The Information Security Community on LinkedIn has published a fascinating Spotlight Report on trends in cloud adoption, security-related concerns, and tools and best practices being considered or adopted to deal with the threats. The report was based on a survey of 2,200 individuals in different types and sizes of organisation, across various sectors, and in roles ranging from technical executives to managers and practitioners. 91% of organisations surveyed have security concerns – with 44% being “very concerned”.
In terms of the general landscape, the top three barriers to cloud adoption were reported as general security risks (53%), legal and regulatory compliance (42%) and data loss and leakage risks (40%). The biggest cloud security headaches were seen as verifying security policies (51%), visibility to infrastructure security (49%) and compliance (37%). Even so, 18% of respondents said their organisations had more than 50% of applications deployed in the cloud: double from last year.
The most common information stored in the cloud was email (44%) followed by customer data (32%), sales and marketing data (31%) and employee data (30%). The most popular cloud app categories were web apps, collaboration, productivity, IT operations and custom - with the most popular cloud apps reported as Microsoft Office 365, Salesforce, Exchange, Google Apps, Dropbox, ServiceNow, Box, Workday and SuccessFactors. None of this is hugely unexpected; it’s a very similar picture to what we’re finding in our own interactions with customers and cloud security partners.
There also remains a significant degree of confidence, with 52% of respondents believing cloud apps are as secure or more secure as on-premises apps. Interestingly, 22% of respondents believed that cloud actually reduced the chance of security breach while 21% believed it increased the chance. While 55% of respondents said they hadn’t yet experienced a cloud-related security incident, the remaining 45% had either experienced an incident (9%), weren’t sure (21%) or couldn’t disclose the information (15%). The biggest threats included “unauthorized access through misuse of employee credentials and improper access controls” (53%) followed by account hijacking (44%), insecure interfaces/APIs (39%) and external data sharing (33%). So, if that’s the state of play, what are organisations actually doing to mitigate the risks? I’ll cover that aspect of the Spotlight Report in my next blog.