Jump-start your cloud adoption with modern cloud security

cloud adoption
cloud adoption


  • Companies whose cloud transformations are lagging put innovation and growth at risk.
  • It is tempting to "lift and shift" data, applications and networks, but the cloud has unique privacy and security requirements.
  • Business leaders, CISOs and CIOs must work together on the cloud security program.
  • Address five common challenges to help hasten your move to the cloud and accelerate business outcomes.

Why your enterprise cloud transformation strategy may be stuck, and what to do about it

On-premises-only work environments are so yesterday — rigid and boxed-in, limiting in scale and scope. Business happens largely in the cloud, a world that’s amorphous, shifting and accessible anytime and from anywhere.

Freed from the old constraints, cloud-based enterprises can enjoy more flexibility, scalability and productivity than ever — at less cost. So why isn’t everyone already there?

Just 17% of business and tech/security executives see their organizations benefiting from cloud adoption, according to PwC’s 2021 Global Digital Trust Insights survey.

They’re the fortunate ones. A quarter told us they’re using the cloud but haven’t yet benefited, and 29% are just starting to move functions and operations to cloud environments. Another 29% haven’t even begun the process.

Who’s adopted cloud and is reaping its benefits?
Circular chart: 29% have implemented at scale but not yet realizing its benefits; 29% started implementing

We see it all the time: clients convinced of the cloud’s potential but overwhelmed by the complexities of properly securing it. Instead of moving forward with their cloud programs, they get stuck in a quagmire of questions and concerns.

The good news is that a well-thought-out, step-by-step approach to security can jump-start your stalled migration and/or modernization. It can even hasten the move so you finish faster than originally planned.

Get your cloud strategy back on track: Questions and solutions

What are the challenges to cloud adoption? Here are the questions we hear most often, along with security solutions to help restart your cloud engine and put you in the fast lane.

1. What is the number-one reason why cloud transformations stall?

Lack of cloud governance.

Nearly half (48%) of organizations have a multi-cloud strategy. On average, organizations use three different cloud service providers (CSP), and 28 percent are using four or more. While using more than one CSP may be necessary and even beneficial, doing so can make security seem more challenging.

Cohesive governance is key: Each CSP may have different security abilities and requirements. And frequent releases of new features and updates means that, like the clouds in the sky, your enterprise cloud environment is continually changing.

PwC cloud security risk framework
8 secure cloud enablers


Bring together all your enterprise security controls so you can secure them from one location, and with as much automation as possible. Here are steps:

Create a cloud-platform-agnostic security controls framework, or use PwC’s (pictured above). Tailor it to your business and incorporate industry-standard security baselines and regulatory requirements.

Digitize the cloud adoption framework using collaborative tooling. By doing so, you create a living resource that’s available to the right people and is auditable, editable and traceable — so it’s as fluid as security and compliance requirements tend to be.

Design an overarching security architecture that includes all the cloud platforms your enterprise is using. Build infrastructure-as-code (IaC) and DevSecOps tooling to set the right security checks on all your cloud platforms using automation.

Using IaC offers immutability, meaning that each change to security settings and configurations occurs throughout your infrastructure, including your entire cloud environment. IaC also makes it easier for cloud administrators to test and deploy changes so that they take place cloud-wide, for faster, easier and more secure enterprise digitization.

DevSecOps ties in security so that application code is free of vulnerabilities and new code doesn’t go into production until its security gaps are resolved. DevSecOps also provides real-time feedback on security bugs while developers are writing code. With the right processes and tooling, there’s less need for lengthy reviews by information security teams — reviews that can slow and even stall changes that may be critical to innovation and new lines of revenue.

Automate your cloud compliance program. Verifying security controls manually can be difficult, costly and error-prone, and it can involve seemingly endless assessments and verifications. Using IaC and a holistic cloud-security framework lets you use code to run and monitor your compliance program. You won’t get stuck in an endless cycle of compliance assessments, but instead will get alerts in real-time when you slip out of compliance. And cloud-native tooling can revert any noncompliant changes to return your environment to its previous, compliant state.

A CISO-led, well-defined, automated cloud security program can benefit others in your organization, too. Your chief technology officer, for instance, may be able to measure, optimize and push changes to the enterprise cloud environment faster than ever before. In this way, the office of the CISO can not only remove governance roadblocks but also help accelerate your cloud transformation.


Appropriate alt text for the image - square card 2

Get more insight on trusted tech

Visit PwC’s Cyber & Privacy Innovation Institute

Dive into more executive research and perspectives on cyber, privacy and trust in technology

Learn more

2. What’s key to getting privacy right on the cloud?

Understand what’s required throughout your enterprise.

Seventy-five percent of organizations find it more complex to manage privacy and data protection regulations in the cloud. Previously, organizations stored and maintained information in local data centers, and so only needed to concern themselves with local requirements. The cloud allows authorized users to access your enterprise information anytime and from anywhere — a more efficient way of working.

The caveat: You must correctly configure your global security restrictions on data accessibility and storage. Without thoughtful security configuration, the cloud has no borders, and that could put your enterprise at risk of violating privacy laws in other countries.


