Stay grounded as cloud security becomes more complicated.
The great migration advances as businesses continue to flock to the cloud for their IT and processing resources. The potential benefits are real; businesses have access to options they might not otherwise be able to afford, delivered with convenience and scalability.
Yet, no one should assume cloud adoption means information is automatically secure. Selecting a cloud service provider doesn’t eliminate security concerns; companies still must implement appropriate controls such as encryption, multi-factor authentication, access and key management, as well as CIA security controls for ensuring confidentiality, integrity and availability.
Still, even as cloud security becomes more complicated, new challenges arise. Internally, IT departments are finding that they not only lack control over data in the cloud, but that their budgets have changed as organizations reevaluate investment strategies. Then there are external forces, such as the European Union’s General Data Protection Regulation (GDPR), which could not only impact storage practices but also shape cloud governance.
The one constant? Companies must protect corporate and customer data, and if they fail to do so, a deadly combination of fines, damaged reputation and backlash could bring everything crashing down to earth.
Recently, my employer, Gemalto, along with the Ponemon Institute, released the 2018 Global Cloud Data Security Study. First released in 2015, this year’s edition included findings from a survey of 3,200 IT and IT security practitioners worldwide regarding data governance and security practices for cloud-based services. In it, several key trends emerged, a few of which are detailed below to provide some insight into current and future challenges.
For starters, many organizations don’t appear to be fulfilling their commitment to cloud data security. According to the 2018 survey, 67 percent of respondents said their organizations are committed to protecting confidential and sensitive information in the cloud. However, 53 percent don’t agree their companies have a proactive approach to compliance, with 57 percent feeling their organizations aren’t careful enough when sharing sensitive information with third parties. Approximately half worry most about security of payment information (54 percent) and customer information (49 percent). Yet, 88 percent are concerned the European Union’s GDPR will demand even more – and that’s coming from many organizations that are already struggling.
Complicating this is a trend indicating IT departments are losing control of cloud security practices and budget. The average percent of corporate IT spending controlled by the IT department has declined from 53 percent in 2016 to 40 percent in 2017. Functions outside of IT are now deploying an average of 58 percent of cloud services, a significant increase since 2016. The average percent of corporate data stored in cloud environments and not managed by IT has also grown from 44 percent to 53 percent.
With greater challenges – set against diminishing IT control and less ability to do something about it – it’s only natural to assume that vulnerability is increasing.
There are signs of progress. In the recent study, respondents reported that the difficulty of protecting confidential information when using cloud services has decreased in some key areas. Fifty-four percent said it’s more difficult to defend cloud data – down from 60 percent the previous year. Difficulties in restricting end-user access also decreased from 53 percent to 51 percent. Even so, these minor gains are being offset. Seventy-one percent said it’s difficult to apply conventional information security principles to the cloud, with 62 percent feeling cloud resources are increasing compliance risk. And while 61 percent noted their organizations now evaluate cloud provider security capabilities prior to engagement, 67 percent cite an inability to directly inspect cloud providers for security compliance as a source of “difficulty.”
So what tools and technologies are going to help? Encryption and access management solutions are showing promise. According to the survey, 77 percent of respondents think the ability to encrypt or tokenize sensitive or confidential data stored in the cloud is important; more than nine in ten said this will grow in importance in the next two years. As a baseline, 47 percent of respondents now say they use encryption or similar tools to secure data at rest in the cloud, with 58 percent reporting encryption is used for data sent and received by the cloud provider. Encryption or tokenization of data within cloud applications also increased from 28 percent to 36 percent during the past two years.
Another area growing in importance is user access control and access management to data stored in the cloud. The ability to control strong authentication prior to accessing data and applications in the cloud increased from 73 percent to 81 percent over the past few years. In addition, 53 percent of respondents report multi-factor authentication is used to secure access to data in cloud environments by their organizations. Just shy of that, 47 percent say they’re using multi-factor authentication for employee access to the cloud.
The cloud security landscape will continue to evolve and these findings are only a snapshot of the study. That said, the key takeaway is this: enlisting a cloud service provider does not eliminate security concerns and assuming it does could be the biggest mistake a company makes.
Stay grounded. Make sure your company doesn’t become lost in the hype, because even though there’s a lot to be gained, there’s everything to lose if you get cloud security wrong.
This article also appears on CSO Online.