Who is responsible for security in the Public Cloud? asks Nick Bowman, EMEA Senior Manager, CyberArk.
For a long time, companies have avoided storing any sensitive data in the cloud for fear of data loss or breaches. But as the pressure is mounting to deliver digital transformation and keep pace with market trends, an increasing number of organisations have relaxed their policies and started storing critical data in the public cloud.
The CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud revealed that 49 percent of companies are storing SaaS-based business critical applications into the public cloud. These include customer facing (revenue generating) applications, ERP, CRM or financial management software. Furthermore, 45 percent put customer data subject to regulatory oversight (e.g. GDPR) into the public cloud and 39 percent use the cloud for internal development, including DevOps.
Moving data to the cloud is positive news for digital transformation initiatives, but the risk for organisations is to jump towards it too quickly without considering security, and who is responsible for it.
Who is in charge of security?
Indeed, the CyberArk report showed that 36 percent of companies believe that the burden of risk concerning information security is borne entirely or in part by the cloud provider. In reality, cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to expand security services to protect their evolving cloud platforms – but it is still the customers’ responsibility to secure their data within these cloud environments. In the event of a data breach, the business will be held accountable and answer to regulators, customers and other stakeholders – not the cloud provider. And yet, three quarters of respondents from the CyberArk report entrust the security of their cloud workloads completely to the cloud vendor, ignoring the shared responsibility policies cloud providers adopt. At the same time, half this number realise that this will not provide them with broad protection – and yet, they do it anyway.
This leaves organisations open to significant risks for data loss and breaches, and unauthorised access to critical confidential information. The study further showed that 94 percent of companies have actually reported some kind of security vulnerability in their public cloud usage.
So, why are companies consistently placing the security responsibility on cloud vendors, rather than address the issue themselves? A plausible answer is that most organisations haven’t evolved their security culture to keep up with emerging cyber threats. Cloud security should be a multi-layered approach, incorporating both security tools and protocols the enterprise and employees need to follow. These security protocols help ensure workers don’t become a security risk themselves. Unfortunately, most organisations are still stuck with outdated, legacy security systems and policies that simply can’t adapt to the cloud environment
Privileged access
A potential solution that could reduce the security risks companies are exposed to in the cloud is creating a privileged accesses security strategy that would prevent attackers from gaining access to sensitive data within the cloud infrastructure. Unsecured credentials pose a significant threat to businesses – even a low-level credential like username and password to a person’s work station is enough for a sophisticated criminal to gain access to confidential data. On top of this, attackers gaining access to unsecured privileged credentials can easily move across the entire cloud infrastructure, gaining full access to an organisation’s data and assets.
Surprisingly, the CyberArk study shows that only 38 percent know that credentials, secrets and privileged accounts in IaaS and PaaS environments actually exist. And most of them won’t think of protecting them until it’s too late. But considering that the average cost of a data breach is around £2.9 million, according to IBM’s Cost of Data Breach Study, it is not in the companies’ best interest to ignore securing privileged credentials and only rely on the cloud vendor to protect organisations’ sensitive data.
Increasing awareness and developing a privileged access security strategy must be a business initiative for any company that wants to protect its sensitive data in the cloud and leverage the full potential of transformative technologies. Furthermore, security testing should be continuous across the entire digital ecosystem. By running automated and continuous testing companies will be able to identify if cloud data is being accessed by anyone maliciously in real-time and save the organisation from potential attacks.
Such considerations cannot be left solely to the responsibility of cloud vendors, especially when new cyber threats are emerging every day and criminals are becoming increasingly sophisticated. It’s high time for organisations to take ownership of their cloud security strategies and learn how to protect critical data if they want to enjoy long term success.
