The survey – of over 2,000 senior IT professionals – carried out by Intel Security has revealed that UK IT teams remain among the most risk-averse when it comes to cloud adoption, in part due to the growing skills shortage.
The report reveals that trepidation from the IT team is leading to risky shadow IT operations across UK businesses.
The UK
UK businesses are the least likely globally to have a cloud-first strategy, adopted by just 70% compared to over 80% across the globe.
They are also the least likely to allow their organisation’s public cloud service to store sensitive data
Indeed, 7% said all of their data is stored in the public cloud, compared to the global average of 25%.
An upskilling drive is key, with 24% of UK businesses claiming that having skilled staff, that understand cloud architecture, would increase public cloud adoption.
>See also: How the cloud will shape infrastructure this year
UK-based respondents were the least likely to have a DevSecOps (development, security, operations) function in the business (28% vs 44% globally).
However, this reservation is not translating to all elements of the business and the UK has a significant shadow IT problem: 74% of UK businesses claim their organisation has public cloud services in use that have been commissioned by departments other than the IT department; above the global average of 66%.
Raj Samani, CTO EMEA, Intel Security, commented on the report and said that “UK IT experts stands out as particularly cautious when it comes to public cloud adoption, but there is a risk that this trepidation simply leads to other departments embracing the cloud without consulting their IT team. Shadow IT is a significant issue in the UK especially and enterprises are leaving themselves more vulnerable than if they adopted a proactive cloud strategy.”
“Attackers will look for the easiest targets, regardless of whether they are public, private or hybrid. Integrated or unified security solutions that provide visibility across all of the organisation’s services could be the best defence. Rather than having to react to security threats brought about by unregulated cloud adoption from other departments, IT departments should consider working with the wider enterprise to adopt a cloud first strategy, which proactively builds security into its core.”
Despite a clear hesitation surrounding cloud adoption among UK businesses, the report identified that overall trust in public cloud is growing.
Trust in the cloud on the rise
The trust and perception of public cloud services continues to improve year over year.
Most organisations view cloud services as or more secure than private clouds, and more likely to deliver lower costs of ownership and overall data visibility.
Those who trust public clouds now outnumber those who distrust public clouds by more than 2-to-1.
Improved trust and perception, as well as increased understanding of the risks by senior management, is encouraging more organisations to store sensitive data in the public cloud.
>See also: Why not all clouds are created equal
Personal customer information is the most likely type of data to be stored in public clouds, kept there by 62% of those surveyed.
“The ‘cloud first’ strategy is now well and truly ensconced into the architecture of many organisations across the world,” said Samani.
“The desire to move quickly toward cloud computing appears to be on the agenda for most organisations. This year, the average time before respondents thought their IT budgets would be 80% cloud-based was 15 months, indicating that cloud first for many companies is progressing and remains the objective.”
However, as identified while analysing UK business statistics, as cloud adoption increases so does the risks.
Shadow IT and the cyber security skill shortage
The ongoing shortage of security skills is continuing to affect cloud deployments. Almost half of the organisations surveyed report the lack of cyber security skills has slowed adoption or usage of cloud services, possibly contributing to the increase in Shadow IT activities.
Another 36% report they are experiencing a scarcity but are continuing with their cloud activities regardless. Only 15% of those surveyed state they do not have a skills shortage.
Due to the ease of procurement, almost 40% of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped from about 50% last year to just under 47% this year.
As a result, 65% of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure.
This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52%) of respondents reported that they had definitively tracked malware from a cloud SaaS application.
Data centre progression
The number of organisations using private cloud only has dropped from 51% to 24% over the past year, while hybrid cloud use has increased from 19% to 57%.
This move to a hybrid private/public cloud architecture requires the data centre to evolve to a highly virtualised, cloud-based infrastructure.
On average, 52% of an organisation’s data centre servers are virtualised, 80% are using containers and most expect to have the conversion to a fully software-defined data centre completed within two years.
>See also: The cloud in a digital age – an opportunity for growth and success
In this period of cloud infrastructure transition it is important to remain aware of the threats in the cyber landscape.
As such, Intel Security have provided some recommendations on the back of the report for businesses using the cloud, in all its forms.
Recommendations
Attackers will look for the easiest targets, regardless of whether they are public, private or hybrid.
Integrated or unified security solutions that provide visibility across all of the organisation’s services could be the best defence.
User credentials, especially for administrators, will be the most likely form of attack. Organisations need to ensure they are using authentication best practices, such as distinct passwords, multi-factor authentication and even biometrics where available.
Security technologies such as data loss prevention, encryption and cloud access security brokers (CASBs) remain underutilised.
Integrating these tools with an existing security system increases visibility, enables discovery of shadow services, and provides options for automatic protection of sensitive data at rest and in motion throughout any type of environment.
Organisations need to evolve toward a risk management and mitigation approach to information security.
They should consider adopting a cloud first strategy to encourage adoption of cloud services to reduce costs and increase flexibility, and put security operations in a proactive position instead of a reactive one.