Key findings from McKinsey's public cloud research included:
- Adopting security controls administered via cloud services providers (CSPs) is the perimeter security model of choice for 36 percent of cloud-aspirant companies.
- 40 percent of the companies studied have more than 10 percent of their workloads on public cloud platforms, and nearly 80 percent plan to have more than 10 percent of their workloads on public cloud platforms in three years or plan to double their cloud penetration.
- More than 50 percent would like their CSPs to be jointly responsible for compliance with regulatory mandates.
- 60 percent anticipate their companies will use a third-party identity and access management (IAM) service that supports multiple public cloud environments and unifies security controls across on-premises and public cloud resources in the next three years.
- 65 percent leverage security information and event management (SIEM) tools for monitoring cloud apps, and 30 percent use native monitoring tools provided by CSPs or request logs from CSPs.
In addition, McKinsey identified four priorities for collaboration between companies and CSPs:
- Transparency on controls and procedures. CSPs should provide full visibility into their security controls and procedures, security audits and penetration testing.
- Regulatory compliance support. CSPs should offer detailed descriptions about how they stay informed about regulatory changes and update their compliance mechanisms.
- Integrated operations monitoring and support. CSPs should deliver security reports, insights and threat alerts.
- Multicloud IAM capabilities. CSPs should provide IAM roadmaps that focus on behavioral authentication, role-based access and other IAM capabilities.
Ultimately, companies and CSPs must divide cybersecurity responsibilities for public cloud environments, McKinsey said. With a clear understanding of the support that CSPs provide, companies can design and configure security controls for multiple cloud environments and integrate these controls with various tools, processing models and operating models.
How to Strengthen Public Cloud Cybersecurity
McKinsey offered several best practices to help businesses launch effective public cloud cybersecurity programs:
- Determine which workloads to move to the public cloud and the security requirements for these workloads.
- Find at least one CSP that is capable of meeting a company's public cloud workload security requirements.
- Classify each public cloud workload based on ease of migration, cost considerations and other factors.
- Explore ways to standardize and automate security controls.
- Deploy a security controls and governance model.
Setting up a public cloud cybersecurity program can be difficult. However, these best practices empower businesses to coordinate program design, development and implementation, and to find ways to optimize the value of public cloud platforms.