Steve Zurier | scmagazine.com »
Thales on Wednesday reported that 40% of organizations globally have experienced a cloud-based data breach in the past 12 months.
The new study, conducted by 451 Research, also found that despite the increase of cyberattacks in the cloud, some 83% of organizations still fail to encrypt half of the sensitive data they store in the cloud.
Even when companies protect their data with encryption, the study found that 34% leave the control of keys to service providers rather than retaining control themselves. And, in one of the more sobering data points for the security industry, 48% admitted that their organization does not have a zero-trust strategy, and 25% say they aren’t even considering one.
This research points out that with today’s cloud and SaaS platforms, users no longer access data solely through the corporate network, said Brendan O’Connor, co-founder and CEO at AppOmni. O’Connor said corporate users now access data through third-party apps, IoT devices in the home, and portals created for external users like customers, partners, contractors, and managed service providers (MSPs). In using these channels, they often completely bypass the corporate network.
“While companies are eager to use these access points to increase the functionality of their cloud and SaaS systems, they often neglect to secure and monitor them in the same way they’ve secured access from their corporate network, leading to major access vulnerabilities that may be completely unknown to the company,” O’Connor said. “Since the complexity of cloud and SaaS environments — and the associated security configurations — will only continue to increase, companies will need to use automated tools to ensure that their security settings match their business intent, and to continuously monitor security controls to prevent configuration drift.”
Collecting and storing sensitive data in the cloud represents a sea change from just a few years ago, where organizations tended to shy away from doing so, said Saryu Nayyar, CEO of Gurucul. Nayyar said now the dynamic has changed, as IT finds it cost-effective and convenient to store data in cloud databases, and individual users don’t necessarily know where their data comes from.
“Ongoing training, awareness, and attention are keys to protecting sensitive data in the cloud,” Nayyar said. “IT has to have an intimate knowledge of cloud security practices and how that impacts their applications and data. And data consumers should know where their data is stored so they can make intelligent decisions on how they treat that data.”
Saumitra Das, CTO of Blue Hexagon, added that there are two reasons for the increase in cloud security breaches: Cloud security has too often been left in the hand of developers who are not security experts. And the pandemic created a very fast transition to the cloud and each cloud has its own jargon and subtleties.
“There are limits to the shift-left only security approach, so there needs to be more focus on actual detection of active attacks rather than just hardening,” Das said. “Finding qualified people to write applications and deploy them in multiple clouds is a challenge and misconfigurations will continue to happen because of this fundamental issue.”