All over the world, organisations have started moving critical data and applications to the cloud to benefit from increased efficiency, better scalability, improved agility and advanced security.
CyberArk’s Global Advanced Threat Landscape Report 2019: Focus on Cloud found that 94 percent of the 1,000 global organisations surveyed used cloud services in some way, shape or form.
And while cloud adoption generates great benefits for the business, many companies tend to forget that migrating to cloud also disrupts the traditional cybersecurity models they have built up over years.
Traditionally, businesses utilised public cloud to store low-level, non-sensitive data, but as technology evolved and companies had to accelerate their digital transformation, an increasing number of organisations have started to store more and more sensitive data in the cloud – but their security strategies haven’t kept up.
The CyberArk report revealed that 49 percent of companies are storing SaaS-based business critical applications into the public cloud. These include customer facing (revenue generating) applications, ERP, CRM or financial management software. Furthermore, 45 percent put customer data subject to regulatory oversight (e.g. GDPR) into the public cloud and 39 percent use the cloud for internal development, including DevOps.
Unless on-premises security strategies are extended to the cloud, this leaves organisations open to significant risks for data loss and breaches, and unauthorised access to critical data and applications.
Keeping critical data safe
Confusion exists over who is responsible for security in the cloud. Although cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to expand security services to protect their evolving cloud platforms, as they make abundantly clear, it is still the customers’ responsibility to secure their data within these cloud environments.
And yet, according to the report, three quarters of respondents entrust the security of their cloud workloads completely to the cloud vendor. At the same time, half this number realise that this will not provide them with broad protection – and yet, they do it anyway. As competition increases in the cloud vendor space, many players try to get ahead by cutting down on security costs. But organisations are leaving their entire cloud security strategy to vendors – a dangerous move.
A potential solution that might reduce the security risks companies are exposed to in the cloud is creating a privileged accesses security strategy that would prevent attackers from gaining access to sensitive data within the cloud infrastructure.
Unfortunately, only38 percent know that credentials, secrets and privileged accounts actually exist in the cloud. And most of them won’t take such measures until it’s too late – as the IT and cloud solution provider PCM found our earlier this year when hackers gained access to the company’s critical data with stolen PCM administrative credentials used to manage client accounts within Microsoft’s Office 365.
So, why are companies consistently placing the security responsibility on cloud vendors, rather than address the issue themselves? One reason is that the organisations’ security culture is not keeping pace with the threat landscape.
Without the right security culture and protection in place, many businesses and IT stakeholders are putting their applications and organisations at risk. A risk that can come at a very high price considering that the average cost of a data breach is around £2.9 million, according to IBM’s Cost of Data Breach Study.
To avoid such damaging costs, organisations should treat their cloud infrastructure just as they would their on-premises assets and apply the same security principles of vulnerability and security assessment.
Furthermore, security testing should be continuous across the entire digital ecosystem. By running automated and continuous testing companies will be able to identify if cloud data is being accessed by anyone maliciously in real-time and save the organisation from potential attacks.
As cloud-based infrastructures become mainstream, it is essential to understand the associated security vulnerabilities and how best to secure company data and the applications that house and manage it. Such considerations cannot be left solely to the responsibility of cloud vendors, especially when new cyber threats are emerging every day and criminals are becoming increasingly sophisticated. It’s high time for organisations to take ownership of their cloud security strategies and learn how to protect critical data while exploiting the speed and agility that cloud services provide.
About the Author
Nick Bowman, EMEA Senior Manager, CyberArk. I am a communications specialist working within the IT industry with a particular focus on cybersecurity and the enterprise IT initiatives it underpins, especially cloud and networking. I have over a decade’s experience in public relations and analyst relations, over traditional and digital channels.