More than 80 percent of IT professionals in Sweden are concerned with the security of the public cloud, and almost 40% do not deploy security for sensitive data stored outside the company’s infrastructure, according to a recent Bitdefender survey. More than half of CISOs admit cloud migration has significantly expanded the size of the border they have to defend, while only one in eight percent encrypt already migrated data.
These are some of the findings of a survey released today by security firm Bitdefender. The study explores the pressures cloud migration place on 1,051 IT security professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany. As EU’s General Data Protection Regulation (GDPR) goes into effect on May 2018 — roughly eight months away — many organizations still find themselves struggling to comply. The new requirements include that data be protected adequately, and when breaches do occur organizations had better have notification capabilities in place that align with GDPR standards.
The increasing adoption of hybrid cloud -- a mix of public cloud services and privately owned data centers, already in place for 70 percent of companies on a global level – is giving rise to new security challenges and prompting CISOs to adopt different technologies to fight zero-day exploits, Advanced Persistent Threats, and other devastating types of cybercrime.
Hybrid cloud brings hybrid issues
Some 75 percent of Swedish CISOs say security software is the most effective security mechanism to secure public-cloud-stored data, followed by encryption (mentioned by 62 percent of respondents) and backups (trusted by almost half of those surveyed).
According to the survey, most companies in Sweden – more than half - secure 21 to 50 percent of data stored in the public cloud, while only 12% encrypt all data stored there. Another area of concern is that ten percent of CISOs do not deploy security in the public cloud, while 32 percent do not encrypt in-transit data from their own data center to an external one.
Bitdefender security specialists recommend that any data transfer between the client and the cloud service provider be encrypted to avoid man-in-the-middle attacks that could intercept and decipher all broadcasted data. Beyond that, any data stored locally or in the cloud should be encrypted to make sure cybercriminals cannot read it, in case of data breaches or unauthorized access.
To become GDPR compliant, companies need to identify data that falls under the regulations’ control – “any information relating to an identified or identifiable natural personal” –, document how this data is secured, and create incident response plans.
The survey also shows that 82 percent of IT decision makers use a security solution developed for endpoints to protect physical and virtual infrastructures, but 16 percent have implemented separate tools. Out of those, 63 percent cite compliance with internal and regulatory requirements, 84 percent do it to protect sensitive customer and consumer data, and 52 percent want to prevent service interruptions resulting from attacks.
Tailor-made security against crafted cyber weapons
Bitdefender security specialists strongly advise CISOs to use a security solution specifically designed for the infrastructure it will run on (physical or virtual) instead of a single tool for three main reasons:
- It generates overhead: installing an endpoint solution on different virtual machines hosted on the same servers impacts resources by continuously running redundant apps, like security agents
- It significantly reduces performance: security tools tailored for virtual environments use optimized agents that integrate with a security virtual appliance on server/servers, so previously scanned files are not rescanned each time a user needs them
- The typology of attacks is different: boot time security-coverage gaps leave the system vulnerable to malware attacks. As a result, virtual environments often face more sophisticated cyber weapons, such as advanced persistent threats, and targeted attacks, aiming at both companies and government entities (such as APT-28 and, just recently, Netrepser). In this respect, security for virtualized environments is by far the most effective way to detect and fight these complex tools.
What’s stored in the public cloud must not go public
Companies in Sweden mostly store in the public cloud financial information (55 percent), information about clients (48 percent), and product information and specification (44 percent) and avoid storing off-premise what they perceive to be more sensitive data, such as research about competition – 37 percent; backups – 36 percent; intellectual property – 31 percent. Thus, companies encrypt more often financial information, product info and specs, and information about clients, than backups (34%), research into competitors (26%) and intellectual property (25%).
“The risk of being GDPR non-compliant means not only negative publicity and damage to the companies’ reputation as it has been until now, but also penalties that can total up to 4% of a company’s global annual revenue,” Bitdefender’s Senior eThreat Analyst Bogdan Botezatu says. “With 2017 having already set new records in terms of magnitude of cyberattacks, boards should be aware that it’s only a matter of time until their organization will be breached since most still lack efficient security shields.”
Bitdefender security specialists recommend that, when opting for a hybrid cloud solution, an organization must analyze the type of data it handles and evaluate it based on its sensitivity – both for the company and its clients. Critical, personal and private data related to intellectual property must be stored on premise, with access only to authorized personnel. Organizations that handle sensitive or confidential data, or data related to intellectual property, need to ensure their private cloud infrastructure remains private. No one outside the local network should be able to access that data and only authorized personnel should be vetted for handling it. The private cloud needs to be completely isolated from public internet access to prevent attackers from remotely accessing the data through security vulnerabilities.
In terms of security challenges, 42 percent of Swedish CISOs say that public cloud is their major concern, while 39 percent are concerned by private cloud. Another 3 percent say they are equally concerned about both, and 14 percent admit hybrid cloud is their major area of concern.
Lack of infrastructure-agnostic security, lack of predictability, lack of control over backups and snapshots and lack of visibility are perceived as top security challenges of cloud adoption by half of the companies surveyed.