Cloud Security University

The #1 resource on the web for cloud security education so you can stay ahead

McAfee Cloud Security University was launched to arm IT security professionals with knowledge around cloud computing and the controls they need to enable secure cloud usage. Here you’ll find results of various McAfee research and reports as well as learn about the best practices on how to securely adopt the myriad of cloud services available.

Whiteboard Walkthroughs

Cloud Usage Growth

Similar to previous shifts in technology, such as the rise of the PC and the Internet, the cloud creates new and significant concerns among business leaders about the potential for headline-making security incidents. To better understand these trends, McAfee analyzed aggregated, anonymized cloud usage data for over 30 million users worldwide at companies across all major industries.

Cloud Security Trends

The average organization now uses 1,154 cloud services, of which, 90% are unsanctioned, which leads to a host of cloud security challenges

Cloud Security Trends

Employees store all kinds of sensitive and regulated data in cloud services, signifying an increased level of trust in cloud security

Cloud Security Trends

What’s in a name? As recent high-profle data breaches demonstrate, cyber criminals are seeking out documents containing company budgets, employee salaries, and employee Social Security numbers

Cloud Security Trends

Owing to the scale of corporate data stored in the cloud today, security incidents are no longer isolated to PCs and applications on the network. The average organization experiences 19.6 cloud-related security incidents each month

Survey of IT leaders uncovers cloud opportunities and risks

Cloud apps offer several benefits that include lower cost, faster implementation, and a better user experience. The line of business is driving this technology shift in an unprecedented way, with end users frequently asking IT professionals within their companies for new cloud-based applications. Companies have responded with formal programs to assess and onboard cloud services. While cloud adoption started with cloud-native systems of engagement, we’re entering a new stage in which companies migrate their systems of record to the cloud.

As data leaves the company data center for the cloud, IT is caught between delivering technologies to support innovation and growth in the business and securing sensitive data against proliferating threats. This survey, conducted by the Cloud Security Alliance, asked over 200 IT and security professionals from across industries worldwide how their organizations are managing cloud adoption.

Onboarding cloud services

The CSA report found that employees and the line of business are key elements in driving corporate cloud adoption. IT professionals we surveyed receive, on average, 10.6 requests each month for new cloud services. Even considering there is likely overlap in these requests, that’s a tremendous number of cloud services that must be vetted. Perhaps that’s why 71.2% of companies now have a formal process for users to request new cloud services. However, these programs are still evolving. Of companies with a formal process, 65.5% indicated that they only partially follow it.

Rejecting cloud services

According to the CSA report, on average, it takes an IT security team 17.7 days to evaluate the security of a cloud provider. The most common reason for rejecting a cloud service request, identified by 55.5% of companies, is because they already have a comparable cloud solution in place (such as when a cloud collaboration service is rejected in favor of an enterprise ready service like Office 365). The next most common reason for rejecting a cloud service request is the provider is not trusted (53.6%), followed by a lack of encryption at 45.8% and a lack of data loss prevention at 43.9%. Smaller companies were more likely to decline a cloud service request due to a lack of budget (28.4%), while larger companies were more likely to reject a service because it didn’t encrypt data (51.5%) or the service did not support data loss prevention (44.1%).

The next wave of cloud adoption

As more companies experience the benefits of cloud computing, they are beginning to look toward extending these benefits to their systems of record. The most common system of record to be deployed in the cloud today (36.3%) is customer relationship management (CRM).

Benefits of cloud adoption

Across respondents the most common perceived benefit is lower up-front or ongoing costs (71.8%). Nearly as many respondents (69.2%) indicated that faster implementation was a benefit while 49.4% indicated better user experience as a benefit.

Cloud Ecosystem

While not explicitly identified by respondents, another potential benefit of cloud-based systems of record is the ability to integrate these applications with an expanding ecosystem of third party apps. There are over 2,000 apps on Salesforce’s AppExchange alone.

Security in cloud-based systems of record

Despite cloud security concerns, just 35.0% of IT and security professionals believe that cloud-based systems of record are less secure than their on-premises counterparts. 64.9% say that the cloud is either as secure or more secure than on-premises software.