Your chief privacy officer as well as privacy officers in all your locations should make sure that their geographical requirements are included in your overarching cloud-platform-agnostic framework. You also must make sure that your architecture includes identity and access management considerations. Some regulatory requirements may restrict who can access your organizational data.

Being familiar with privacy requirements at the county, state and national levels can help your enterprise to reduce risk and design transparent solutions that people can trust.

3. Who’s responsible for securing what?

The provider and you, but you’ll have to be clear on areas of responsibility and control.

Of more than 3,000 IT and IT security practitioners surveyed in 2019, only one in three respondents said protecting data in the cloud is their responsibility. CSPs bear the most responsibility for sensitive data in the cloud, 35% said, and 33% said the responsibility is shared.


Responsibility for cloud security is almost always shared. CSPs are responsible for securing the platform itself — but the task of keeping your organization’s data and intellectual property safe is yours. Get familiar with each set of requirements and make sure your security teams and CIO are up to speed as well.

Cloud security shared responsibility model
Stacked bar chart showing what security aspects IaaS, PaaS and SaaS are responsible for

4. Who’s got a stake in accelerating and securing our cloud migration/modernization?

The entire C-suite — not just the CISO and the CIO.

A lack of buy-in from C-suite executives is one of the most common reasons why cloud adoptions slow down or stall. You’ve probably approached your CISO, but what about the CFO, COO, chief risk officer, and chief legal officer? Cloud solutions exist for each of these roles and their organizations. Seeing cloud migration as only a security or IT problem misses the opportunity to engage key portions of the enterprise.


For each element in your cloud-agnostic security framework, define who’s responsible and accountable and who’s to be consulted and informed. Use a single framework and regularly report back to these individuals on your progress. Doing so can help you avoid duplicating tasks and help your cloud migration proceed smoothly and on schedule.

5. How can talent issues affect you beyond the risk implications?

Not being able to make the most of all the features and benefits of the cloud.

The cyber skills shortage is real, and it’s expected to worsen — especially for cloud engineers. These professionals need the “full stack” of skills and knowledge. They need to know how all the technology components work and how they interact: databases, applications, operating systems and networks.

But people with this level of expertise are in short supply. Without cloud engineers on staff, businesses may take a lift-and-shift or rehosting approach to cloud adoption — simply moving applications to the cloud without redesigning them.

For example, they may use “compute services” to spin up virtual machines in which to place their code — just as they did when everything was in the data center. A lift-and-shift approach not only misses the point of cloud migration, but it also robs you of the opportunity to use all of the features and enjoy all of the benefits your CSP can provide.


Absent full-stack cloud engineers on staff, consider training one or more of your existing engineers in cloud technologies — but don’t do this yourself. Elegant technologies such as the cloud almost always seem simpler than they are. Trial and error can be an expensive way to learn, and will take much more time than working with someone who already knows the ins and outs of the cloud.

Partnering with an organization or individual with cloud migration/modernization and management experience is the best and most-efficient way to move your project forward.

A CISO-led strategic partnership could benefit other members of the C-suite, too. For instance, your CTO might save money on personnel if you can upskill the engineers you already have on staff and automate infrastructure and application changes to the cloud environments you use — a win-win.

Also, make sure you know what your CSP offers. Take advantage of every possible resource, such as platform as a service (PaaS), which allows you to scale up or down as needed.

Automating cloud security

The cloud is always on and always changing—so your cloud security program must be as well. Automation is key. Here are steps to take for powerful and effective automated cloud security.

Design secure cloud blueprints

Draw common cloud-architecture blueprints that include security controls. Standardize your approved security architecture solutions.

Build hardened IaC templates

Define secure resource configuration patterns using IaC tooling. Establish “golden templates” for infrastructure to establish security and architecture boundaries.

Test/scan your application and infrastructure security (DevSecOps)

Test against defined security baselines and detect misconfigurations before deploying to the cloud. Identify and address vulnerabilities and weaknesses in the codebase before release.

Post-deployment, use drift and runtime detection to manage your cloud security

To enable compliance with cloud frameworks, use continuous configuration monitoring. Monitor for any changes that diminish your compliance with security standards, as well as for nascent threats so you don’t have to continually assess your cloud environment’s security.

Use governance for continued cloud security hygiene

Monitor adherence to life-cycle management standards, to detect out-of-policy cloud resources. Collect cloud security hygiene metrics in a centralized dashboard to encourage self-monitoring.

Bottom line

Cloud security can seem overwhelming — but it is manageable. With the recommendations outlined here, you’ll be well positioned to reap the rewards that motivated your migration to the cloud in the first place. You’ll also position your organization for the coming evolution of cloud security, one that’s poised to include prevalent machine learning, cloud security posture management and confidential computing — topics we shall turn to in future thought leadership.

This article first appeared in the PwC Cyber and Privacy Innovation Institute.


How can we help you foster cloud security?

Cybersecurity, Privacy and Forensics solutions

Learn more

Fast forward your business with cloud. Ready to get started?

PwC’s Cloud Transformation solution

Learn more

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US


Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US


Nitesh Dhanjani

Principal, PwC US


Rich Kneeley

Managing Director, Cyber, Risk and Regulatory, PwC US


Next and previous component will go here

Follow us