Middle East CISOs Fear Disruptive Cloud Breach

As organizations in the Middle East increasingly adopt cloud services, business leaders worry that their cloud-security measures are falling short. 

Seven-in-ten organizations say their "cloud security is lacking" and could not stop an attack, higher than the 63% of companies globally worried about the security of their cloud infrastructure, according to a cloud survey of CISOs in the Mideast by network security firm Illumio this week.

"This is much higher than the global average, which suggests a higher degree of vulnerability when it comes to cloud security in the Middle East," says Raghu Nandakumara, senior director of industry solutions at Illumio.

Running in the Cloud

The worries arise as organizations in the Middle East accelerate their cloud adoption. More than three-quarters of organizations in Saudi Arabia and the United Arab Emirates (UAE) run high-value applications in the cloud, and almost all (98%) store sensitive data in the cloud. 

The combined cloud adoption in the UAE and Saudi Arabia is setting the pace for growth in the region with a projected compound annual growth rate of approximately 24% from 2022 to 2027, says Manish Ranjan, senior research manager for IDC's software, cloud, and IT services (META) group, who notes that hyper-scale cloud providers, such as Amazon and Google, have expanded their data centers in the area.

"These investments in cloud data centers have led many organizations to adopt a 'Cloud First' and 'Cloud Only' strategy, significantly boosting cloud adoption in the Middle East," he says. "Various industries, including government, banking, finance, retail, manufacturing, education, and transportation, are embracing cloud services to accelerate their digitization efforts."

Unique Approaches to Cloud Security

Each country has taken its own approach in adopting cloud services, with cybersecurity concerns and geopolitics resulting in country-specific trends.

Data sovereignty regulations and de-globalization trends, for example, have led to the deployment of multi-cloud infrastructures that can support regional regulations and business mandates, according to the March research report, The Future of Cloud Security in the Middle East.

"You will have your own cloud service provider within each country and already countries are adopting that culture — be it in the UAE or Saudi Arabia or any other country in the region," Rajesh Yadla, director head of information security for Al Hilal Bank, stated in that report. "The reason is to make sure that the cloud service providers are compliant with all these regulations."

Business and government leaders have taken cybersecurity seriously, however, with security the top factor in choosing a cloud provider, with 43% of companies prioritizing security, compared to 19% prioritizing cost, according to the report. 

Both Saudi Arabia and the UAE rank in the top 10 nations for cybersecurity, as measured by the Global Cybersecurity Index 2020, the most recent cybersecurity rankings of countries across the globe compiled by the International Telecommunication Union (ITU).

Attacks Ramp Up Against Cloud

Despite prioritizing cloud security, organizations remain worried. An increasing amount of business operations happen in the cloud, resulting in attackers more likely targeting cloud services, and cloud-focused exploitation nearly doubling last year.

Most critically, nearly half (46%) of organizations in Saudi Arabia and the UAE fear that a cloud breach would severely disrupt business operations, according to Illumio's data. Compared to their Middle Eastern peers, fewer organizations in other regions (63%) are worried that their cloud security falls short, but slightly more (48%) believe that a cloud breach would make normal operations impossible. 

"To drive agility, which is often a key reason for cloud migration, organizations are dependent on more third-party developed components, and if one or more of those components are compromised, attackers can easily gain access to the company's cloud environment and move laterally," says Illumio's Nandakumara.

While the average organization worldwide lost nearly $4.1 million to cloud breaches in the last year, the losses were more modest for firms in Saudi Arabia and the UAE, about $2.3 million, the report found.

The lesson in the trend, however, is not necessarily to slow deployment of cloud services, but to understand security controls and each parties' responsibilities for security, says Jim Reavis, CEO and co-founder of the Cloud Security Alliance (CSA).

Attackers are moving naturally to the cloud, not because of any weakness, but because the cloud is increasingly where companies are keeping their critical assets, Reavis says, who noted that every corporate member of the CSA from the Middle East has joined in the last five years.

"This is not a function of any inherent cloud architectural issue, but rather the reality the threat actors are adapting their tools and techniques in compliance with the Willie Sutton Law — 'Because that's where the money is,'" he says.