Mountain View, Calif.-based Egnyte provides file sharing via the cloud to its customers, so its security practices have to be top-notch. But the company also has all of its internal finance applications in the cloud, including those handling employee expenses and payment processing for contractors, says Suzanne Colvin, CFO. Its sales team relies heavily on Salesforce’s cloud-based customer relationship management (CRM), and the marketing team uses a mix of cloud-based applications to communicate with prospects and customers.
“As our chief security officer Kris Lahiri likes to remind us, [on-premise] infrastructure isn’t inherently more secure than the cloud; it comes with its own set of vulnerabilities and risks,” Colvin says. “We adopted cloud technology early and never looked back.”
Many organizations have trod the same path. But any organization launching a cloud computing initiative or in the middle of moving more data and workloads to the cloud has likely been worried about the accompanying cybersecurity risks. It turns out, they are just as prevalent as those in on-premise systems. Entrusting valuable information resources to an outside service provider always comes with hazards.
Wisely, many enterprises, like Egnyte, are investing in cloud and remote worker security, especially as more of the global workforce toils from home. Indeed, cloud security spend is expected to rise by 33% in 2020, Gartner forecasts.
Unfortunately, spending on solutions doesn’t necessarily translate into bulletproof systems. Recent studies find that while companies continue to adopt cloud services rapidly, many fail to put in place proper cloud security measures. That’s troublesome for several reasons, not the least of which is that bad actors use weaknesses in the cloud as an entry point for malicious attacks.
In addition, many enterprises that do get attacked point fingers at cloud service providers, saying their systems lack built-in security measures. One recent study found that about 8 in 10 IT professionals are concerned that cloud providers are too self-assured about the security of their platforms.
Shoot, Then Aim
Recent research by consulting firm KPMG and software giant Oracle notes that as business leaders digitally transform their operations and move what’s left of on-premise systems to the cloud, adequate security controls are all too often an afterthought.
“Companies [often] eschew proven best practices and make it difficult — if not impossible — for the business to accurately assess and manage enterprise risk,” the report says. “Organizations are simply not ready to secure [their systems] at the rate at which the business [is adopting] cloud services, creating a palpable cloud security readiness gap.”
The basics of cloud security are still not understood by many organizations, and worsening confusion over the shared responsibility security model is a pivotal contributor to the readiness gap, the study says. Many IT executives also believe that cloud security requires a different employee skillset than on-premise security.
As part of their research, KPMG and Oracle conducted an online survey of 750 cybersecurity and IT professionals worldwide in December 2019 and January 2020. They found that 81% of those surveyed are concerned about the potential for complacency among cloud service providers. And a majority of organizations (70%) say too many specialized tools are needed to secure their public cloud footprint. On average, organizations use more than 100 discrete products for cloud security.
Some of the big cloud companies have been adding to their security prowess with significant bolt-on acquisitions. They’re doing so because most of their customers expect cloud security to be “baked into” services, says Lawrence Pingree, a managing vice president at Gartner.
“[Businesses] expect that cloud providers can provide a basic level of due care for security,” Pingree says.
In October 2019, virtualization software provider VMware bought Carbon Black, which offers cloud-native endpoint and workload protection. Carbon Black will form the nucleus of VMware’s security offering, focused on helping VMware customers with advanced cybersecurity protection and in-depth behavioral insight to both help stop sophisticated attacks and accelerate response times.
Despite the massive spending on cybersecurity by enterprises, “the last two years have seen some of the largest security breakdowns in IT history, with major data breaches making headlines nearly every week,” says Sanjay Poonen, chief operating officer, customer operations, at VMware.
As businesses continue to shift toward hybrid cloud environments and more dynamic endpoints, rethinking cloud security is critical, Poonen says. “As the threat landscape expands in the age of multi-cloud, modern apps, and modern devices, cybersecurity should not be an afterthought or an ‘add on;’ it should be baked into the fabric of tools, processes, and business,” he asserts.
In a similar move in June, IBM announced it had signed a definitive agreement to acquire Spanugo, a provider of cloud cybersecurity posture management products. To further meet the security demands of its clients in highly regulated industries, IBM will integrate Spanugo software into its public cloud.
The addition of Spanugo software will enable organizations to define compliance profiles, manage controls, and monitor compliance, IBM says.
