Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/18/2019
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

As Cloud Adoption Grows, DLP Remains Key Challenge

As businesses use the cloud to fuel growth, many fail to enforce data loss prevention or control how people share data.

The cloud is no longer a mystery to today's companies, which capitalize on its benefits to fuel growth, but securing cloud-based data, applications, and infrastructure remains a challenge.

As part of its most recent "Cloud Adoption and Risk Report," researchers with McAfee polled 1,000 enterprise organizations around the world and combined their data with insight from billions of anonymized cloud events across their customer base. Most cloud adopters (87%) report business acceleration, and 52% claim to experience better security. A closer look at the numbers, however, reveals a need to better control information and applications in the cloud.

Only 26% of respondents say they can audit infrastructure-as-a-service (IaaS) configurations such as open access to storage buckets. One-third say they can control application collaboration settings. Slightly more (36%) can enforce data loss prevention (DLP) in the cloud. More than 35% of businesses with a cloud access security broker (CASB) are more likely to be able to launch new products and speed time to market — but only one-third of respondents use them.

"It's a matter of maturity," says Vittorio Viarengo, vice president of product for McAfee's cloud unit. Two years ago, security was the main obstacle to cloud adoption as companies hesitated to share data with providers. Now, with providers buckling down on security and business decisions accelerating the transition to the cloud, they've grown accustomed to the switch but fail to realize cloud providers don't cover all security. In some ways, they're still responsible.

As researchers point out in the report, the one element of security that cloud providers can't cover for their customers is how their services are actually used, specifically the data that is stored in those services, shared externally, and accessed from myriad devices and locations. For example, say confidential data is stored in an Office 365 file shared with a customer, Viarengo explains. "Of course, Microsoft isn't going to be responsible for that … that's user behavior."

It's worth noting only 40% of respondents can control access to cloud data for personal devices, meaning 60% have no knowledge of how employees are putting sensitive files on their phones or laptops and taking it out of the organization. Thirty percent enforce the same DLP policies across employee devices, the corporate network, and the cloud, researchers discovered.

The shared responsibility model dictates how businesses are responsible for data. Businesses need to know what data needs to be protected, where it goes, and who can access it based on internal policies and compliance requirements. First, they have to know where data resides.

Sensitive Data: Emerging from Shadow IT
One-third of respondents say they can discover and remediate shadow IT, but Viarengo points out that companies have taken steps to address this problem and officially sanction cloud apps and services. Researchers report only 10% of sensitive company data resides in unsanctioned applications, and the overall risk of sensitive data exposure via shadow IT has diminished.

So, where is sensitive data stored? Sixty-five percent is stored in collaboration and business apps, including Office 365, which holds 31% of sensitive enterprise data. Salesforce holds 16%, and Box and Dropbox together hold 7%. Overall, 25% of sensitive corporate data lives in IaaS platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

When protecting data in the cloud, researchers recommend starting with apps that hold the majority of sensitive information and working your way down. Whether the business already uses those apps or is planning to launch them, the approach can help maximize risk mitigation.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...