The Increasing Need for Security in the Cloud
October 29, 2019
Cloud, IT Security
Disaster recovery. Business acceleration. Speed to market. Collaboration. Innovation. If you go by what many pundits, industry analysts, and cloud services providers say, everything is better in the cloud — particularly as is relates to businesses.
Cloud resources can scale up and down to meet demand instantaneously, creating unlimited opportunities for businesses and their customers. They enable easier collaboration across different, often very widespread locations. They help reduce costs because businesses are only charged by their cloud service provider when customers are using the platform.
So, it’s not surprising that the amount of cloud activity, as well as the number of cloud services and cloud users, continues to grow. The average organization today generates more than 3.2 billion unique transactions in cloud services each month, ranging from user logins to downloading documents.
More Cloud Usage. More Security Threats.
As is often the case, better doesn't mean perfect. With the increase in cloud usage comes an increase in security threats. It’s not that the cloud isn’t safe. In fact, most cloud services are more secure than most on-premises setups. That’s because keeping their customers’ data secure is the central mission of cloud service providers (CSPs), so they invest in advanced security tools to protect that data.
Nonetheless, the McAfee™ 2019 Cloud Adoption and Risk Report notes that:
- The average enterprise organization experiences 31.3 cloud-related security threats each month. That’s a 27.7% increase over same period last year.
- Organizations experience 12.2 incidents each month in which an unauthorized third party uses stolen account credentials to access corporate data stored in the cloud.
- Organizations experience 14.8 insider threat incidents each month; 94.3% experience at least one per month on average.
- Privileged user threats occur monthly at 58.2% of organizations, at an average of 4.3 each month.
The Rise of Sensitive Data
When security incidents occur, there’s a lot at stake. Much of it has to do with sensitive data. The McAfee™ 2019 Cloud Adoption and Risk Report further notes that:
- Approximately 83% of organizations worldwide store sensitive data in the cloud.
- The percentage of files that contain sensitive data has grown, today standing at 21% with an increase of 17% over the past two years.
- Nearly a quarter of data in the cloud is sensitive.
- Sharing sensitive data in the cloud has increased 53% year-over-year.
- Personal healthcare information (PHI) and password-protected data in the cloud has increased by 16% and 13% respectively over the past two years.
Factors Affecting Cloud Security
If the cloud is so secure, what’s behind the growing security risks? Obviously, with increased cloud usage comes the opportunity for more cloud threats. But the McAfee report also points out some contributing factors.
- Collaboration. It’s one of the business activities that the cloud makes easier. But collaboration means sharing, and cloud users share a lot. The McAfee reports that 22% of cloud users actively share files in the cloud, and 48% of all files in the cloud are eventually shared. Any time sensitive data is shared, the risk to it increases.
- Misconfigurations. Today, 65% of organizations use some form of Infrastructure-as-a-Service (IaaS), while 52% use Platform-as-a-Service (PaaS), such as AWS Lambda serverless computing. The McAfee report found that, on average, enterprises using IaaS and PaaS have 14 misconfigured services running at any given time. That translates to an average of 2,269 misconfiguration incidents per month.
- Too Much Trust; Not Enough Knowledge. In McAfee’s survey, 69% of respondents said that they trusted their CSPs to keep their data secure. Furthermore, 12% claimed their CSPs are solely responsible for securing their data, even though cloud security is a shared responsibility between customers and their CSPs. It’s likely that these companies are leaving security entirely up to their CSPs and not applying their own controls.
- Inadequate CSP Security. CSPs invest in leading-edge security, but not all use comprehensive security. The McAfee noted fewer than one in ten CSPs encrypt data stored at rest. Even less support the ability for their customers to encrypt data using their own encryption keys. Only 19.2% support multi-factor authentication.
Enhance Your Security Posture
There are things you can do to mitigate cloud security risks. The McAfee report cites three:
- Audit all IaaS and PaaS configurations.
- Understand which cloud services hold most of your sensitive data. Extend data loss prevention (DLP) policies to control what can enter or exit them.
- Lock down data sharing. Collaboration controls allow for eliminating risk exposure.
You can also increase your security profile by aligning with the right CSP. Look for one that is audited annually to meet SSAE 18, SOC 1, Type 2, and has completed the SOC 2, Type 1 attestation, which provides third-party assurance to customers that it has the appropriate internal controls and operational procedures in place to protect customer data. If it’s also audited for HIPAA compliance and meets PCI’s standard secure data hosting and processing practices for card holder data, all the better. The CSP should also conduct regular employee IT security training and have a vendor due diligence program.
In addition, make sure you understand the CSP’s shared security responsibility model. Ask about the managed security services it offers, as well as any data protection services, along with the service level agreements that accompany those services.
Things can be better for businesses in the cloud – even data security. The key is to never let your guard down and keep data security a priority.
Learn More
To learn how where your data security and data protection stand, contact US Signal to schedule a technology assessment. Our solution architects will also be happy to discuss managed security services and other solutions to protect your data and optimize your technology assets.