Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/20/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

As Businesses Move Critical Data to Cloud, Security Risks Abound

Companies think their data is safer in the public cloud than in on-prem data centers, but the transition is driving security issues.

More business-critical data is finding a new home in the public cloud, which 72% of organizations believe is more secure than their on-prem data centers. But the cloud is fraught with security challenges: Shadow IT, shared responsibility, and poor visibility put data at risk.

These insights come from the second annual "Oracle and KPMG Cloud Threat Report 2019," a deep dive into enterprise cloud security trends. Between 2018 and 2020, researchers predict the number of organizations with more than half of their data in the cloud to increase by a factor of 3.5.

"We're seeing, by and large, respondents are having a high degree of trust in the cloud," says Greg Jensen, senior principal director of security at Oracle. "From last year to this year, we saw an increase in this trust."

It's a definite shift from a time in the not-so-distant past when businesses felt the cloud was less secure than their on-prem data centers. Cloud services are no longer nice-to-have elements of IT; they handle core functions related to all aspects of business operations. Software-as-a-service (SaaS) applications, in use among 84% of respondents, help remove cost and complexity of on-prem infrastructure.

Organizations have begun to test business-critical services in the cloud in recent years, Jensen says. Within the past couple of years there has been a "tipping point" at which a large percentage of businesses are diving in. More than 70% of survey respondents say the majority of their cloud-based data is sensitive, an increase from 50% who said the same last year.

The rise of automation has contributed to a change in mindset and businesses' sense of safety, Jensen continues. And while the cloud brings several benefits, the expectation that it solves all problems is flawed. "Cloud does still take work," he adds, and does require human effort.

CISOs on the Cloud Security Sidelines
Most (82%) of respondents polled have experienced security events due to confusion in the shared responsibility model. It's not for lack of effort: Nintey-one percent have formal methodologies for cloud use; however, 71% think employees violate policies and lead to malware and data compromise.

While many cloud security providers offer native security controls, it's up to the organization to apply and manage those controls or ones offered by third parties. Researchers found the less customers are responsible for, the more confused they are about security responsibilities. For instance, 54% of respondents expressed confusion with how they should be securing SaaS, even though their responsibility is limited to two things: data and user access and identity.

People who should know about this responsibility are in the dark. Only 10% of CISOs polled fully understand the shared responsibility model, compared with 26% of CIOs who reported no confusion. Researchers attribute the gap to CISOs' lack of involvement in cloud services.

"CISOs are really one of the newer C-level roles of the cyber enterprise today, and they've struggled attaching themselves in more of a collaborative way," Jensen says. And while CISOs, CIOs, data privacy officers, and other executives should share responsibility to protect data, it's typically the person in charge of security who takes the fall when there's a major cyberattack.

Of course, it doesn't help when different cloud providers have different models. Eighty-nine percent of respondents say the varying models have been a "significant challenge," and 46% have had to dedicate one or more resources to it; 43% are managing with existing resources.

The Problems with Poor Visibility
Visibility remains the top cloud security challenge, report 38% of respondents. Thirty percent say they are challenged by the inability of existing network security controls to provide visibility into public cloud workloads. Jensen says this finding is consistent with 2017 findings.

"What we're seeing is this issue, very similar to last year, the No. 1 security challenge cloud organizations are dealing with is detecting and reacting to what we call security event telemetry in the cloud," he adds. Security teams' inability to detect and respond to events has been at the center of several high-profile data breaches, researchers note in the full report.

Only 12% of respondents can see more than 75% of security event data. Nineteen percent can analyze 61% to 75% of security data, and 27% (the highest percentage) can view 41% to 60%.

Third parties that have access to an organization's cloud data can drive risk. Business partners, supply chain partners, contractors, auditors, part-time employees, customers, and other individuals all use different devices and operate under different policies than full-time workers. Enterprise file sync-and-share (EFSS) services, one of the most common types of shadow IT applications, are often used to share data inside and outside organizations.

"There are challenges around how companies are losing control of their intellectual property," which increases their exposure to data breaches, says Jensen. About half (49%) of businesses were hit with malware due to third-party compromise; 46% reported unauthorized data access.

Shadow IT is a key driver of cloud security challenges. Most organizations report having a formal policy to review and approve cloud applications; however, 92% of this year's respondents are concerned those policies are being violated. Nearly 70% are aware of a "moderate or significant" amount of shadow IT apps in use, and 50% say the use of unsanctioned cloud apps has led to unauthorized access to corporate data.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
2/21/2019 | 8:33:11 AM
Advice from Woz
Steve Wozniak - the savant from Apple so long ago - said simply that there is "no security in the cloud."  There is none to the extent that the cloud is nothing really than a longer RJ-45 cable or Fibre or Wireless connection from systems to a "server" somewhere in the world that is managed by God knows who and unknown hands are on THAT keyboard doing whatever they want with the data.  It's FAR safer in a secure data center but going to the cloud means you can fire Data center staff, tear it apart as much as you can can to make a cafeteria out of the new space or coffee lounge for staff. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17123
PUBLISHED: 2019-12-13
The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)
CVE-2019-19774
PUBLISHED: 2019-12-13
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential...
CVE-2019-19790
PUBLISHED: 2019-12-13
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All...
CVE-2019-19793
PUBLISHED: 2019-12-13
In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Windows, a local or remote user from the same domain can gain privileges.
CVE-2019-19722
PUBLISHED: 2019-12-13
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.