Dark Reading is part of the Informa Tech Division of Informa PLC


9/16/2017
09:00 AM

Public, Hybrid Cloud Security Fears Abound

Most CISOs say encryption is the most effective security tool for data in the public cloud, but only one in six encrypt all data stored there.

The transition to the public cloud is a major concern for security leaders, but many haven't adopted the tools to address their biggest fears.

Security firm Bitdefender polled 1,051 IT security pros to learn more about the pressures of cloud migration as part of its report "Virtualization's hidden traps: Security has become a battlefield for CISOs." Respondents represent large businesses (1000+ PCs and data centers) based in the United States, the UK, France, Italy, Sweden, Denmark, and Germany.

Senior eThreat analyst Bogdan Botezatu says the high number of respondents concerned with public cloud security doesn't hold up in the bigger picture: when asked about the most concerning data points, 22% of respondents encrypt already-migrated data.

"This was the first finding that took us a little bit by surprise," he says. "Twenty-two percent of information encrypted is very, very low."

To put that number into context, about 82% of CISOs surveyed say encryption is the most effective security mechanism to protect public-cloud data. Security software was next, cited by 75% of those surveyed, followed by backups, trusted by half of respondents.

Researchers found one-third of US companies secure 31% to 60% of data stored in the public cloud. Only 20% encrypt all data stored there. Fifteen percent of CISOs don't deploy security in the public cloud, and 17% don't encrypt data in transit from their data center to an external one.

Why only encrypt part of the data? "Some companies only encrypt information they are legally required to encrypt," says Botezatu. This usually includes financial information but does not extend to emails, chats, communications, or anything beyond financial data.

"It's something we have seen in the past and could have anticipated … encryption requires more processing power and is more complicated than storing information in plaintext," he continues. "Companies that don't have access to hardware will prioritize what they encrypt and where they will store that information … it's a security versus performance tradeoff."

Security leaders' biggest concern is that information stored in the public cloud will unintentionally be made public. They are focusing more on data leaks and less on other types of cyberattacks, such as malware, phishing, or other threats that could affect their infrastructure.

A data leak could potentially be devastating, especially to an organization with fewer resources, says Botezatu, who cites the Ashley Madison incident as an example.

"There are plenty of other examples of smaller companies who don't have the financial powers of the big companies to defend their users against identity theft or misuse of their personal information," he explains.

Hybrid Cloud, Hybrid Problems

The rise of hybrid cloud, already in place at 70% of global companies, is giving rise to a new set of security challenges. CISOs are exploring new technologies to fight zero-days, advanced persistent threats (APTs), and other types of related threats.

Some of the biggest challenges in securing the hybrid cloud include synchronizing the public and private clouds, determining what happens with interconnectivity in case of an outage, meeting legislation to ensure information doesn't illegally transfer to another data center, and protecting all of this information stored under such a large attack surface, Botezatu explains.

"People have realized backups are tricky and rarely validated, and access to the backup is also often not restricted," he continues. "When you have a cloud you can take backups everywhere - chances are at some point, you forget about those backups and who has access to them."

The questions of who has access to backups and who has access to virtual machine snapshots are considered some of the biggest issues with virtualization. All of the virtual machines you create have users who could use them as backdoors if they become disgruntled employees.

Botezatu suggests perhaps encryption will become more broadly used when the EU's GDPR goes into effect in May 2018. Many businesses still struggle to comply with new regulations, which require data be adequately protected. When breaches occur, businesses must have notification capabilities that align with GDPR standards. Gartner anticipates by the end of 2018, more than half of companies affected by GDPR will not fully comply with the requirements.

More CISOs have started to become part of the board, which Botezatu says could help them implement good practices. Many CIOs and CISOs are confronted with underfunding because they typically answer to the financial department, not the board. A company should spend 20% of its revenue on ensuring security, he says, but "this never happens."

If the board understands that security should be an important discussion, like a business operation, that 20% investment will be granted. Securing the data center is as important as securing your own premises.

"They need to be very careful about their budgets and the way they invest in security," says Botezatu of business leaders. "They need to understand the days where companies operate in a brick-and-mortar building are over now."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
