Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/18/2019
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

As Cloud Adoption Grows, DLP Remains Key Challenge

As businesses use the cloud to fuel growth, many fail to enforce data loss prevention or control how people share data.

The cloud is no longer a mystery to today's companies, which capitalize on its benefits to fuel growth, but securing cloud-based data, applications, and infrastructure remains a challenge.

As part of its most recent "Cloud Adoption and Risk Report," researchers with McAfee polled 1,000 enterprise organizations around the world and combined their data with insight from billions of anonymized cloud events across their customer base. Most cloud adopters (87%) report business acceleration, and 52% claim to experience better security. A closer look at the numbers, however, reveals a need to better control information and applications in the cloud.

Only 26% of respondents say they can audit infrastructure-as-a-service (IaaS) configurations such as open access to storage buckets. One-third say they can control application collaboration settings. Slightly more (36%) can enforce data loss prevention (DLP) in the cloud. More than 35% of businesses with a cloud access security broker (CASB) are more likely to be able to launch new products and speed time to market — but only one-third of respondents use them.

"It's a matter of maturity," says Vittorio Viarengo, vice president of product for McAfee's cloud unit. Two years ago, security was the main obstacle to cloud adoption as companies hesitated to share data with providers. Now, with providers buckling down on security and business decisions accelerating the transition to the cloud, they've grown accustomed to the switch but fail to realize cloud providers don't cover all security. In some ways, they're still responsible.

As researchers point out in the report, the one element of security that cloud providers can't cover for their customers is how their services are actually used, specifically the data that is stored in those services, shared externally, and accessed from myriad devices and locations. For example, say confidential data is stored in an Office 365 file shared with a customer, Viarengo explains. "Of course, Microsoft isn't going to be responsible for that … that's user behavior."

It's worth noting only 40% of respondents can control access to cloud data for personal devices, meaning 60% have no knowledge of how employees are putting sensitive files on their phones or laptops and taking it out of the organization. Thirty percent enforce the same DLP policies across employee devices, the corporate network, and the cloud, researchers discovered.

The shared responsibility model dictates how businesses are responsible for data. Businesses need to know what data needs to be protected, where it goes, and who can access it based on internal policies and compliance requirements. First, they have to know where data resides.

Sensitive Data: Emerging from Shadow IT
One-third of respondents say they can discover and remediate shadow IT, but Viarengo points out that companies have taken steps to address this problem and officially sanction cloud apps and services. Researchers report only 10% of sensitive company data resides in unsanctioned applications, and the overall risk of sensitive data exposure via shadow IT has diminished.

So, where is sensitive data stored? Sixty-five percent is stored in collaboration and business apps, including Office 365, which holds 31% of sensitive enterprise data. Salesforce holds 16%, and Box and Dropbox together hold 7%. Overall, 25% of sensitive corporate data lives in IaaS platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

When protecting data in the cloud, researchers recommend starting with apps that hold the majority of sensitive information and working your way down. Whether the business already uses those apps or is planning to launch them, the approach can help maximize risk mitigation.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.