Thales on Tuesday reported that 45% of businesses it surveyed have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year.
The new report, conducted by 451 Research, also found that there’s been a notable expansion in the use of multiple infrastructure-as-a-service (IaaS) providers, with almost three-quarters (72%) of businesses using multiple IaaS providers, up from 57% the year before. And, the use of multiple providers has almost doubled in the last year, with 1 in 5 (20%) of respondents reporting using three or more providers.
Despite the shift to the cloud, many businesses share common concerns about the increasing complexity of cloud services as 51% of IT professionals agree that it’s more complex to manage privacy and data protection in the cloud. Additionally, the journey to the cloud has also become more complex, with the percentage of respondents reporting that a simple “lift-and-shift” migration tactic has dropped from 55% in 2021 to 24% today.
Cloud services are extremely easy to acquire, and many employees sign up for “free” services that IT does not know they are using for business purposes, said Chris Clymer, director and CISO at MRK Technologies. Clymer said it’s become very common for elements of the business to operate using some degree of cloud storage and or applications which are not subject to the same controls as IT-managed ones.
“This makes data breaches almost inevitable, as especially in the case of cloud storage it’s all too easy…and sometimes even desirable for documents to be shared with collaborators outside your company,” Clymer said. “Many breaches have been the result of a cloud storage bucket with lax permissions that IT would never have allowed to be provisioned…had they known.”
Treating cloud infrastructure differently than traditional on-premise is where many organizations start to create weaknesses in their security program, said Matthew Warner, co-founder and CTO at Blumira. Warner said it’s often very easy to move into cloud services and assume that because you’re paying for the compute and support, it should also be secure by default.
“In reality, cloud becomes another vertical of infrastructure and effort that security teams must maintain, monitor, and validate by new processes in an environment,” Warner said. “CISOs must apply the same level of policy and process to cloud security and ensure that their environment aligns to baseline security expectations — otherwise the creation of unknown tech debt and risk will only grow. Instead of changing strategies to accommodate the evolution of infrastructure, update your existing policies and processes to mitigate risk and secure these complex cloud environments.”
Dominick Eger, Field CTO at Anjuna Security, said the industry as a whole needs to simplify the way teams can protect data in-use, data in-transit, and data-at-rest so that security pros can minimize these types of exposures and the attack surfaces associated with them are reduced down to a smaller footprint.
“What needs to change in our industry is the over-complexity of hybrid-cloud, trying to lift-and-shift on-premises technologies into the cloud without sufficient protection, and having a baseline of security requirements that can be adaptable regardless of cloud or technology,” Eger said. “With numbers like 45% of companies experiencing data breaches it really shows that we still have a lot of work to do to protect data and people's privacy.”