Risk Disconnect in the Cloud

Cloud adoption may be hopping, but many enterprises still wrestle with how to identify and manage their security risks with these services.

A new study conducted by the Cloud Security Alliance (CSA) and Google Cloud underscores that while the cloud ideally could help bolster security for organizations, many aren't adeptly handling their risk management in the cloud just yet. 

"Organizations are not taking advantage as aggressively of the capabilities to have a more secure environment" with cloud, says Jim Reavis, CEO of the CSA. "They're not being as proactive in monitoring and managing risk."

Interestingly, it appears many organizations may not know for sure the extent of their cloud adoption. Some 51% say that they now run 41% of their workloads in the public cloud, but it turns out most of them (85%) are not using cloud discovery tools to quantify that but, rather, estimating their use via manual methods. Those who use discovery tools including a cloud access security broker, or CASB (15%), to map their cloud workloads report 31% more cloud usage than those who performed manual assessments — a clue that most organizations relying on manual tracking don't have a complete inventory of what's running in their cloud services, according to the study.

"You can't manage the risk of things you don't know about. The basic things lead to either breaches or data exposure, exfiltration, or a ransomware attack if you are not keeping your cloud assets updated and there are gaps in your usage of cloud," Reavis notes. But the cloud offers a better way to manage assets, he says, than traditional IT networks.

“There are tools there," and automated ways to detect and secure cloud assets, he says.

The study confirms a significant rise in cloud adoption. The average number of software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) services used by organizations was more than 147, up from 38 in 2020. Some 66% of organizations say they have 100 or fewer services; 32%, from 101 to 999; and 3%, 1,000 or more services.

The most commonly used infrastructure-as-a-service (IaaS) cloud platform is Azure (70%), followed closely by AWS (65%), and then Google Cloud at 24%, according to the study.

"Enterprises interviewed intend on increasing their workloads in the cloud over the next 12 months. With enterprises continuing to add production in the cloud and using more cloud services, managing cloud and digital assets will be critical in the management and measurement of risk in the cloud," according to the report.

The goal of the study was to gauge organizations' challenges of risk management in public cloud services, and Google and the CSA gathered survey data as well as interviews in 2021 with 600 IT and security professionals.

Cloud Escape

While the cloud is becoming more pervasive for IT operations, there has not been a correlation or increase in data breaches, Reavis notes.

To date, nearly all publicly disclosed breaches in the cloud have stemmed from misconfigurations, not cyberattacks, says Phil Venables, CISO at Google Cloud. "To prevent and address the risk of misconfigurations and compliance violations earlier in the development process, security leaders have started to embrace security as code to achieve the speed and agility of DevOps, reduce risk, and more securely create value in the cloud," Venables says.

For its part, Google offers a series of blueprints for its customers to help avoid misconfigurations and other cloud mistakes, such as its Risk and Compliance as Code (RCaC), Secure Foundations guide, and Cloud Architecture Center, for example.

"Blueprints help our customers rapidly configure cloud environments in a secure and compliant manner," notes Venables. "And ultimately, this level of secure hygiene helps prevent misconfigurations becoming a security risk or attacker entry point to cloud workloads."

According to the report, some 70% of organizations in the study say they don't have solid processes for mapping risk to their cloud assets. A tiny percentage — 4% — report that they have "highly effective" risk management in the cloud. Slightly more than 20% use cloud data-classification tools.

Meanwhile, the main security worries over applications in the cloud include loss of sensitive data (64%), improper configuration and security settings (51%), and unauthorized access (51%).