Barriers to cloud adoption

When asked about the barriers to moving systems of record to the cloud, the primary obstacle noted by 67.8% of companies was the ability to enforce their corporate security policies. Next, 61.2% of companies said that concern about complying with regulatory requirements was a barrier. Budget-related constraints do not appear to be a major hurdle to replacing an on-premises system of record with a cloud-based one.

The role of the CISO

Recognizing the importance of security, more companies are appointing a senior executive, the Chief Information Security Officer (CISO), to manage the information security team. Today, 60.8% of companies have a CISO. A CISO’s role can vary, but it often includes setting security policies, overseeing regulatory compliance, and taking responsibility for data privacy.

Likelihood of hiring a CISO correlated with concern for data loss


Data loss concerns and CISO

As systems of record move from on-premises data centers to the cloud, 26.3% of companies are very concerned about data loss while 32.2% are somewhat concerned about data loss. When you look at the companies that have a culture of security, or at least concern about security, these organizations are significantly more likely to have a CISO.

Company security culture and CISO

The CSA report uncovered that an impressive 65.7% of organizations that are concerned about data loss have a CISO, while only 50.0% of companies that aren’t concerned about data loss have a CISO. It’s not clear if a culture of security makes it more likely that a company will invest in hiring a CISO, or if a CISO instills a stronger culture of security, or if both reinforce the other.

Barriers to detecting data loss

Across the board, there’s a skills shortage. Companies are finding it challenging to recruit and hire people to fill information security positions. The lack of security professionals to maximize the value of technology investments is the top barrier to detecting and stopping data loss, respondents say.

 Security challenges facing companies with and without CISOs

For companies with a CISO, the lack of technology professionals is an even greater perceived barrier to stopping data loss than those companies without a CISO. This means that one of the biggest challenges of CISOs today is recruiting and retaining talented security analysts. It also means that the role of security analyst is quickly becoming a hot career path as companies invest in expanding information security initiatives, with more jobs available than qualified applicants to fill them.


Incident response plan

One of the reasons that companies with a CISO may be more confident about their internal strategy is that they are more likely to have an incident response plan. Across all companies, 82.2% have some form of an incident response plan that details how the company would respond to a serious breach, including security remediation, legal, public relations, and customer support. However, fewer than half of these companies have a complete plan that covers all of these areas.


Cyber security insurance

Companies with a CISO are also more likely to have cyber insurance to protect against the cost of a data breach. Across all companies, 24.6% have cyber insurance. However, just 17.2% of companies without a CISO have insurance compared with 29.2% of companies with a CISO.


Cyber attack preparedness

When asked how prepared their company is for a major cyber attack on a scale from 1-5, with 1 being not at all prepared and 5 being very prepared, respondents on average rated their preparedness at 3.31. However, responses varied widely depending on whether the company has a formal incident response plan. Companies with any form of incident response plan indicated they were significantly more prepared for a major cyber attack, compared with those without a plan. Companies with a comprehensive plan felt they were the most prepared.


Cyber attack concerns

The greatest concern companies have when it comes to a cyber attack is loss of reputation and trust. That’s followed by financial loss, which in the case of Sony is estimated to be roughly $35 million to handle the immediate aftermath of the breach. External analysts estimate it could cost the company another $83 million to completely rebuild its damaged IT infrastructure. Next, companies are concerned about data loss and the destruction of data, followed by loss of intellectual property and manipulation of their data.


Willingness to pay ransom

The willingness of a company to pay a ransom to stop a catastrophic release of stolen information is correlated with whether the company has cyber insurance. Companies without cyber insurance are less likely than average to pay a ransom. Just 22.6% of these companies would pay a ransom. Across companies with cyber insurance, 28.6% would pay a ransom, higher than 24.6% average. Across all companies 14% would be willing to pay a ransom in excess of $1 million to prevent the release of information.


Securing data in the cloud

As more corporate data moves to the cloud, companies are looking to enforce corporate security policies and meet regulatory compliance requirements from a single control point. One of the capabilities that respondents say is important is access control (87.3%). 83.4% indicated encryption is important for cloud security, while 73.9% indicated data loss prevention as an important element of cloud security.