Canadian organizations are increasingly moving data and workloads to the cloud. But if a recently-released study is representative, the leading firms in this movement are among the least secure.

“They think security is being taken care of soup-to-nuts,” said David Senf, founder of the consulting firm Cyverity and author of the study. But, he added, “there is a shared responsibility between the organization and its cloud provider. That means I have to do something as well as you. And organizations have to understand what their side of the equation looks like. Because clearly there is an abdication of responsibility by organizations as they rush into the cloud.”

Senf came to that conclusion after looking at the results of a Cyverity-commissioned online survey last fall of 226 Canadian organizations of various sizes.

‘From the responses he divided them into three groups:
–“Cloud last” (23 per cent of respondents, who said they have less than five per cent or their data in the cloud)’
–“Cloud alsos” (46 per cent of respondents, who have between five and 50 per cent of applications and infrastructure in the cloud)
–and “Clout first” (nearly one-third of respondents, who have greater than 50 per cent of applications and infrastructure in the cloud.)

The “cloud first” group are moving fastest into the cloud. One might think they are therefore the most likely to have security foremost in mind, as the cloud can be trickier to secure than on-premise workloads.

Not so, Senf said, judging by responses to certain questions. It seems that cloud firsters “believe the cloud provider is going to take on all the risk for them,” he said. “You can see that in their adoption of cyber insurance. For example, they are half as likely to have cyber insurance than the rest of the Canadian market. Generally speaking three in 10 organizations have some level of cyber insurance, but only 14 per cent of cloud-first organizations buy it.

“The other thing that really surprised me was the lack of understanding around shared security responsibilty: Is it my responsibility. is it the cloud provider, both of us?” But only 13 per cent of respondents said they really understand what their security responsibilities are in their cloud environments.

“It surprised because we’ve been talking about this for how long?” asked Senf rhetorically. “I didn’t expect it to be that low. It says to me, one, that organizations need to continue to figure out what they should be doing. But it’s also incumbent among cloud providers to educate the marketplace about what they’re going to do and not going to do for their clients

“They need to evangelize [about] shared security responsibility more.”

It’s not that organizations are completely assuming security is in the hands of cloud providers. Survey respondents said the portion of their security budgets aimed at cloud security is increasing. They expect that by the end of this year spend allocated towards security of cloud activity will grow by 32 per cent.

Respondents also forecast that by the end of this year cloud security will occupy almost half the time of their staff, compared to 34 per cent today.

But Senf notes that despite cloud’s advantages — for example, providers look after installing updates, not the organization — there isn’t a one-to-one relationship as workloads move to the cloud. Or, to put it another way, shifting one server to the cloud doesn’t mean the on-prem staff has one less server to look after.

For this and other reasons as cloud workloads increase its important for CISOs to elevate the importance of managing credentials and privileges in hybrid and multi-cloud environments, the report says.

What all organizations moving workloads to the cloud have to do, Senf said, is start with basic risk assessment: What is valuable, will it stay on-prem, how will it be secured at all layers of the technology stack.

Use a cyber security framework like NIST (the U.S. National Institute for Standards and Technology) or the ISO 27001 to set out a risk management plan. Smaller organizations could look at the Octave-S (Operationally Critical Threat, Asset, and Vulnerability Evaluation ) framework.