Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/16/2018
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Large Majority of Businesses Store Sensitive Data in Cloud Despite Lack of Trust

Researchers report 97% of survey respondents use some type of cloud service but continue to navigate issues around visibility and control.

RSA CONFERENCE 2018 – San Francisco – Businesses relying on public cloud storage aren't entirely sure their data will be safe there, researchers at McAfee report. Eighty-three percent of companies surveyed store sensitive data in the public cloud, but only 69% trust the cloud will keep their information secure.

Results of the survey, which polled 1,400 IT professionals on cloud adoption and security, showed 97% of respondents are using some type of cloud service but continue to navigate issues around visibility and control. Some are moving to the cloud slowly, held back by poor visibility; others are moving ahead despite the risk of security issues.

Personal customer information is the most common form of cloud-based sensitive data, 61% of organizations report. About 40% use the cloud to store at least one of the following data types: internal documentation, payment card data, personal staff information or government identification. About 30% keep intellectual property, healthcare records, competitive intelligence, and network pass cards in the public cloud.

Survey results show once it's in the cloud, this information is at risk. One in four organizations using infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) has had their data stolen. One in five has been hit with an advanced attack against their public cloud infrastructure.

McAfee researchers discovered an overall decline in the "cloud-first" mentality, with only 65% of respondents reporting a cloud-first strategy compared with 82% one year ago. This drop can be attributed to two factors, says Vittorio Viarengo, vice president of marketing for McAfee's Cloud Business Unit. The first is a growing awareness of the responsibility that comes with storing data in the public cloud.

"Customers are realizing they're still on the hook to provide security for some of the things that happen in the cloud," he explains. They're learning, for example, service providers don't ensure their logins are properly set up, or the security risks of remote employees using cloud services. They're learning what they're responsible for when they use IaaS platforms versus SaaS.

The second is an acceptance that they don't immediately need to move everything to the public cloud, an option especially appealing to institutions like the government, which is one of many industries that's still skeptical of the cloud, says Viarengo.

"They are realizing the hybrid cloud and private cloud they've been building for years, are going to be around for a long time," he says. If an organization has invested twenty years in on-prem processes, it might be easier to keep running them on-prem than move them into the cloud.

The combination of public and private cloud is the most common architecture, with 59% of respondents stating they use hybrid cloud. The larger the business, the more likely it is to go hybrid: in organizations with up to 1,000 employees, 54% relied on hybrid cloud; in enterprises with more than 5,000 employees, 65% use it.

As the cloud becomes more popular, security teams should be looking outside their organization's perimeter and rethinking their security models. Tasks IT used to do will be replaced as cloud continues to grow and businesses lose control over the networks, devices, and applications storing their data. Cloud-focused IT teams don't have the same visibility as they did with on-prem environments.

"User preference is in the cloud," Viarengo points out. "And in the cloud, you don't own anything but you're still on the hook for security … [organizations] need to ascertain visibility and control over enterprise data when they don't own the back end."

Companies leading the charge in cloud adoption are most concerned about visibility, which lets them adopt cloud sooner, and improved controls. Those who prioritize visibility are more likely to have a relaxed approach to shadow IT, researchers found. They view it not as something to shut down, but instead a sign of how the workplace will operate in the future.

Viarengo emphasizes three steps for companies to take when moving data and processes to the cloud. The first of these is to classify information. "As data is uploaded or created in the cloud, you need a mechanism to know what's inside it," he says, noting that the cloud holds credit card information, corporate secrets, patent data, or healthcare data, you'll need to know how to secure it.

Next up: define the policy, and what's acceptable and unacceptable as far as your company is concerned. Is it ok to share data that has confidential information? If so, with whom can that information be shared? Can people access confidential data from their personal devices?

His third recommendation is to "track everything that goes on." Know which users can access which applications, and from which locations and devices they access them. You'll be able to establish patterns for each user and, when something happens, you can go back and conduct forensics on the information you collected. If someone normally accesses data from Palo Alto, and ten minutes later they access the same data from China, it's a red flag.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Rocky7000
50%
50%
Rocky7000,
User Rank: Apprentice
4/18/2018 | 11:51:12 AM
Cloud computing
Cloud computing is a booming system in the area of technology, and many businesses organizations are saving their data in the cloud storage. Most of the industries also do not trust in the cloud computing but they are storing data in that. iPhone Support also uses cloud computing to store and save their data.
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32238
PUBLISHED: 2021-05-18
Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow. Stack-based buffer overflow occurs when Rocket League handles UPK object files that can result in code execution and denial of service scenario.
CVE-2020-23851
PUBLISHED: 2021-05-18
A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image.
CVE-2020-23852
PUBLISHED: 2021-05-18
A heap based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c (line 544 & line 545), which could cause a denial of service by submitting a malicious jpeg image.
CVE-2020-23856
PUBLISHED: 2021-05-18
Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.
CVE-2020-24026
PUBLISHED: 2021-05-18
TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /evaluate/index.php page. The vulnerability may be exploited remotely, resulting in cross-site scripting...