Nearly one-third of IT security budgets are now allocated to mitigating cloud security threats, McAfee reports, an investment only set to grow as organizations run everything from development workloads to IoT applications in IaaS environments.
In a recent report, Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security, McAfee said that in 12 months, 37 percent of IT security budgets on average will be allocated to cloud security, up from today’s 27 percent.
Though McAfee did not ask respondents to detail whether their overall security budgets were growing, other market data indicates that security spending will increase in 2018. Research from Gartner forecasts worldwide enterprise security spending will reach $96.3 billion in 2018, an increase of 8 percent from 2017.
The growing investment in cloud security comes as organizations are using more public cloud services – 31 public cloud services compared to 29 services last year – and storing sensitive data in the cloud. Sixty-one percent of organizations store personal customer information in the cloud, while 30 percent of respondents said they keep intellectual property, healthcare records, competitive intelligence, and network passwords in the cloud.
Only 16 percent of respondents said they don’t store any sensitive data in the cloud.
Those who work in IT can attest that there's no relationship between a technology's increased adoption and its security budget. An example in this report is containers and serverless computing. McAfee notes that while 80 percent of respondents are using or experimenting with containers and serverless computing, only 66 percent have a container security strategy, and 65 percent have a security strategy for serverless.
“I think it follows a pattern that we’ve seen in IT all along. There’s a new architecture or a new way of developing applications and people go crazy with it, especially the developers,” Vittorio Viarengo, VP of marketing of McAfee’s Cloud Business Unit, said. “Then IT and security come along and say, ‘hold on, how do we make this work and make it secure?’ so I think containers are following the same pattern. What I think is happening though is these patterns are happening faster … but there’s always a little lag between when a new disruptive and innovative technology hits the developers and when security catches up with it.”
Increased budgets can only do so much to prevent cloud security threats when human error remains a factor, which is part of what makes visibility into cloud apps and automating some security functions so important.
“The move to cloud by definition makes IT lose some control. I think investing in security is the way for IT to stay relevant and regain control in this new world that is driven by the cloud and by the device,” Viarengo said.
Since its acquisition of Skyhigh Networks in November, McAfee has added more tools for organizations to take stock of their cloud applications and place appropriate controls on them.
“When you go to the cloud, the best practices that we recommend is first you need to fully embrace the proper tools, like a CASB platform, like McAfee has through the Skyhigh acquisition, to gain visibility into what’s going on,” Viarengo said. “That means you need to know which applications are being used by your employees, what is the data that is contained in these applications … now you can track who has access to what data on what cloud so then you can apply data protection.”
Viarengo said one area that McAfee found surprising when looking at the climate of cloud security threats was that the number of companies that have a cloud-first strategy has dropped, from 82 percent a year ago to 65 percent today. Organizations with a cloud-first strategy are more than twice as likely to rank CASB as their first step in monitoring shadow IT activity, according to McAfee.
There are a couple of reasons organizations are backing off a cloud-first strategy, Viarengo said.
“The first one is that they are realizing that although they are now using somebody else’s backend and somebody else’s application, they are still on the hook for security,” he said.
“I think the second reason why the cloud-first strategy has seen a drop is that I think especially large organizations are realizing that they have systems in their data centers that will be around for a long time, so we must live in this hybrid cloud model,” he said.
McAfee said in its report that 59 percent of respondents use a hybrid model, up from 57 percent in 2016. Hybrid usage increases with organization size, from 54 percent in organizations with up to 1,000 employees, to 65 percent in larger enterprises with 5,000 employees or more. McAfee notes that for organizations operating in a hybrid cloud environment, the decision to go cloud or not is based on the specific needs of the application and data.
With the deadline for GDPR compliance coming up one month from now, part of the report also explores the impact the regulation may have on cloud adoption. It turns out that only a small minority of organizations plan to slow down cloud adoption because of concerns around GDPR.
Fewer than 10 percent on average plan to decrease their cloud investments because of GDPR, Viarengo said, which “means that the advantages of cloud outweigh the cost and complexity of complying with the new regulations.”
“Visibility is the first step. You need to know where your data is, and what it contains. Once you add that you can put the policies in place so you don’t break these regulations,” he said.