Companies are increasingly moving IT workloads to the cloud, but are they doing it at the risk of exposing themselves to a data breach?
Multiple studies confirm that businesses of all sizes and across all verticals are migrating a significant portion of their IT infrastructure to the public cloud. This isn’t a big surprise; there are often big cost-savings to moving IT workloads to the public cloud along with other benefits such as increased efficiencies, faster deployment time and increased flexibility. And let’s not forget another prominent benefit of the cloud: eliminating the headaches that come with managing on-premises IT systems.
According to a 2018 study conducted by Ponemon Institute, titled Closing the Cloud Security Gap, there’s several potentially harmful tradeoffs that go along with moving IT resources off premises. Here are four takeaways from the report along with tips for avoiding these potential pitfalls:
- Companies Lose Visibility in the Cloud. According to the survey, only 23% of the 1,670 IT security practitioners who participated in the research said their organizations had 360-degree visibility of the sensitive or confidential data collected, processed and/or stored in the cloud. Additionally, 50% said they weren’t confident that their IT organization knows all cloud applications in use today. And 69% rate the level of risk associated with not knowing all the cloud applications and platforms in use today as very high (33% of respondents) or high (36% of respondents).
- There’s a Lack of Concern about Cloud Security. Besides IT security personnel losing visibility of cloud apps and workloads, oftentimes line of business managers are given responsibilities for these tasks, which creates another problem — apathy. According to the report, 29% of respondents say the lines of business personnel are selecting and using cloud applications without the approval of IT or IT security. Additionally, 47% of lines of business respondents admit they select and use cloud applications without permission from IT.
- Lack of Security Controls. Another concern revealed in the survey was that most respondents say their organizations are not conducting rigorous security auditing and testing practices to verify the security of cloud applications prior to deployment. Only 30% of respondents say always or most of the time this step is taken.
Where this problem is particularly noticeable is with SaaS (software as a service) and PaaS (platform as a service) workloads. Per the study, only 20% of IT security respondents said they were responsible for ensuring the security of SaaS and PaaS. Twenty-nine percent said the cloud service provider was responsible for ensuring the security of SaaS and only 28% of respondents said the IT function was responsible for PaaS security.
The fact is that public cloud providers only protect their platforms — not the data that’s housed inside. The public cloud is built on a “shared responsibility model,” which means the provider has some security responsibilities, but customers bare part of the burden, too.
- Cloud Provider Breaches are a Real Thing. Cloud providers’ track record for securing their customers’ data is far from spotless. For example, a 2017 study by SkyHigh Networks found 7% of all Amazon S3 servers were exposed, which was believed to be a leading factor behind numerous data leaks, such as leaked personal information on 198 million American voters, 14 million Verizon customers and several Viacom networks.
The Ponemon study further confirms these security concerns. Fifty percent of respondents said their organizations experienced a data breach caused by one of their cloud providers (39%) or they were unsure (11%). More than one-third of respondents said that as a result of the data breach their organizations terminated the relationship with the cloud service provider. Additionally, almost half of respondents said the cause of the cloud providers’ data breach was due to human error and 43% said it was the result of a cyber-attack.
What is Safe – and What Isn’t – in the Public Cloud?
In the shared responsibility model used by vendors like AWS, Microsoft Azure and Google Cloud Platform, the cloud providers are responsible for protecting the physical infrastructure, network infrastructure and virtualization layer that comprise the cloud platform. The user’s share of security responsibility includes: network security, identity and access control, operating systems and data encryption.
Must-Haves for Cloud Security Protection
Based on the report findings, organizations must make cloud security a top priority, and they can’t expect their cloud providers to handle this responsibility. Additionally, organizations need to have 360-degree visibility of the sensitive or confidential information collected, processed or stored in the cloud which entails clear accountability and centralized control.
The IT security team must ensure lines of business personnel are getting approval to select and use cloud applications.
Once the proper policies are in place, organizations should strive to create one interface to identify and authenticate users in both the on-premises and cloud environments, an encryption platform to secure sensitive and confidential data in motion and at rest, multifactor authentication before allowing access to data and applications in the cloud and event monitoring of suspicious and/or anomalous traffic in the cloud.
Companies also should assess the impact of cloud services on the ability to protect and secure confidential information, assess what information that might be considered too sensitive to be in the cloud and conduct audits or assessments of cloud resources before deployment.
The challenges of keeping up with today’s security demands is overwhelming to many organizations — especially for small to midsize companies and especially in light of the cybersecurity skills shortage crisis.
Offloading cloud security responsibilities to a leading managed security services provider (MSSP) gives you peace of mind when it comes to data protection, compliance and system uptime. Not to mention the cost savings compared to implementing (and maintaining) industry-leading solutions and services internally.
The real challenge is finding a managed services provider that you can trust. One that will act as a true partner to deliver the best possible cybersecurity and disaster recovery.
We’d love to help you with your cloud migration and data protection initiatives. Contact us today and learn how we can make a difference for your organization.