The cloud is no longer a mystery to today's companies, which capitalize on its benefits to fuel growth, but securing cloud-based data, applications, and infrastructure remains a challenge.
As part of its most recent "Cloud Adoption and Risk Report," researchers with McAfee polled 1,000 enterprise organizations around the world and combined their data with insight from billions of anonymized cloud events across their customer base. Most cloud adopters (87%) report business acceleration, and 52% claim to experience better security. A closer look at the numbers, however, reveals a need to better control information and applications in the cloud.
Only 26% of respondents say they can audit infrastructure-as-a-service (IaaS) configurations such as open access to storage buckets. One-third say they can control application collaboration settings. Slightly more (36%) can enforce data loss prevention (DLP) in the cloud. More than 35% of businesses with a cloud access security broker (CASB) are more likely to be able to launch new products and speed time to market — but only one-third of respondents use them.
"It's a matter of maturity," says Vittorio Viarengo, vice president of product for McAfee's cloud unit. Two years ago, security was the main obstacle to cloud adoption as companies hesitated to share data with providers. Now, with providers buckling down on security and business decisions accelerating the transition to the cloud, they've grown accustomed to the switch but fail to realize cloud providers don't cover all security. In some ways, they're still responsible.
As researchers point out in the report, the one element of security that cloud providers can't cover for their customers is how their services are actually used, specifically the data that is stored in those services, shared externally, and accessed from myriad devices and locations. For example, say confidential data is stored in an Office 365 file shared with a customer, Viarengo explains. "Of course, Microsoft isn't going to be responsible for that … that's user behavior."
It's worth noting only 40% of respondents can control access to cloud data for personal devices, meaning 60% have no knowledge of how employees are putting sensitive files on their phones or laptops and taking it out of the organization. Thirty percent enforce the same DLP policies across employee devices, the corporate network, and the cloud, researchers discovered.
The shared responsibility model dictates how businesses are responsible for data. Businesses need to know what data needs to be protected, where it goes, and who can access it based on internal policies and compliance requirements. First, they have to know where data resides.
Sensitive Data: Emerging from Shadow IT
One-third of respondents say they can discover and remediate shadow IT, but Viarengo points out that companies have taken steps to address this problem and officially sanction cloud apps and services. Researchers report only 10% of sensitive company data resides in unsanctioned applications, and the overall risk of sensitive data exposure via shadow IT has diminished.
So, where is sensitive data stored? Sixty-five percent is stored in collaboration and business apps, including Office 365, which holds 31% of sensitive enterprise data. Salesforce holds 16%, and Box and Dropbox together hold 7%. Overall, 25% of sensitive corporate data lives in IaaS platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.
When protecting data in the cloud, researchers recommend starting with apps that hold the majority of sensitive information and working your way down. Whether the business already uses those apps or is planning to launch them, the approach can help maximize risk mitigation.