Thales reported Wednesday that 40% of organizations globally have experienced a cloud-based data breach in the past 12 months.
The new study, conducted by 451 Research, also found that despite an increase in cyber attacks in the cloud, about 83% of organizations still fail to encrypt half of the sensitive data they store in the cloud.
Even when companies protect their data with encryption, the study found that 34% leave control of the keys to service providers rather than retaining control themselves. And in one of the security industry’s most sobering data points, 48% admitted their organization didn’t have a zero trust strategy, and 25% said they weren’t even considering one.
This research indicates that with today’s cloud and SaaS platforms, users no longer access data solely through the corporate network, said Brendan O’Connor, co-founder and CEO at AppOmni. O’Connor said that corporate users now access data through third-party applications, in-home IoT devices, and portals created for external users such as customers, partners, contractors and managed service providers (MSPs). When using these channels, they often bypass the corporate network completely.
“While companies are keen to use these access points to augment the functionality of their cloud and SaaS systems, they often neglect to secure and monitor them in the same way they have secured access from the corporate network, leading to major access vulnerabilities being completely unknown to the company,” O’Connor said. “As the complexity of cloud and SaaS environments — and their associated security configurations — will only continue to increase, companies will need to use automated tools to ensure that their security settings align with their business goals, and to constantly monitor security controls to prevent configuration skew.”
Sario Nayar, CEO of Gurucul, said collecting and storing sensitive data in the cloud represents a drastic change from just a few years ago, when organizations tended to shy away from doing so. Now the dynamic has changed, Nayar said, as IT has found that storing data in cloud databases is cost-effective and convenient, and individual users don’t necessarily know where their data is coming from.
“Continuous training, awareness, and attention are keys to protecting sensitive data in the cloud,” Nayar said. “IT must have intimate knowledge of cloud security practices and how this affects their applications and data. Data consumers must know where their data is stored so they can make smart decisions about how they handle that data.”
Saumitra Das, chief technology officer at Blue Hexagon, added that there are two reasons for the increase in cloud security breaches: first, cloud security is often left in the hands of developers who are not security experts; second, the pandemic created a very rapid transition to the cloud, and each cloud has its own terminology and subtleties.
“There are limits to a left-shift-only security approach, so there needs to be more focus on actually detecting active attacks rather than just getting tough,” Das said. “Finding people who are qualified to write and publish apps in multiple clouds is a challenge and misconfigurations will continue to occur due to this underlying issue.”