The proliferation of data flowing outside of corporate firewalls is creating a security conundrum. Today’s cloud apps offer IT no visibility into who is accessing data, what devices data is being downloaded to, and where data goes after download.
A recent survey of over 1,000 IT security professionals proves that security remains the biggest barrier to cloud adoption. Ninety percent of organizations are concerned about their ability to secure their data in the cloud. For most security professionals, this number is not surprising. Just this week we learned that 52 percent of organizations say their company will most likely be hacked within the next 12 months. It is clear that security should be top of mind for all companies and that all board rooms should be looking to enforce a top-down strategy to protect company data.
Why the Concern?
“We all fear what we do not understand” – Dan Brown
The truth about the cloud is that not everyone values it and accepts its adoption. Some see the cloud as a nuisance rather than as a necessary tool for business enablement and competitive advantage. Some IT professionals believe that cloud adoption and security are diametrically opposed and are unwilling to explore what is necessary to ensure data protection for this new application delivery model. Public cloud apps represent a large, consolidated target for black hatters who have a clear and definite goal – to steal data and either sell it or use it to shame companies and strike fear into the public. Security pros must be willing step up to the front lines and prepare for battle.
Those who are up for the task must adapt quickly. By definition, IT security teams are tasked with protecting their company’s most valuable asset, sensitive data. However, they are running into a major security issue. Data is now accessible not only within a company’s network but also in rapidly growing cloud applications such as Office 365 (which will soon outpace Google Apps), Box and Salesforce. Thirty-six percent of professionals believe cloud applications are less secure than on-premises applications. In other words, the security landscape has changed.
This change has created a control vacuum that IT is attempting to fill by relying on existing security technology, causing them to fall victim to their own inabilities to innovate. “I used it before, I’m sure I can find a way to use it again.” While traditional premises-based security technologies have worked in the past, they are now the pieces of an old game and cannot readily extend to the cloud battlefield. For many in IT security, this is our worst nightmare. And it’s a reality.
What Are the Risks? The Great Misconception.
One of the greatest misconceptions of security is that outside attackers pose a greater risk to sensitive data than insiders. This is simply not true. The 2015 Cloud Security Report proves it. All of the top three security concerns involve improper use of data by employees. In fact, 63 percent of IT professionals believe that the greatest risk to data is compromised credentials and unauthorized access by employees.
Unauthorized access to company data only increases the number of access points that a cyber criminal can leverage to swipe data. It is not uncommon for employees to have access to sensitive data even after they switch roles or leave a company altogether. Combine this issue with the all-too-common weak password problem and you have a pretty tasty recipe for a data breach. This lack of IT hygiene can be the difference between a company that is breached and one that is not. Limit access and you can limit breaches.
This is a stark reminder that companies must have an inward-out security approach rather than an outward-in approach. They must concentrate on topics such as strengthening employee passwords, educating employees on data usage rights and most importantly, they must TAKE BACK CONTROL.
Identifying the Solution. Dipping The Heel In the River.
The first step to finding the solution is admitting that the status quo is not working. The investments IT has made in the past worked for that time, but they are now due for an upgrade. For instance, the perimeter-based approach is no longer effective. Sixty-eight percent of respondents admitted that this strategy is not the answer to cloud security.
The next step is to focus on regaining that control. Having consistent security across IT infrastructures so that you can set and enforce policies across clouds is a must. This will go a long way in helping you restore confidence in your cloud security.
Cloud adoption will inevitably lead to more security risk. This is a reality our industry must be able to come to terms with. Instead of getting hopes up on being able to prevent breaches altogether, companies must implement technologies that will allow them to reduce their level of exposure. IT teams should look at deploying a data leakage prevention tool that can classify data as either “sensitive” or “non sensitive” and put into place additional security measures for all sensitive data leaving the network. Contextual access-control policies are another must-have technology that will determine who should be allowed to see what data, when, and from where.
by Christopher Hines Product Marketing Manager, Bitglass
Bitglass found that more than one third of respondents have experienced more security breaches with the public cloud than with on-premises applications. Moreover, despite the overwhelming majority of respondents being concerned with security, 38% admitted to storing IP and 31% to storing customer data in the public cloud.
About Bitglass
In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, since they were developed to secure the corporate network perimeter. Bitglass is a Cloud Access Security Broker that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise – in the cloud, on mobile devices and anywhere on the Internet.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.