One of the biggest issues with cloud security arguably has very little to do with technology. Most breaches involving the cloud are generally the result of one misconfiguration or another, or lack of processes for implementing and maintaining the best cloud security processes.
In theory, that shouldn’t be a big deal if the files being stolen are encrypted. Confidential data, from credit card numbers to health records to military secrets, should be able to move from one network to another without being compromised by data breaches, denial of services (DoS) attacks and other threats.
But new research from US company Vera Security confirms what most cybersecurity professionals already know all too well – installed encryption protects only 4 percent of breached files. It appears most end users can’t seem to be bothered with encryption.
Despite all warnings to the contrary, unencrypted data is strewn across the extended enterprise. In fact, only 35 percent of survey respondents have encryption built into security processes and procedures across the company. In addition, only 26 percent employ digital rights management, which could be employed to revoke access rights to a file.
Even when organisations do embed encryption into their processes, end users still seem to find a reason to evade whatever cloud security controls are in place. It’s little wonder that cybersecurity professionals consider cloud computing insecure.
The reason they feel that way has nothing to do with the cloud services being employed. Rather it’s about how end users employ those cloud services. Once an end user engages in risky behaviour in the cloud, cybersecurity professionals generally lack the tools to do anything about it.
In contrast, when a mistake gets made in an on-premises environment, cybersecurity professionals can usually limit access to any and all offending files.
Get on the right track
Unfortunately, this problem is only likely to get worse before it gets better. Recent research conducted by MarketCube (commissioned by Ping Identity) found that more than 27 percent of respondents experienced a breach of customer identity data stored in a public cloud, on-premises or in a SaaS application provider’s cloud. Among those respondents, 41 percent said a lawsuit was subsequently filed, while 29 percent dealt with the repercussions of a legal investigation.
Both studies would suggest that when it comes to securely storing data many organisations are their own worst enemies. Internal IT organisations are often part of the problem.
Conducting a security audit is a great way to get a company on the right track towards protecting against a data breach and other costly security threats, however, a lot of organisations we speak with either aren’t putting them into practice or don’t do them frequently enough. The problem is that most of these audits are conducted by internal IT organisations rather than third-parties. This is roughly equivalent to internal IT organisations grading themselves.
Audits can also be disruptive. Just about every IT professional views an audit of any kind as a waste of their limited time. In fact, many of them would almost rather be doing almost anything else.
It’s time for IT organisations to start thinking about security audits as a continual process rather than an event. These audits shouldn’t be seen as a chore or unwelcome interruption to day-to-day network administration. They fulfil an important role in ensuring policies and procedures are being followed and the business is in compliance with relevant standards and legislation.
Of course, it helps tremendously if organisations invest in artificial intelligence (AI) or visualisation tools that help automate a lot of the discovery process.
Avoiding the next major breach
Between the willingness of IT organisations to cut corners and poor end-user behaviour, cybersecurity professionals are clearly in a tough spot. There’s much work to be done when it comes to securing business processes that extend to the cloud. Cloud computing obviously isn’t going away any time soon.
The challenge cybersecurity professionals face when it comes to the cloud is getting their organisations to first take basic reasonable precautions at the very least and then actually check to make sure policies are being followed. Otherwise, it’s simply a matter of when, rather than if, before the next major cloud security breach inevitably occurs.
Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks.