Security Think Tank: Stopping data leaks in the cloud
By Cath Goulding
It seems that rarely a day goes by that an organisation isn’t pulled up for a data leak, and often the culprit is misconfigured cloud environments. This is an issue that seems to transcend business size, sophistication and industry.
In the past few months alone we have seen recruitment companies, major hotel chains and even Facebook fall foul of misconfiguration errors that have left very sensitive data open to potential abuse.
This issue hasn’t passed security professionals by – according to a recent report, 62% of cyber security and IT professionals described misconfiguration as the biggest threat to cloud security. The scale of the problem raises serious questions for how enterprises can maintain data security while utilising the cloud.
Cyber security concerns with the cloud
Cloud adoption has long been on the rise. Indeed, the vast majority (88%) of respondents to Nominet’s recent survey on cyber security in the cloud reported that their organisation was currently engaged in adopting cloud solutions.
A key factor in this growth is that the perception of the cloud being less secure than on-premise storage – one of the early barriers to its adoption – appears to be subsiding. Three in five security professionals now believe the risk of a security breach in a cloud environment is the same or lower than on-premise.
However, that does not mean that security professionals’ security concerns around the cloud have been completely overcome. Some 71% remain either “moderately”, “very” or “extremely” concerned about malicious activity in cloud systems.
Given the number of misconfiguration leaks in the news, it is unsurprising that exposure of customer data was the greatest concern – cited by 56% of security professionals. This beat out the sophistication of cyber criminals (54%), demonstrating that – for security professionals – misconfiguration is actually a bigger worry than attacks.
The safest cloud approach
So how can security teams reduce the risk of a data leak through the cloud? One possible solution goes straight to the foundation of an organisation’s cloud strategy. The data suggests that opting for a single cloud or hybrid cloud approach, rather than a multicloud approach, can reduce the chance of a data breach.
Multicloud – where organisations source their cloud solutions from more than one provider – is the most popular approach businesses are taking, with almost half of the respondents to Nominet’s survey stating that their organisation had a multicloud approach. By comparison, only 24% used a hybrid solution and 29% used cloud services from a single provider.
Yet organisations adopting a multicloud approach were almost twice as likely to have suffered a data breach in the past 12 months than hybrid cloud users and single cloud users. After all, the greater the number of parties handling an organisation’s sensitive data, the greater that organisation’s exposure to risk is likely to be.
Quickly, organisations can lose track of the data they have spread out across multiple providers, each with their own data security settings to configure. This is where mistakes can happen, and sensitive data left exposed.
Bringing security into the cloud
Whatever cloud model a business chooses to use, the crucial message is that organisations need to keep data security in mind from the very start when formulating their cloud strategy. Of course, a key issue here is that security teams are rarely consulted this early on, as cloud transformation isn’t often thought of as the remit of the security team.
If there is anything to be learnt from the recent spate of security incidents, it is that security teams need to be brought into the fold, and gain visibility over the cloud services the organisation is using, to be able to secure it. Failure to do so results in alarming gaps of security visibility, with recently released statistics revealing that 99% of misconfiguration incidents that occurred in a public cloud environment were missed, leaving enterprises and other organisations open to the risk of undetected data breaches.
All cloud service providers offer assurance through their service level agreements (SLAs), of course, but it should fall to an organisation’s security team to take responsibility for protecting its cloud deployment and scrutinising the detail of those SLAs. After all, it is the organisation, and not the cloud provider, that is responsible if a data breach takes place. Internally, the ultimate responsibility will fall on the heads of the security team.
As Greek philosopher Heraclitus said so well, “the only constant in life is change” – cloud adoption and security will be no exception to this. What is clear, however, is that organisations, IT and security teams must take ownership and responsibility to ensure a successful and secure cloud transition project – however large or small, new or similar.
Arguably, securing cloud environments compared to on-premise is not wildly dissimilar, it’s just a different set of questions that need to be asked.