How secure is the cloud in 2020?
By Laura Valentine
Despite increasing levels of adoption by organisations of all sizes, cloud solutions continue to be plagued by misconceptions about their security. It’s still commonly assumed that the cloud offers a less secure option compared to on-premises infrastructure. So, how does it really shape up, and what security challenges face the cloud in 2020?
Mythbusting the cloud
While businesses that keep their data on-site often feel as though they have more control over its security, the flaw in that plan is usually a lack of in-house expertise. The cyber-skills gap is widely documented, leaving almost half of UK businesses unable to deal with even basic security tasks. Unless you can afford a dedicated, specialised on-site security team, chances are your data would be as safe, if not safer, stored by a public cloud provider with access to the best resources and expertise.
The UK 2020 Databerg Report shows that the perception of cloud security is slowly changing. In 2015, 77% of businesses expressed concerns about cloud security, and this has seen some improvement over the last five years – although 59% remain unconvinced. According to the report, the likely reason this mistrust persists is unconnected to the physical capabilities of the cloud. Instead, it lies in the fact that data stored in the cloud always remains the responsibility of the organisation, rather than the cloud provider. If a data breach occurs, the financial and reputational repercussions fall directly on the organisation.
It’s therefore important that businesses seek out a vendor they can trust, with the knowledge and expertise to best secure their sensitive data. Equally important is that businesses educate their employees on best-practice protocols and procedures – human error remains one of the biggest causes of data breaches. With the rise of remote working and BYOD, more and more data is accessed via the cloud, making it harder for organisations to keep an eye on data security. In 2020, 31% of employees took business information outside of the organisation via cloud storage, up from 21% in 2015.
Threat actors are still targeting the cloud
While the cloud does not inherently carry additional risk, it remains a target for cybercriminals. In early 2020, as hackers scrabbled to take advantage of the pandemic, cloud-based attacks rose by 630% between January and April. Verizon’s 2020 Data Breach Investigations Report, however, shows that cloud security still compares favourably to on-premises alternatives. This year, cloud assets accounted for 24% of breaches, compared to 70% of on-prem assets.
Of those cloud breaches recorded, 77% involved compromised credentials. Rather than being a demonstration of inherent weakness in the cloud’s security, this serves to illustrate the huge growth in social engineering attacks, such as phishing scams, that aim to steal privileged access credentials. Credential theft is the quickest and easiest way for cybercriminals to access systems (cloud-based or otherwise), and it is fast becoming one of the worst offenders among the causes of data breaches. According to the latest Ponemon Institute Cost of a Data Breach Report, a fifth of all data breaches are now the result of stolen or compromised credentials. Worryingly, this was found to impact the average cost of a breach by almost $1 million.
The Ponemon report also states that misconfigured cloud servers tie with compromised credentials as the most frequent threat vector. This is confirmed by Verizon’s findings, which show that misconfiguration errors have increased since 2017, to the point where they are now more common than malware and outranked only by hacking. With these statistics in mind, it’s easy to understand why those 59% of organisations remain wary of the cloud. Cloud misconfiguration is the result of human error during setup, and it can leave data exposed or present vulnerabilities that could later be exploited by threat actors. It’s important to make sure your cloud is configured by experts, regularly audited, updated and patched. Responsibility for the cloud, and for its configuration, is shared between an organisation and its service provider, so it’s important to make sure you’re working with the right partner.