The Cloud Security Alliance (CSA), in tandem with Google Cloud, on Wednesday released a survey on cloud risk that found some 52% of organizations said they did not re-evaluate the risk of their cloud services after procurement, as product features or business environments changed.
CSA-Google researchers also found that there is no consistency in data classification across the cloud platforms and services in use. Only 21% use the cloud service's data classification, and only 65% of those align it with their internal data classification schemes.
“With enterprises continuing to add production in the cloud and the growing use of cloud services, managing cloud and digital assets will be critical in risk management and measurement,” said Jim Reavis, co-founder and CEO, Cloud Security Alliance. “While there’s still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigations, these issues are improved in the cloud when compared to current on-premise and legacy IT environments. This study confirms that an organization's best path to viable risk management involves IT modernization into the cloud or cloud-like on-premise infrastructure.”
In response to this changed environment, the survey pointed out that tools for quantifying and measuring risk need to improve. Some 70% of organizations reported less than effective processes for assigning risk to cloud assets, with only 4% reporting highly effective practices. Overall, monitoring, measuring, and reporting have become difficult. CSA-Google said 30% of enterprises reported that risk scoring systems are used as a directional guide to risk improvement for certain cloud solutions, as opposed to measurements that can be relied on for comparison across all cloud services.
The move to cloud infrastructure has also changed how organizations have to look at risk, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said in some cases, it’s become easier while in others it’s become more complex, and it’s taking organizations more time than maybe it should to come to grips with managing the new risk environment.
“Risk assessment and management are ongoing processes that need to be reviewed and updated as the situation and business environments change,” Parkin said. “IT security teams need a consolidated view of risk across cloud application environments, as well as traditional IT infrastructure. Then they need a plan to prioritize and mitigate this risk. This is no easy task, but it's possible through procedural and organizational discipline. If security teams can understand and prioritize risk created by cloud misconfigurations alongside IT infrastructure and application vulnerabilities, they have a shot at reducing risk and improving the security posture of the business.”
Mona Ghadiri, director of product management at BlueVoyant, said continuous monitoring of risk, prevention, and detection is the only way to stay ahead, with both cloud security and cybersecurity in general. Ghadiri said CISOs need an internal and external readout of what happened, how it happened, and what was done to contain it.
“As more and more organizations bring on cloud services, they need to make sure they are continuously monitoring these environments with the same vigilance using more automation to contextualize response than on-premise assets,” Ghadiri said. “Analyzing a cloud environment only when it's first put online is far from sufficient. Day-to-day changes for good or bad reasons can result in new vulnerabilities. Organizations need to be able to quickly detect and remediate any issues as they arise.”
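The continuous-monitoring point Ghadiri makes here, and the prioritization Parkin describes earlier, can be illustrated with a small drift check that compares a baseline inventory snapshot of cloud resources against the current one, evaluates only what was added or changed, and ranks the new findings by severity. This is an added example, not code from the article, the CSA survey, or either vendor; the resource schema, the two snapshots, and the severity scale are all constructed for illustration.

```python
"""Flag new risk introduced by day-to-day cloud configuration changes.

Compares a baseline snapshot of cloud resources with the current snapshot,
re-evaluates only resources that are new or changed, drops issues that were
already present (and presumably accepted) at baseline, and sorts what is
left by severity so the highest-risk drift is handled first.
"""
from dataclasses import dataclass

# Constructed sample snapshots (hypothetical resource schema, not real data).
BASELINE = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "bucket-logs": {"type": "object_store", "public": False, "encryption": "aes256"},
    "role-ci": {"type": "iam_role", "policies": ["read-only"]},
}
CURRENT = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},   # SSH opened to world
    "bucket-logs": {"type": "object_store", "public": True, "encryption": "aes256"},
    "role-ci": {"type": "iam_role", "policies": ["read-only", "admin"]},
    "bucket-tmp": {"type": "object_store", "public": False, "encryption": None},
}

ADMIN_PORTS = {22, 3389}  # remote-administration ports that should never face the internet


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str
    severity: int  # 1 = low ... 4 = critical (constructed scale)


def check_resource(name, res):
    """Apply simple misconfiguration checks to one resource and return findings."""
    findings = []
    kind = res["type"]
    if kind == "security_group":
        for rule in res["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(Finding(name, f"admin port {rule['port']} open to the internet", 4))
    elif kind == "object_store":
        if res["public"]:
            findings.append(Finding(name, "object store is publicly readable", 4))
        if not res["encryption"]:
            findings.append(Finding(name, "object store has no at-rest encryption", 2))
    elif kind == "iam_role":
        if "admin" in res["policies"]:
            findings.append(Finding(name, "role carries an admin policy", 3))
    return findings


def drift(baseline, current):
    """Return (added, removed, changed) resource names, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return added, removed, changed


def new_findings(baseline, current):
    """Findings introduced since baseline, highest severity first.

    Issues already present at baseline are treated as known/accepted and are
    not re-raised, so the output is the risk created by recent changes only.
    """
    known = {(f.resource, f.issue)
             for name, res in baseline.items()
             for f in check_resource(name, res)}
    added, _removed, changed = drift(baseline, current)
    fresh = [f for name in added + changed
             for f in check_resource(name, current[name])
             if (f.resource, f.issue) not in known]
    return sorted(fresh, key=lambda f: (-f.severity, f.resource))


if __name__ == "__main__":
    added, removed, changed = drift(BASELINE, CURRENT)
    print(f"added={added} removed={removed} changed={changed}")
    for f in new_findings(BASELINE, CURRENT):
        print(f"[sev {f.severity}] {f.resource}: {f.issue}")
```

Running this against the constructed snapshots reports the publicly readable log bucket and the internet-exposed SSH rule first, then the new admin policy, then the unencrypted scratch bucket; the port 443 rule that was already open at baseline is not re-raised. In practice the snapshots would come from the provider's inventory or configuration API on a schedule, and the baseline would be refreshed whenever a finding is formally accepted.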