New Survey of More Than 450 IT Professionals Identifies Confusion Over Cloud and Security Responsibilities

Companies continue to move business critical workloads and their most sensitive data to the cloud, yet security challenges remain, according to new research.

While 72% of respondents feel the public cloud is more secure than what they can deliver in their own data center and are moving data to the cloud, there is also a significant visibility gap remains, making it hard for businesses to understand where and how their critical data is handled in the cloud. 

The survey conducted by Oracle and KPMG identified a 3.5X increase in the number of organizations with more than half of their data in the cloud from 2018 to 2020. In addition, 71% of organizations indicated that a majority of this cloud-data is sensitive, up from 50% last year. However, the vast majority (92%) noted they are concerned about employees following cloud policies designed to protect this data.

The report found that the mission-critical nature of cloud services has made cloud security a strategic imperative. Cloud services are no longer “nice-to-have tertiary elements of IT”—they serve core functions essential to all aspects of business operations.

The 2019 report identified four key areas where cloud security challenges remain for many organizations.

  1. Confusion about the shared responsibility security model has resulted in cybersecurity incidents. Eighty-two percent of cloud users have experienced security events due to confusion over the shared responsibility model.  While 91% have formal methodologies for cloud usage, 71% are confident these policies are being violated by employees, leading to instances of malware and data compromise.
  2. CISOs are too often on the cloud security sidelines. Ninety percent of CISOs surveyed are confused about their role in securing a SaaS environment versus the cloud service provider.
  3. Visibility remains the top cloud security challenge. The top cloud security challenge identified in the survey is detecting and reacting to security incidents in the cloud with 38% of respondents naming it as their top challenge today. Thirty percent cited the inability of existing network security controls to provide visibility into cloud-resident server workloads as a security challenge.
  4. Rogue cloud application use and lack of security controls put data at risk. Ninety-three percent of respondents indicated they are still dealing with “shadow IT” in which employees use unsanctioned personal devices and storage or file share software for corporate data. Half of organizations cited lack of security controls and misconfigurations as common reasons for fraud and data exposures.  Twenty-six percent of organizations cited unauthorized use of cloud services as their biggest cybersecurity challenge today.

The second annual Oracle and KMPG Cloud Threat Report 2019 is based on a survey of 450 cyber security and IT professionals from private and public-sector organizations in North America (United States and Canada), Western Europe (United Kingdom), and Asia (Australia, Singapore). For more information, go to