Cloud environments are now the accepted standard for efficiency and growth, so securing data in the cloud has become a top priority for business leaders who aspire to move away from on-prem infrastructure to leverage the cloud and its benefits.
In stark contrast to this shift to business-forward processes and an agile approach to using data, security teams are lagging behind. Organizational cloud data footprints and postures are currently still managed using manual processes, including spreadsheets, manually collecting information about where data lies, what it supposedly contains and who has access to it, achieving scattered coverage and partial information.
There’s no easy way to say this: spreadsheets are ruining businesses' cloud data security posture. Cloud Data Security Posture Management (CDSPM) is a holistic approach to ensuring the security of an organization's data in the cloud. A critical component of the overall organizational security posture, CDSPM protects the crown jewels at the heart of the organization’s operational and business processes – and spreadsheets are putting them at risk. Here’s what spreadsheets lack:
They aren’t comprehensive: Much like any manual tool, spreadsheets only provide information that was manually entered into them. There’s no way to ensure that it’s complete or comprehensive information. Security teams use these spreadsheets for decision-making processes and as critical tools to ascertain and assess organizational risk. If they rely on partial information, without even knowing that they are missing potentially critical data, they are most likely making uninformed decisions.
Spreadsheets lack accuracy: An agile business requires adaptive support from security teams. As business processes shift and scale, security must withstand growth and enable it. While security teams rush to keep up with constant changes, updating manual spreadsheets becomes laborious – with considerable overhead. By the time manual updates are completed, they are already outdated. Maintaining –and ensuring – the accuracy of these spreadsheets has become nearly impossible at the growth and development rates today.
Most focus on controls, not policies: Spreadsheets contain raw information, without context or assessment. They let teams document the control that’s enabled and how a functionality gets configured, but translating that into the policies these controls are designed to meet requires effort, expertise, and an ability to adapt as data storage technology evolves and more controls become available. Information gleaned from security tools should inform policy-making processes for the organization as a whole and ensure seamless security and business continuity. Teams spend considerable time and effort creating and maintaining spreadsheets that focus on cloud-native controls, instead of the policies they are meant to serve.
They are point-in-time: Security teams can’t have a full-time employee manually updating spreadsheets. Most security teams set specific times for updates, maybe once a quarter. Understandably, if there was a security issue requiring attention – security teams could potentially only know about it after about three months. They can detect and change misconfigurations only after several months, rather than immediately. These risks may have been present in the organization for a long time, potentially being exploited by malicious actors.
With data constantly growing and flowing through multiple cloud environments and data stores, it’s not sustainable to continue with this manual management. Spreadsheets are only relevant for a subset of cloud data technologies. They do not cover the full breadth of security risks, leading to the obstruction of innovation and efficiency with a still lacking security posture. The continued use of manual processes for data management, rather than leveraging the power of automation for this purpose, leads to the potential exposure, leak and loss of sensitive data, wreaking havoc on both business and security operations.
Liat Hayun, co-founder and CEO, Eureka Security
