Many cybersecurity leaders today express greater levels of confidence than ever before in their cloud security posture. Cloud security tools have greatly matured over the last few years and that, combined with the inevitability of cloud dominance in modern IT, has helped them reach a wary acceptance of the new normal. Nevertheless, recent research indicates that security pros are still dealing with some significant cloud risk factors that justifiably give them heart palpitations now and again.
Released just this week, the 2019 Cloud Security Report written by Cybersecurity Insiders on behalf of Delta Risk found that 84% of security pros are at least moderately confident in their cloud security posture, with more than one in three organizations stating they’re very or extremely confident. However, that good news was tempered by the study’s additional findings.
The report showed that the number of organizations experiencing public cloud-related security incidents in the last year rose by 10 percentage points up to 28%. Those incidents were fairly evenly split up between data exposures at 27% of organizations, malware infections at 20%, account compromises at 19%, and vulnerabilities exploited at 17% of impacted organizations.
This rise in incidents is likely a reflection of the rapid growth in cloud proliferation, along with the growing pains security teams are experiencing as they scramble to keep up with the changes.
“Security teams must reassess their security posture and strategies, and address the shortcomings of legacy security tools to protect their evolving IT environments,” said Holger Schulze, CEO of Cybersecurity Insiders.
According to Enterprise Strategy Group’s 2019 Public Cloud Trends report, public cloud is no longer the domain of nice-to-have SaaS applications and tertiary QA systems running on IaaS or PaaS environments. The percentage of enterprises running production applications in the cloud has almost doubled in the last four years, with nearly half of organizations now running live software in the public cloud. What’s more, almost four in 10 organizations now say they work under a cloud-first mentality where they will stand up new applications in the public cloud by default, unless someone in business or IT argues compellingly not to do so.
These numbers show why the security sticking points that still remain in cloud environments are higher stakes than ever. The following are the three biggest problem areas.
Worries about data leakage have consistently ranked as the number one security concern among those interviewed for Cybersecurity Insiders reports over the years. The 2019 study showed 64% of security professionals name that as a top concern, with the corollary concern of data privacy and confidentiality right on its heels with 62% of respondents naming it a problem.
That level of concern is understandable given how much sensitive data now resides within public cloud environments. According to the SANS Institute’s 2019 Cloud Security Survey released last month, approximately 76% of organizations today run business apps and data on cloud resources. The most prevalent types of data stored in the cloud by these organizations include business intelligence, intellectual property, and customers’ personally identifiable information (PII).
Lack of Visibility
One of the big issues that exacerbates data leakage worries is the lack of visibility and control organizations are able to extend out into the cloud. A different study released by the Cloud Security Alliance last month found that three-quarters of organizations with public cloud assets report security visibility as a challenge. It’s a problem whose root cause is likely wrapped up in the ineffectiveness of traditional security tools within cloud environments. Approximately 66% of respondents to the Cybersecurity Insiders report said that traditional security solutions either don’t work or have limited functionality in the cloud. According to the SANS study, the penetration of API usage to implement security controls in the cloud is still fairly low, with just 44% of organizations working on those integrations.
SANS also found that fewer than 28% of organizations have been able to integrate the forensics and incident response tools they use internally with their public cloud environments. That’s a big factor in stymying visibility and slowing down incident response times when attacks target cloud-based assets. Frustrations around incident response were echoed by respondents to the Cybersecurity Insiders report, 29% of whom voted incident response as one of their biggest cloud security concerns. Tellingly, some 25% were hard pressed to even know whether their cloud environments had ever been hacked.
Identity and Access Control
Identity and access management (IAM) fears still abound in the cloud. The most recent Cybersecurity Insiders report showed that 39% of security pros say that accidental exposure of cloud credentials is one of their top security concerns, and the report found that improper access controls are the biggest perceived vulnerability to cloud security, named by 42% of respondents. And, indeed, unauthorized access by outsiders into cloud environments is on the rise: according to SANS, these incidents have risen from impacting 19% of organizations two years ago to 31% of organizations today. The SANS report showed that credential hijacking is now the number one type of security incident to affect organizations today. SANS also found that the approaches to extending IAM to the cloud are still all over the map, with no one dominant front-runner. For example, 24% of organizations use in-house IAM suites that integrate with public cloud, 35% use an IDaaS provider for federated access, and 52% synchronize in-house directories to public cloud directory services.
In addition to IAM, misconfigurations of cloud platforms are also one of the top perceived vulnerabilities in the cloud. That was named by 40% of the Cybersecurity Insiders survey participants as a big flaw today. That perception isn’t misplaced. According to SANS, security misconfigurations were the number two cause of security incidents in the last year.