Cloud

2/20/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

As Businesses Move Critical Data to Cloud, Security Risks Abound

Companies think their data is safer in the public cloud than in on-prem data centers, but the transition is driving security issues.

More business-critical data is finding a new home in the public cloud, which 72% of organizations believe is more secure than their on-prem data centers. But the cloud is fraught with security challenges: Shadow IT, shared responsibility, and poor visibility put data at risk.

These insights come from the second annual "Oracle and KPMG Cloud Threat Report 2019," a deep dive into enterprise cloud security trends. Between 2018 and 2020, researchers predict the number of organizations with more than half of their data in the cloud to increase by a factor of 3.5.

"We're seeing, by and large, respondents are having a high degree of trust in the cloud," says Greg Jensen, senior principal director of security at Oracle. "From last year to this year, we saw an increase in this trust."

It's a definite shift from a time in the not-so-distant past when businesses felt the cloud was less secure than their on-prem data centers. Cloud services are no longer nice-to-have elements of IT; they handle core functions related to all aspects of business operations. Software-as-a-service (SaaS) applications, in use among 84% of respondents, help remove cost and complexity of on-prem infrastructure.

Organizations have begun to test business-critical services in the cloud in recent years, Jensen says. Within the past couple of years there has been a "tipping point" at which a large percentage of businesses are diving in. More than 70% of survey respondents say the majority of their cloud-based data is sensitive, an increase from 50% who said the same last year.

The rise of automation has contributed to a change in mindset and businesses' sense of safety, Jensen continues. And while the cloud brings several benefits, the expectation that it solves all problems is flawed. "Cloud does still take work," he adds, and does require human effort.

CISOs on the Cloud Security Sidelines
Most (82%) of respondents polled have experienced security events due to confusion in the shared responsibility model. It's not for lack of effort: Nintey-one percent have formal methodologies for cloud use; however, 71% think employees violate policies and lead to malware and data compromise.

While many cloud security providers offer native security controls, it's up to the organization to apply and manage those controls or ones offered by third parties. Researchers found the less customers are responsible for, the more confused they are about security responsibilities. For instance, 54% of respondents expressed confusion with how they should be securing SaaS, even though their responsibility is limited to two things: data and user access and identity.

People who should know about this responsibility are in the dark. Only 10% of CISOs polled fully understand the shared responsibility model, compared with 26% of CIOs who reported no confusion. Researchers attribute the gap to CISOs' lack of involvement in cloud services.

"CISOs are really one of the newer C-level roles of the cyber enterprise today, and they've struggled attaching themselves in more of a collaborative way," Jensen says. And while CISOs, CIOs, data privacy officers, and other executives should share responsibility to protect data, it's typically the person in charge of security who takes the fall when there's a major cyberattack.

Of course, it doesn't help when different cloud providers have different models. Eighty-nine percent of respondents say the varying models have been a "significant challenge," and 46% have had to dedicate one or more resources to it; 43% are managing with existing resources.

The Problems with Poor Visibility
Visibility remains the top cloud security challenge, report 38% of respondents. Thirty percent say they are challenged by the inability of existing network security controls to provide visibility into public cloud workloads. Jensen says this finding is consistent with 2017 findings.

"What we're seeing is this issue, very similar to last year, the No. 1 security challenge cloud organizations are dealing with is detecting and reacting to what we call security event telemetry in the cloud," he adds. Security teams' inability to detect and respond to events has been at the center of several high-profile data breaches, researchers note in the full report.

Only 12% of respondents can see more than 75% of security event data. Nineteen percent can analyze 61% to 75% of security data, and 27% (the highest percentage) can view 41% to 60%.

Third parties that have access to an organization's cloud data can drive risk. Business partners, supply chain partners, contractors, auditors, part-time employees, customers, and other individuals all use different devices and operate under different policies than full-time workers. Enterprise file sync-and-share (EFSS) services, one of the most common types of shadow IT applications, are often used to share data inside and outside organizations.

"There are challenges around how companies are losing control of their intellectual property," which increases their exposure to data breaches, says Jensen. About half (49%) of businesses were hit with malware due to third-party compromise; 46% reported unauthorized data access.

Shadow IT is a key driver of cloud security challenges. Most organizations report having a formal policy to review and approve cloud applications; however, 92% of this year's respondents are concerned those policies are being violated. Nearly 70% are aware of a "moderate or significant" amount of shadow IT apps in use, and 50% say the use of unsanctioned cloud apps has led to unauthorized access to corporate data.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
2/21/2019 | 8:33:11 AM
Advice from Woz
Steve Wozniak - the savant from Apple so long ago - said simply that there is "no security in the cloud."  There is none to the extent that the cloud is nothing really than a longer RJ-45 cable or Fibre or Wireless connection from systems to a "server" somewhere in the world that is managed by God knows who and unknown hands are on THAT keyboard doing whatever they want with the data.  It's FAR safer in a secure data center but going to the cloud means you can fire Data center staff, tear it apart as much as you can can to make a cafeteria out of the new space or coffee lounge for staff. 
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.