Survey Reveals 92% of Organizations have Cloud Security Gaps

Oracle and KPMG have released the 2020 Cloud Threat Report. The report offers insights into the state of cloud security, with data for the report gathered in a recent survey of 750 cybersecurity and IT professionals. The report includes an analysis of cloud adoption trends and explores the current threat landscape and the steps that have been taken by companies to secure their cloud infrastructure and data.

88% of organizations said they currently use public cloud infrastructure services, and 50% believe all of their data will be migrated to the cloud within the next two years. One of the most worrying findings is that cloud adoption is outpacing cloud security.

An increasing number of workloads are being migrated to the cloud, even though appropriate security protocols have yet to be implemented. 92% of respondents said they have a cloud security readiness gap and 44% of those respondents said they have a wide cloud security readiness gap.

The survey explored attitudes to cloud security and showed that most employees understand the cloud can be secure. 75% of respondents believe that the cloud is more secure than their data center. Despite that confidence that the cloud can be made secure, IT professionals were three times more worried about cloud security than they were about the security of on-premises systems and data. This is not surprising given that three-quarters of respondents said they have experienced cloud data loss on more than one occasion.

78% of respondents said the security policies and processes they have in place to protect on-premises systems and data are different from the policies and processes necessary for securing cloud data and that they are struggling to adapt. On average, research respondents have implemented more than 100 discrete cybersecurity controls for the public cloud and the complexity is causing a problem, with misconfigurations commonplace. 70% of respondents said too many specialized tools are required for securing their cloud footprint.

In 2019, when the survey was last conducted, only 18% of respondents said they understood the shared cloud security responsibility model, in which the cloud service provider is responsible for securing the cloud, while securing any data uploaded to the cloud is the responsibility of customers. This year, the percentage dropped to just 8%.

The massive increase in cloud consumption has been causing problems for many organizations. One of the biggest complaints is a lack of visibility into all of the public cloud services used by the organization. With many blind spots created, it becomes difficult to identify and correct misconfigurations. Some of the misconfigurations would allow lateral movement of malware and near-instant port scanning by malicious bots.

37% of organizations have over-privileged accounts and are not following the rule of least privilege. 33% have not implemented multi-factor authentication on their cloud consoles and only 51% use MFA on their most critical workloads. This is especially worrying given the volume of phishing attacks that are occurring. 59% of respondents said cloud credentials had been obtained through phishing attacks. When attacks occur, investigations to find out what attackers have done can be difficult. 31% of respondents had disabled logging, which hampers investigations. The threat of malicious insiders is also not being addressed. Only 49% of respondents said they have implemented a user activity monitoring system.

“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks,” said Oracle Cloud’s Senior Vice President Steve Daheb. “Positive progress is being made, though. Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news