only status or still shifting towards a cloud-first approach, the age of cloud is already here. While this heralds major leaps in enterprise innovation, agility and productivity, it could also lead to serious security lapses if not handled correctly.”

“Data and applications have shifted to the cloud – and where they go, cyber criminals will try to follow. We’re now in a new era of cloud-native data breaches,” added McAfee chief scientist and fellow, Raj Samani.

“As we shift towards a cloud-only or cloud-first business environment, organisations must adapt their security technology and processes to close the gap between cloud adoption and secure enablement in the enterprise. Businesses will need to adopt cloud-native security tools that are purpose-built for cloud security. If not, they run the risk of becoming an easy target for cyber criminals.”