Security executives recognize that most business technology systems will be maintained in a cloud environment moving forward but are concerned that security teams are not equipped to manage the associated risk, according to a recent study from CyberRisk Alliance Business Intelligence (CRA BI).
Even as some organizations learn and adopt “cloud-first” frameworks and procedures, others simply lift and shift their current applications to the cloud with little to no customization, creating the potential for significant long-term risks to their security posture. The data and insights in the report are based on a survey conducted in April 2022 of 300+ IT and cybersecurity decision-makers and influencers in the United States, with respondents drawn from organizations of all sizes and industries.
Key findings:
- Thirty-seven percent (37%) of respondents reported their organization experienced a cloud-based attack or breach in the last two years. On average, this amounted to four attacks per victim since 2020.
- The number of cloud assets/workloads is growing among companies, with 55% of respondents running up to 50 assets/workloads in the public cloud and 56% on hosted clouds; on average respondents maintain 66 assets in either public or hosted clouds.
- As cloud-based assets/workloads increase, 50% of respondents are very concerned about their ability to secure their cloud systems, with 72% “extremely” or “very” concerned.
- When it comes to the top data security concerns in the cloud, respondents cite the following: lack of detection/response, compromised users, misconfiguration, and inability to monitor changes within cloud environments.
CRA BI recommendations, compared with those from Sophos
The CRA BI report offers a range of suggestions to help organizations strengthen their cloud security. To increase confidence and deploy their security budget properly, organizations must focus on securing their systems in the right way, and not just buying tools and haphazardly throwing money and technology at the challenges. Respondents would specifically benefit by:
- Continuously monitoring and hardening cloud assets: Get to know where all cloud assets reside. New cloud assets are always being added, changed, and dropped. As settings and configurations change, so does security posture. Enterprises must be able to continuously monitor to discover their cloud assets, identify vulnerabilities in those systems, and then remediate those vulnerabilities.
- Identifying where sensitive data resides in the cloud: Organizations can’t secure data that they don’t know is out there, but consistently monitoring for their data is the first step. Ensure sensitive and regulated data is stored and accessed on more secure cloud workloads, and that data is encrypted in transit and at rest. Use strong authentication when accessing sensitive data.
- Considering a cloud security gap assessment: It’s very difficult for organizations to objectively look at the status of their cloud security programs. Turning to a trusted services provider to conduct a cloud security gap assessment can help to identify the objective state of the program, areas that need to be in place or improved, and then prioritize them for implementation.
- Focusing on workload and application configurations: Most cloud attacks focus on poor configurations, such as loosely configured storage buckets and publicly facing databases. Strictly enforce configuration policies, and whenever possible automate the remediation of any out-of-policy and at-risk workloads or assets.
- Reviewing identity and permissions: It’s not just people who have access rights to cloud applications and cloud resources; other applications and even robotic processes need access too. Constantly scour cloud systems and workloads to make sure that people and systems have only the access they need and that excess privileges (any access not necessary to do one’s job or perform their role) are reduced.
- Moving up the Cloud Security Maturity Model: The Cloud Security Maturity Model is a framework that helps organizations understand the security maturity of their organization. From a high level, increasing cloud security maturity is about moving from manual and decentralized processes to automated, centralized and more integrated cloud security operations.
At a more technical level, security provider Sophos recently outlined 10 steps to bolster cloud security, which fit in well with the CRA BI recommendations:
Many organizations are increasing their investments in security defenses and know they have challenges ahead. For example, some are likely to face significant learning curves and complexities in moving from on-prem to hybrid/cloud. Configuration issues may also come to the forefront, requiring more training for sysadmin roles as well as active automated monitoring, logging, and reporting.
The CRA BI survey reveals just how much work organizations may have ahead, not only in finding the talent they need to build secure and resilient systems but also in adopting and implementing the right technologies and processes – from secure coding and development pipelines to mastering cloud security architectures.
While some respondents described the impact of the rapid adoption of cloud in terms of being “so much harder to protect information,” and “vulnerable due to the amount of data being moved and integrated,” others were more optimistic and believed “early-stage hiccups would settle after some time and the cloud would become the best option.”
Ultimately, IT security will need to adapt with more effective tools for cloud security to keep pace. The 10 steps provided by Sophos will certainly help in that regard.