Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/16/2018
10:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Large Majority of Businesses Store Sensitive Data in Cloud Despite Lack of Trust

Researchers report 97% of survey respondents use some type of cloud service but continue to navigate issues around visibility and control.

RSA CONFERENCE 2018 – San Francisco – Businesses relying on public cloud storage aren't entirely sure their data will be safe there, researchers at McAfee report. Eighty-three percent of companies surveyed store sensitive data in the public cloud, but only 69% trust the cloud will keep their information secure.

Results of the survey, which polled 1,400 IT professionals on cloud adoption and security, showed 97% of respondents are using some type of cloud service but continue to navigate issues around visibility and control. Some are moving to the cloud slowly, held back by poor visibility; others are moving ahead despite the risk of security issues.

Personal customer information is the most common form of cloud-based sensitive data, 61% of organizations report. About 40% use the cloud to store at least one of the following data types: internal documentation, payment card data, personal staff information or government identification. About 30% keep intellectual property, healthcare records, competitive intelligence, and network pass cards in the public cloud.

Survey results show once it's in the cloud, this information is at risk. One in four organizations using infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) has had their data stolen. One in five has been hit with an advanced attack against their public cloud infrastructure.

McAfee researchers discovered an overall decline in the "cloud-first" mentality, with only 65% of respondents reporting a cloud-first strategy compared with 82% one year ago. This drop can be attributed to two factors, says Vittorio Viarengo, vice president of marketing for McAfee's Cloud Business Unit. The first is a growing awareness of the responsibility that comes with storing data in the public cloud.

"Customers are realizing they're still on the hook to provide security for some of the things that happen in the cloud," he explains. They're learning, for example, service providers don't ensure their logins are properly set up, or the security risks of remote employees using cloud services. They're learning what they're responsible for when they use IaaS platforms versus SaaS.

The second is an acceptance that they don't immediately need to move everything to the public cloud, an option especially appealing to institutions like the government, which is one of many industries that's still skeptical of the cloud, says Viarengo.

"They are realizing the hybrid cloud and private cloud they've been building for years, are going to be around for a long time," he says. If an organization has invested twenty years in on-prem processes, it might be easier to keep running them on-prem than move them into the cloud.

The combination of public and private cloud is the most common architecture, with 59% of respondents stating they use hybrid cloud. The larger the business, the more likely it is to go hybrid: in organizations with up to 1,000 employees, 54% relied on hybrid cloud; in enterprises with more than 5,000 employees, 65% use it.

As the cloud becomes more popular, security teams should be looking outside their organization's perimeter and rethinking their security models. Tasks IT used to do will be replaced as cloud continues to grow and businesses lose control over the networks, devices, and applications storing their data. Cloud-focused IT teams don't have the same visibility as they did with on-prem environments.

"User preference is in the cloud," Viarengo points out. "And in the cloud, you don't own anything but you're still on the hook for security … [organizations] need to ascertain visibility and control over enterprise data when they don't own the back end."

Companies leading the charge in cloud adoption are most concerned about visibility, which lets them adopt cloud sooner, and improved controls. Those who prioritize visibility are more likely to have a relaxed approach to shadow IT, researchers found. They view it not as something to shut down, but instead a sign of how the workplace will operate in the future.

Viarengo emphasizes three steps for companies to take when moving data and processes to the cloud. The first of these is to classify information. "As data is uploaded or created in the cloud, you need a mechanism to know what's inside it," he says, noting that the cloud holds credit card information, corporate secrets, patent data, or healthcare data, you'll need to know how to secure it.

Next up: define the policy, and what's acceptable and unacceptable as far as your company is concerned. Is it ok to share data that has confidential information? If so, with whom can that information be shared? Can people access confidential data from their personal devices?

His third recommendation is to "track everything that goes on." Know which users can access which applications, and from which locations and devices they access them. You'll be able to establish patterns for each user and, when something happens, you can go back and conduct forensics on the information you collected. If someone normally accesses data from Palo Alto, and ten minutes later they access the same data from China, it's a red flag.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Rocky7000
50%
50%
Rocky7000,
User Rank: Apprentice
4/18/2018 | 11:51:12 AM
Cloud computing
Cloud computing is a booming system in the area of technology, and many businesses organizations are saving their data in the cloud storage. Most of the industries also do not trust in the cloud computing but they are storing data in that. iPhone Support also uses cloud computing to store and save their data.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...