As clients move increasingly significant and sensitive workloads to the cloud, management of security and compliance becomes more complex, IBM says. For businesses in highly regulated industries, including financial services, health care, insurance, and telecommunications, cloud environments are most useful when they are approved for sensitive information.
“When it comes to hosting sensitive and regulated workloads on the public cloud, enterprises are being forced to take a hard look at their approach to managing security and compliance,” says a spokesperson for IBM.
Complex deployments open the door to a range of cloud cyber threats, but so does human error, according to research by Trend Micro, a multinational IT security provider. The company found that misconfigurations are a primary cause of cloud security issues. A misconfiguration is when a system administrator does not secure a cloud storage system or a database correctly on a cloud service. (For this and other definitions, see “Knowing the Parlance,” below.)
Such errors have been increasing since 2017, according to the 2020 Data Breach Investigations Report (DBIR) by Verizon. The trend can be in large part associated with internet-exposed storage discovered by security researchers and unrelated third parties.
“These are the kinds of incidents that you hear security researchers discovering through simple trawling of the internet to see what’s exposed,” according to the DBIR. DivvyCloud, a security and compliance platform provider, found nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019. Those breaches cost global enterprises almost $5 trillion. (Only breaches that were definitively attributed to cloud misconfigurations were included in the report.)
Cyber criminals that capitalize on misconfigurations have gone after companies via ransomware, crypto-mining, data exfiltration, and other methods.
In May 2020, a report by cloud software company Accurics stated that current security practices are “grossly inadequate” for protecting cloud infrastructure in development environments.
The report shows that there is a significant shift toward provisioning and managing cloud infrastructure through code, which allows organizations to embed security earlier in the application development lifecycle. However, infrastructure as code is not adequately secured, thanks in part to a lack of tools that can provide complete protection.
Even in scenarios where infrastructure as code is being governed, there are ongoing problems from privileged users making changes directly to the cloud once the infrastructure is provisioned. This creates a drift from the secure baseline established through code, the study says.
“The dangers are undeniable: high-severity risks such as open security groups, overly permissive identity and access management roles, and exposed cloud storage services constitute 67% of the issues,” the report says. “This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches.”
While cloud security will likely continue to broaden and improve as customer needs evolve, it may continue to be one of the biggest resistance factors in cloud adoption.
“When you’re talking data in the cloud, there is always the threat of ransomware, malicious insiders, and accidental exposure often caused by poor access control,” says Egnyte’s CFO Colvin. “As an organization, we thoroughly evaluate the tools we bring into our digital workplace, continuously vet them, and educate our workforce on security practices.”
Translation: there are plenty of things organizations can do on their own to bolster cloud security, even if cloud providers are playing catch up.
Bob Violino is a freelance writer based in Massapequa Park, N.Y.
No Spending Lull
Cloud security investment will most likely prove resistant to the COVID-19 economic shock.
Given the issues swirling around cybersecurity, it’s no surprise that a June report by Gartner noted that demand for cloud and remote worker security is boosting worldwide spending on information security and risk management technology and services.
Such spending is expected to grow 2.4% to reach $124 billion in 2020, although spending in other segments of IT will likely show little growth thanks to the coronavirus pandemic. Cloud security spending specifically is expected to rise 33% from 2019 to this year, Gartner says. That’s by far the most significant increase for any IT segment.
According to Forrester Research, cloud security spending in the United States is expected to reach $1.93 billion by 2021, tripling since 2016. The ongoing shift to a cloud-based delivery model makes the security market somewhat more resilient to a downturn, Gartner says. As of late, cloud-based delivery models have reached well above 50% of the deployments in the areas of secure email and web gateways.
In the meantime, however, companies continue to get hit.
Cloud assets were involved in about 24% of the data breaches examined by the Verizon research team that occurred in 2019. A large majority of cloud-based breaches involved email or web application servers.
One of the most notable attacks targeted credit card applicants at Capital One. A hacker accessed 100 million card applications, which included Social Security and bank account numbers, that were improperly secured on Amazon cloud storage.
A recent study by IDC found that 79% of companies had experienced at least one breach in the past 18 months. Within that group, 43% had experienced 10 or more cloud security incidents during that same timeframe. One of the nagging issues for organizations? The lack of visibility into live cloud environments, according to the chief information security officers surveyed. — B.V.