Enterprise IT has more than a decade of experience in cloud computing, yet many organizations still report significant struggles when it comes to securing their cloud deployments.
The reasons for the continued vulnerability to cloud cybersecurity threats are many, and they're persistent. For one, cloud use has shifted cybersecurity responsibilities as it has become more complicated.
"In traditional data centers, the responsibility is with IT; with the cloud, it's shifting more to engineering, developers and DevOps," said Arick Goomanovsky, chief business officer and co-founder of Ermetic, which with research firm IDC recently released a cloud security report.
"With the shift of responsibilities, some things have gotten missed, and it will take time for organizations to address all the issues."
Adoption of public cloud, private cloud and SaaS offerings continues to ramp up, as does the pace of change. Given these numerous changes, security experts said they're not surprised by recent reports that indicate ongoing security issues with cloud deployments.
"The cool thing about the cloud is you can build really cool things really fast, but you can make a lot of mistakes really, really fast as well," said Chad Willaert, principal consultant at the business and IT consulting firm Open Systems Technologies.
Sources of cloud cybersecurity threats
Several recent studies indicated widespread cloud-related cybersecurity issues. The aforementioned 2020 study conducted by IDC for Ermetic, a security firm, reported that 79% of the 300 CISOs surveyed had at least one cloud data breach in the prior 18 months, with 43% reporting 10 or more in the same time frame.
A January 2020 report from security firm McAfee titled Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report also found that 52% of companies use cloud services that have had user data stolen, while 25% of companies have had sensitive data downloaded from the cloud to unmanaged personal devices that lacked oversight over the security of the downloaded data.
Meanwhile, Oracle and KPMG reported in their Cloud Threat Report 2020 that, although 75% of responding IT professionals considered public cloud more secure than their own data centers, 92% do not think their organization is well prepared to secure public cloud services. The study further found that 75% experienced data loss from a cloud service more than once, and 59% said employees with privileged cloud accounts have had their credentials compromised by a spear phishing attack.
Sources of cloud security issues
According to security leaders, there are several notable reasons for such findings:
- a continued reliance on security programs developed for an on-premises IT stack rather than specifically for cloud deployments;
- policies that allow overly broad and unnecessary access to privileged or sensitive data or systems;
- shadow IT, which has expanded as business units can now easily obtain SaaS and other cloud-based resources without going through enterprise IT and security department reviews; and
- technological advances that have led to the delivery of security features that often lag behind business capabilities.
Other factors further exacerbate the challenges of securing enterprise cloud deployments, said Steve Barlock, principal with KPMG's Cyber Security Services.
Scale is one such factor, he said. More enterprises are moving increasing amounts of their workloads to the cloud. They're also moving more sensitive workloads to the cloud. That scale -- just by sheer size -- increases the potential for something to go wrong.
Many organizations also lack the skills and personnel needed to handle all the cloud cybersecurity threats, he said.
Furthermore, experts said many enterprise security teams still struggle with understanding where the cloud providers' security responsibilities end and where the organization's own begin.
"We see a lot of cloud breaches happen because of the mismatch between what customers expect [is] being done and what is actually done," added Sekhar Sarukkai, vice president of engineering at McAfee. "Third-party bad actors are exploiting the seams between the shared responsibility model."
Findings from the Oracle-KPMG report confirmed that challenges remain significant. It found that 69% of CISOs are involved with cloud projects only after a security incident and that only 8% of overall respondents fully understand the shared responsibility model for cloud security.
How to improve cloud cybersecurity
Despite the recent reports highlighting security issues, experts said organizations are indeed making improvements to offset cloud cybersecurity threats.
Goomanovsky said he sees more enterprise security teams advancing their use of cloud-native tools instead of trying to adapt older security solutions. They're also speeding the adoption of automation to better keep up with the volume and velocity that come with modern security operations.
Additionally, enterprise security is continuing to shift its focus away from building perimeters -- a tactic that worked when everything was contained within one's own corporate IT infrastructure -- toward implementing more expansive access and identity management controls that are better suited to cloud security, Willaert said.
Willaert advises enterprise security teams to invest in access solutions that enable connections only for "the right resources at the right times and for the right reasons." To do that, he said organizations need role-based access controls, attribute-based access controls, the principle of least privilege and multifactor authentication.
"Identity is the new perimeter, so having the discipline in place to enable the right things is critical," he added.
Others also stressed the need for stronger security governance through a cloud center of excellence that includes security experts and a push to bring security into cloud initiatives earlier in the cycle -- something known as the shift-left principle.
"You need a clear understanding of what you and what the cloud provider [are] bringing to the table," Barlock said, adding that the onus to understand that shared responsibility model and, ultimately, to ensure the data is protected remains with the enterprise itself.