Nearly 50% Of Businesses Had a Cloud-Based Data Breach or Failed Audit
In the 2022 Thales Global Cloud Security Study, commissioned by Thales and conducted by 451 Research, reported that 45% of businesses it surveyed have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year.
The new report also found that there’s been a notable expansion in the use of multiple infrastructure-as-a-service (IaaS) providers, with almost three-quarters (72%) of businesses using multiple IaaS providers, up from 57% the year before. And, the use of multiple providers has almost doubled in the last year, with 1 in 5 (20%) of respondents reporting using three or more providers.
Organizations leverage cloud computing to reduce compute costs and to rapidly provision new computing resources for the purpose of supporting evolving business needs. Cloud-based technologies provide opportunities to go to market quickly, allowing enterprises to reach stakeholders and customers faster.
Over the past 10 years, cloud computing has transformed into a foundation of the IT industry, adding the power of virtualization, storage, hosting, and other networking services. However, despite AWS, Azure, Google Cloud, and others’ attempts to secure their client’s data the cloud environment is vulnerable to cyber-attacks. In 2021, in the same report, forty percent of organizations reported cloud security breaches.
Most Organizations Fail to Encrypt Sensitive Data
Despite these incidents, the vast majority (83%) of businesses still fail to encrypt half of the sensitive data they store in the cloud. According to the study, one-fifth (21%) of businesses host most of their sensitive data in the cloud. The study found some common trends as to where companies turn when considering how to secure their cloud infrastructure, with 33% reporting multi-factor authentication (MFA) as a central part of their security strategy. However, only 17% of those surveyed have encrypted more than half of the data they store in the cloud. The percentage declines further to 15% when organizations leverage a multi-cloud approach.
Security leaders appear to share common concerns about the increasing complexity of cloud services as 51% of those surveyed agree that it’s more complex to handle privacy and data protection in the cloud. Further, because of the trend to multi-cloud, the transition has become more complex, with the percentage of respondents reporting that a simple any plug and play migration tactic has dropped from 55% in 2021 to 24% today.
Cloud services are extremely easy to acquire, and many employees sign up for free services including Box, Dropbox, Google Drive, and others that IT does not know they are using. Because of the increase in remote work and IoT It has become very common for elements of the business to operate using some degree of cloud storage and or applications that are not subject to the same controls as IT-managed ones.
Organizations Treat Cloud Security Different than On-Prem
Securing data in the cloud differently than security data that is stored in systems on-prem makes data breaches almost inevitable because it is much easier to share documents and data with people outside of the organization. As a result, many breaches have been the result of cloud storage with access permissions that IT would have shut down had they known the application was being used.
Treating cloud infrastructure differently than traditional on-prem is where many organizations start to create weaknesses in their security program, said Matthew Warner, co-founder, and CTO at Blumira, a detection and response organization that serves small businesses, said it’s often very easy to move into cloud services and assume that because you’re paying for the compute and support, it should also be secure by default.
“In reality, cloud becomes another vertical of infrastructure and effort that security teams must maintain, monitor, and validate by new processes in an environment,” Warner said. “CISOs must apply the same level of policy and process to cloud security and ensure that their environment aligns to baseline security expectations — otherwise the creation of unknown tech debt and risk will only grow. Instead of changing strategies to accommodate the evolution of infrastructure, update your existing policies and processes to mitigate risk and secure these complex cloud environments.”
Dominick Eger, Field CTO at Anjuna Security the maker of “Confidential” computing software geared to protect cloud-based data, said that “the industry needs to simplify the way teams can protect data in-use, data-in-transit, and data-at-rest so that security pros can minimize these types of exposures and the attack surfaces associated with them are reduced down to a smaller footprint.”
“What needs to change in our industry is the over-complexity of hybrid-cloud, trying to ‘lift-and-shift’ on-prem technologies into the cloud without sufficient protection, and having a baseline of security requirements that can be adaptable regardless of cloud or technology,” Eger said. “With numbers like 45% of companies experiencing data breaches it really shows that we still have a lot of work to do to protect data and people’s privacy.”
Multi-Cloud and Hybrid Environments are Increasing Security Complexity
Nearly half (46%) of global respondents claim managing privacy and data protection in the cloud is more complex than on-premises solutions.
Hybrid models have become standard as the majority of organizations have not moved completely to the cloud. According to the 451 study, the majority (55%) of businesses indicate a preference for a ‘lift & shift’ or plug and play approach to cloud adoption over re-architecting the network and subsequently their security strategy.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a cloud identity security vendor, says, “These findings are yet another reminder that as organizations transition to cloud services, which has accelerated as a result of the pandemic, cannot treat cloud services the same as traditional on-prem services. This is especially true for security. Organizations adopting cloud services must also adopt a cloud security strategy designed to reduce the risks of cloud assets, such as data encryption, multi-factor authentication (MFA), and privileged access security.
Carson adds, “Cybercriminals and nation-state attackers are targeting cloud services more than ever before, and consequently, organizations must prioritize cloud security to make it difficult for attackers to be successful. Cloud services typically have modern security by design; however, while it is by design, it is also off by default. Therefore, organizations must evaluate what security is available and ensure they move to security by default.”
Conclusion
We certainly don’t want this conclusion to be a commercial for MSSPs like us, however, as cloud adoption continues to grow and more and more workloads are migrated to cloud architectures, cybersecurity is only going to become more complicated. While it’s far too expensive and cumbersome for many businesses to handle all of their security in-house. Security in the cloud requires a clean integration of a patchwork of solutions, including identity management for mobile workforces, threat intelligence, DNS filtering, next-gen firewalls, and advanced endpoint protection that in many cases are different than on-prem security solutions.
Existing routers, firewalls, or SD-WAN edges can connect to the cloud-delivered security platform where policies are globally applied to ensure consistent security and a seamless user experience. Security teams should look for partners with a comprehensive secure access service edge (SASE) solution that enables consistent cloud-delivered security from the multi-cloud architecture and provides users with the best quality of experience. As digital transformation initiatives and cloud usage increase, organizations must ensure that any cloud strategy encompasses performance, connectivity, and security for branch offices, home offices, retail locations, and mobile users.
To Learn More About How to Secure Your Cloud Solution Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://secureops.com/contact-us/