How enterprises can lead the way on cloud data security

Security-savvy enterprises approach everything-as-a-service differently

As the demand for everything-as-a-service (XaaS) grows, it’s imperative that organizations focus on data security. Some security-savvy enterprises are already leading the way in choosing trustworthy XaaS vendors and establishing strong processes and policies to deal with data security.

How enterprises can lead the way on cloud data security

by

Susanne Hupfer
Sayantani Mazumder
Faruk Muratovic

Share by email

Many technology companies are shifting to a service-based model for providing products and capabilities, with some major players planning to transition the bulk of their portfolios over the next few years.¹ At the same time, many leaders across industries are moving from traditional IT to everything-as-a-service (XaaS) for improved agility, new capabilities, and better management of capacity and costs.² They view XaaS as critical to their digital transformation and to creating new solutions and business models—with cloud as the preferred platform for enabling XaaS and spurring innovation.³

To understand how companies are adopting service-based IT, including their objectives, outcomes, and challenges, Deloitte surveyed 600 IT and line-of-business professionals responsible for XaaS at US organizations.⁴ Three-quarters of our respondents reported that their organization already runs more than half of its enterprise IT as-a-service.⁵ According to these leaders, the biggest challenge to scaling up their use of XaaS involves data security and privacy concerns—the same obstacle that topped adoption challenges in our 2018 XaaS study.⁶

Learn more

With so much IT shifting to the cloud, organizations could be wise to focus on security. According to a 2021 report, 73% of cybersecurity incidents involve external cloud assets (vs. on-premise assets), and there are signs that cloud security incidents are increasing.⁷ Cloud data breaches can have serious consequences, including regulatory and legal problems, response costs, reputational damage, and even erosion of market value. According to another analysis, the average cost of a data breach incident in 2021 was US$4.24 million, a 10% increase over 2020.⁸

Are any enterprises cracking the code for mastering data security with XaaS and cloud? Fortunately, yes—and others may be able to follow their lead. Our analysis suggests there’s a group of “security-savvy XaaS adopters”—companies that not only feel they have established adequate processes and policies to deal with data security, but have also chosen XaaS vendors that can satisfactorily deliver strong data security and privacy safeguards. Nearly one in five (19%) of the professionals we surveyed in our XaaS study represent these security-savvy companies, which are more confident about keeping a wide range of enterprise data—even highly sensitive data—entirely in the cloud (see figure).

Security-savvy XaaS adopters have a differentiated approach to managing XaaS security and compliance:

They assume more responsibility for security. Almost half of the executives from such companies (46%) reported that it’s entirely the responsibility of their organization to manage and ensure data security of their XaaS initiatives (vs. 33% of leaders from other companies). They’re also more mindful about regulatory compliance: 56% strongly agree that their organizations have adequate processes and policies in place to deal with regulatory compliance for XaaS (vs. 39% of executives from other companies).
They’re more proactive about monitoring security. Two in three executives from security-savvy companies reported that their organizations continually monitor the security of XaaS IT applications and data (vs. half from other companies). Moreover, 65% of the security-savvy companies evaluate their XaaS providers regularly⁹ to ensure they're meeting data security requirements (vs. 57% of the other companies).

Considerations for TMT executives

To provide a differentiated, higher-value customer experience, cloud and XaaS providers should strive to help their customers become more like the security-savvy XaaS adopters.

Become a security partner. The complexity of securing cloud-based IT is likely to accelerate as many organizations turn to a hybrid, multi-cloud, multi-vendor strategy to increase access to best-in-breed technologies, optimize costs, improve resilience and reliability, and minimize vendor lock-in.¹⁰ Tech providers can build trust by helping their customers rethink security models and capabilities and take a more integrated approach to cloud and security—for instance, by establishing a cloud security controls framework.¹¹
Clarify security responsibilities. Managing the security risks of multi-cloud environments should be a shared endeavor between service providers and user organizations, yet nearly 6 in 10 cloud adopters cite establishing shared security models as a major challenge.¹² Service providers can supply their customers and auditors with system and organization controls (SOC) reports to help build risk assurance, but clarifying expectations and responsibilities is crucial.¹³
Continuously assess risks. Cloud providers can help their customers identify and use the right tools to continuously monitor cloud security. For instance, adopters can use comprehensive dashboards to track security of data and applications across several environments, thereby increasing visibility into risks.¹⁴ Additionally, advanced security tools based on artificial intelligence and automation can be helpful in sensing threats and responding to them in a timely manner.¹⁵

