Half of UK businesses do not have full in-house capability to manage security in the cloud, according to an IT outsourcing company. This is despite the fact that cloud adoption is now common in most organisations, and is showing no signs of abating. The findings show many companies have still not found an effective way to marry the full benefits of cloud with a cybersecurity strategy, it’s claimed.
The research, by Vanson Bourne, saw 100 IT decision-makers surveyed from UK-based organisations with more than 1,000 employees. Half of those polled said that they do not have the skills in-house to manage cloud security, with 52 per cent saying that they have incomplete awareness of how their organisation’s security posture in the cloud affects their overall IT security. This is despite the fact that 79 per cent of businesses have either already migrated application workloads to hyperscale cloud providers, or are in the process of doing so.
Sumit (Sid) Siddarth, Director at Claranet Cyber Security said: “Businesses that have not engaged with cloud in some way are now few and far between, with hyperscalers having established a dominant position in the cloud market. Organisations are making significant progress with planning and carrying out these migrations, but our research has shown that there’s a very real danger of security being left behind as part of this process.
“The self-provisioning aspects of public cloud are beneficial in many ways, but they can also lure businesses into a false sense of security. The big hyperscalers have a lot of sensible defaults to help guard against threats, but if internal IT teams without the requisite skills create these environments themselves, mistakes can still occur. We have already seen a number of security breaches due to insecure permissions set on cloud storage, be it S3 buckets or Azure blobs. Other examples include attackers compromising cloud infrastructure to spin up bitcoin mining rigs.”
To help plug this gap in in-house skills, Siddarth believes that businesses need to re-evaluate their approaches to both cloud and security, and make sure that they consider both as being part of the same IT ecosystem, rather than being separate challenges that are tackled independently of one another. This should include efforts to upskill in-house staff, and also the formation of collaborative partnerships with external experts who are well-versed in the specifics of secure cloud migration.
He added: “Migrating to cloud is often a complex process, so it’s important to invest a lot of manpower in it. However, there should be no excuse for neglecting security considerations, especially given the current threat landscape and the fact that hackers are seeing cloud as an increasingly lucrative target. Working with partners can be hugely advantageous here, as they can bring the added expertise needed to work through the more complex aspects of secure cloud migration, such as developing infrastructure as code to guard against mistakes being made.
“Also key to addressing this skills gap in the long term is engaging with third parties to implement holistic training programmes focusing on the unique challenges and intricacies of cloud security. By investing in this area, businesses can ensure that they build applications that are fully cloud-ready from the outset, and foster a philosophy which incorporates security into any cloud migration activity.
“Cloud’s continued rise is inexorable, so it’s important that organisations act now to shore things up from a security perspective. With the right focus on raising skill levels and sealing gaps in knowledge, this is very much a realistic aim.”
