Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Only 40% of organizations have more than 10% of their workloads in public cloud platforms. — McKinsey, 2018
  • 80% of organizations plan to have more than 10% of their workloads moved to public cloud platforms in the next three years, or plan to double their cloud penetration. — McKinsey, 2018

Cloud adoption is on the rise, but remains in its infancy in most organizations, according to a Tuesday report from McKinsey. Only 40% of organizations have more than 10% of their workloads in public cloud platforms, while 80% plan to have more than 10% of their workloads moved to these platforms in the next three years, or plan to double their cloud penetration, the report found.

McKinsey surveyed some 100 enterprises to determine how organizations are adopting the cloud and the security challenges they face in the process.

Security has long been a top barrier to cloud migration for many enterprises. However, CISOs now say that cloud service providers (CSPs) have stronger security capabilities than their own organizations, the report found. Today, they are asking how to adopt cloud services in a more secure way, since many of their existing security practices and architectures may be less effective in the cloud.

Here are 10 steps for your company to begin strengthening cybersecurity in the cloud, according to McKinsey.

1. Decide which workloads to move to the public cloud.

The workloads you choose to migrate will determine what security requirements are needed. For example, many companies choose to initially move customer-facing applications or analytical workloads to the cloud, and keep core transaction systems on-premises.

2. Identify at least one CSP that is capable of meeting security requirements for the workloads.

Companies may select multiple cloud providers for different workloads, but these selections should be consistent with the objectives of the company’s overall cloud strategy.

3. Assign a security archetype to each workload based on the ease of migration, security posture, cost considerations, and internal expertise.

Companies can, for example, choose to re-architect applications and use default CSP controls for customer-facing workloads, and lift and shift internal core transaction applications without re-architecting, while backhauling for data access.

4. For each workload, determine the level of security to enforce for each of the controls.

Companies should determine whether identity and access management (IAM) needs single-factor, multi-factor, or more advanced authentication.

5. Decide which solutions to use for each workload’s controls.

Companies can determine each CSP’s capabilities for each workload, and decide whether to use existing on-premises security solutions, CSP-provided solutions, or third-party solutions.

6. Implement the necessary controls and integrate them with other existing solutions.

The company will need to gain a full understanding of each CSP’s security capabilities and security enforcement processes. This also means that CSPs need to be transparent about their security practices.

7. Develop a view on whether each control can be standardized and automated.

Companies must analyze the full set of controls, and make decisions on which controls to standardize across the organization and which ones to automate for implementation.

8. Prioritize the first set of controls to implement.

Organizations might choose to prioritize based on which applications a company migrates, and which security model it chooses to apply.

9. Implement the controls and governance model.

For controls that can be standardized but not automated, companies can develop checklists and train developers on how to follow them. For controls that can be standardized and automated, companies can create automated routines to implement the controls and to enforce standardization, using a secure DevOps approach.
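As an added illustration of steps 3, 4, 7 and 9 together (not code from the McKinsey report or the article), the following Python checker encodes a per-archetype control baseline and evaluates a constructed workload inventory against it, the kind of automated routine a secure DevOps pipeline would run to enforce standardized controls. Archetype names, control names and the sample workloads are all hypothetical.

```python
from dataclasses import dataclass

# Constructed baseline: each security archetype (step 3) maps to the control
# level it must enforce (step 4). Archetype and control names are hypothetical.
BASELINE = {
    "customer_facing_rearchitected": {"iam_auth": "mfa", "encryption_at_rest": True, "audit_logging": True},
    "internal_lift_and_shift": {"iam_auth": "single", "encryption_at_rest": True, "audit_logging": True},
    "core_transaction_backhauled": {"iam_auth": "advanced", "encryption_at_rest": True, "audit_logging": True},
}
# Ordering of the authentication levels named in step 4; stronger than required is acceptable.
AUTH_RANK = {"single": 0, "mfa": 1, "advanced": 2}


@dataclass
class Workload:
    name: str
    archetype: str
    config: dict  # observed settings, e.g. read from the CSP API or an IaC template


def check_workload(w: Workload) -> list:
    """Return control findings for one workload; an empty list means it meets its baseline."""
    required = BASELINE[w.archetype]
    findings = []
    have = w.config.get("iam_auth", "single")
    if AUTH_RANK.get(have, -1) < AUTH_RANK[required["iam_auth"]]:
        findings.append(f"iam_auth is {have}, baseline requires {required['iam_auth']}")
    for ctl in ("encryption_at_rest", "audit_logging"):
        if required[ctl] and not w.config.get(ctl, False):
            findings.append(f"{ctl} is not enabled")
    return findings


def evaluate(workloads) -> dict:
    """Map workload name to its findings; a pipeline stage fails when any list is non-empty."""
    return {w.name: check_workload(w) for w in workloads}


# Constructed sample inventory, not taken from the report.
SAMPLE = [
    Workload("web-portal", "customer_facing_rearchitected",
             {"iam_auth": "mfa", "encryption_at_rest": True, "audit_logging": True}),
    Workload("hr-intranet", "internal_lift_and_shift",
             {"iam_auth": "single", "encryption_at_rest": False, "audit_logging": True}),
    Workload("ledger", "core_transaction_backhauled",
             {"iam_auth": "mfa", "encryption_at_rest": True}),
]

if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```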

10. Use the experience gained during the first wave of implementation to pick the next group of controls to implement.

Learning from this experience can help improve the implementation process for future sets of controls.

“Our experience and research suggest that public-cloud cybersecurity is achievable with the right approach,” the report stated. “By developing cloud-centric cybersecurity models, designing strong controls in eight security areas, clarifying responsibilities with CSPs, and using secure DevOps, companies can shift workloads into the public cloud with greater certainty that their most critical information assets will be protected.”