Organizations are getting more confident in their cloud security strategies, according to a recent Barracuda Networks survey of 850 security professionals. According to the survey, over 44% of respondents believe that public cloud environments are as secure as on-premises platforms, while 35% of respondents feel that on-premises environments are more secure than the public cloud.
When it came to cloud security confidence, nearly 60% of respondents were either very confident or somewhat confident in their cloud platform. Only 14% were either not very confident or not confident at all.
A Major Obstacle to Cloud Adoption: A Shortage of Skilled Workers
While security confidence has increased, many users are still hesitant to house certain types of data in the cloud. When asked which workloads, applications, or data they would not be comfortable hosting in the cloud, 56% cited data about company finances, 54% cited employee data, 53% cited customer data, and 47% were concerned about proprietary product data.
A shortage of skilled employees is also impacting how companies approach the cloud. Roughly 47% of respondents agreed that a shortage of cybersecurity skills was significantly affecting how they implement cloud technology.
In response, companies have attempted several strategies to overcome that skills gap, including training current staff (60%), outsourcing to MSPs (35%), relying more on technology providers (32%), relying more on technology vendors (28%), and hiring more employees (25%).
Another 42% of respondents feel that cloud environments are difficult to gain visibility into, 36% believe that cloud environments are a “headache” when it comes to compliance, and 31% believe that cloud environments are hard to secure.
For MSPs looking for new opportunities in this market, it’s clear that end users need security awareness training with regard to cloud security, visibility, and compliance tools. There’s also an enormous outsourcing opportunity as the gap between the supply of skilled staff and the demand for those employees grows.
Protecting Cloud-Based Data with WAF and Patching Best Practices
To secure cloud data and apps against threats, 59% of respondents reported that they implemented automated systems such as web application firewalls (WAFs). Roughly 19% indicated that a human process was used to respond to new threats and apply patches, and 22% indicated that their cloud or hosting providers would handle web application threats.
Those using a WAF were relying on a mix of commercial products and cloud provider WAF solutions.
Interestingly, of those companies not currently using a WAF to protect cloud applications, 39% of respondents said their apps don’t process sensitive or business-critical information. This reflects a critical misunderstanding of the current cyber threat landscape — attacks aren’t only focused on stealing data. They can also affect mission-critical services, cause business disruption, and provide a gateway to launch other types of attacks. The good news is that 37% of respondents planned to install a WAF in the near future.
Patching activity showed a worrisome degree of variability. When asked how often they had applied security patches to their web application frameworks or servers in the past 12 months, 35% indicated they had done so 1-5 times, while 33% had done so more than 10 times. Shockingly, 13% reported they had never applied any security patches over the past year.
That type of patching complacency led to the Equifax breach a few years ago, which has now cost that company more than USD 1.4 billion.
Among those who indicated they hadn’t applied patches at all, nearly 21% of respondents said it could take anywhere from 1 to more than 6 months to patch a vulnerability after it was disclosed.
Although it’s clear that users are finally getting the message that cloud platforms can be just as secure as (or even more secure than) on-premises solutions, some companies aren’t taking critical security precautions, such as regularly applying patches and leveraging a WAF.
Web application security and cloud security best practices are vital to helping customers safely continue their digital transformations while taking advantage of the benefits of the cloud.