Jessica Lyons Hardcastle, “HPE partners with Google Cloud, pledges entire portfolio ‘as-a-service’ by 2022 ,” sdxcentral, June 19, 2019; Gina Narcisi, “Cisco CEO Chuck Robbins: COVID-19 forcing as-a-service transition ” CRN, August 12, 2020.View in Article
Susanne Hupfer et al., Enterprise IT: Thriving in disruptive times with cloud and as-a-service , Deloitte Insights, February 22, 2021.View in Article
Ibid.View in Article
Ibid. To obtain a cross-industry view of how organizations are adopting and benefiting from as-a-service enterprise IT, Deloitte conducted the Everything-as-a-Service (XaaS) Study, 2021 edition, surveying 600 IT and line-of-business (LoB) professionals from US-based companies in Q4 2020. All respondents were chosen from organizations that consume 15% or more of their IT as a service (i.e., all were XaaS adopters) and were required to have responsibility for enterprise IT and specifically for XaaS—for example, spending, strategies, deployments, and vendor selection and evaluation. Respondents were evenly split between IT and LoB professionals, and 89% were executives. Six industries were represented: technology, media, and telecom; energy, resources, and industrials; consumer, retail, and automotive; financial services; life sciences and health care; and education.View in Article
Respondents were asked to consider their organization’s current enterprise IT products/services and estimate what proportion is being purchased and consumed as as-a-service IT vs. traditional IT.View in Article
Gillian Crossan et al., Accelerating agility with everything-as-a-service , Deloitte Insights, September 17, 2018.View in Article
The researchers noted that there’s nothing in their data to indicate that on-premise IT is more secure. The fact that so much IT infrastructure has moved to the cloud may be a contributing factor, as well as attackers targeting cloud credentials. See: Maria Korolov, Cloud security breaches surpass on-prem ones for the first time , Data Center Knowledge, May 20, 2021; Alicia Hope, “Almost all organisations suffered at least one data breach in past 18 months, the State of Cloud Security Report found ,” CPO Magazine , July 20, 2021.View in Article
Chris Brook, “How much does a data breach cost in 2021? ,” Digital Guardian blog, August 4, 2021.View in Article
Our survey defined “regularly” as annually or more frequently.View in Article
David Linthicum, Want more multicloud success? Here are some key strategies , Deloitte, accessed November 9, 2021.View in Article
Deborah Golden et al., “A controls framework for integrated cloud security ,” Wall Street Journal Risk & Compliance Journal , May 26, 2021.View in Article
Dan Yachin, “State of cloud security 2021: More aware yet very exposed ,” Ermetic, July 1, 2021.View in Article
Charlie Willis and Lining Ge, Assurance in the cloud: Don’t settle for a check-the-box approach , Deloitte, 2021; Curtis Stewart, Dan Zychinski, and Alan West, Third-party reporting proficiency with SOC 2+: An integrated approach gains traction , Deloitte, 2021.View in Article
Doug Bourgeois and Sean VanDruff, Integrated multi-cloud management for the federal government , Deloitte, 2017.View in Article
Satta Sarmah Hightower, “Want to avoid a multi-million dollar data breach? You need these three things ,” Forbes , September 21, 2021.
View in Article

Thanks to Brooke Auxier, Gautham Dutt, and Shubham Oza for their support.

Cover image: Jaime Austin

Technology, Media & Telecommunications

Deloitte’s Technology, Media & Telecommunications (TMT) industry practice brings together one of the world’s largest group of specialists respected for helping shape many of the world’s most recognized TMT brands—and helping those brands thrive in a digital world.