Business users are not the only ones within enterprises to benefit from the use of cloud services. A majority of security teams say that they can achieve better security within cloud environments, according to new research from McAfee.
The latest Cloud Adoption and Risk Report from McAfee focuses on the business growth organizations achieve through the strategic use of cloud services. One of the most critical findings from the report is that 52 percent of organizations state they experience improved security in the cloud. This should dispel once and for all the myth that cloud services are inherently insecure, and push organizations to adopt cloud services with the goal of improving security — in addition to the business benefits cloud applications provide.
The entire business model of enterprise-ready cloud providers depends on preventing breaches. Leading cloud providers invest more resources in security than almost any enterprise can afford to put into securing its own hosted environments. They are strategically focused on meeting customer security requirements and able to recruit top talent to do so. Outsourcing areas of security to cloud providers allows enterprises to focus on their own core competencies. Not every company should need to be an infrastructure security company.
Moving to the cloud does not mean all of an organization’s security needs are automatically met, however. On the contrary, securing data in cloud environments requires the cloud customer to take additional steps to address specific areas of risk to their data.
Navigating the Shared Responsibility Model
The one element of security cloud providers can’t cover for their customers is how their services are actually used, specifically the data that is stored in them, shared externally, and accessed from a myriad of devices and locations. Gartner has predicted that security efforts from cloud customers will be the most important factor in preventing data breaches in the cloud: “Through 2023, at least 99% of cloud security failures will be the customer’s fault.” [1]
Cloud security is based on a shared responsibility model, which dictates that cloud providers will cover many aspects of physical, infrastructure, and application security while cloud customers remain responsible for certain areas of security and control, depending on the cloud environment.
Specifically, cloud customers are almost wholly responsible for protecting data and securing access from internal and external risks. This means the cloud customer must take the initiative to implement additional security measures for the areas where they are responsible.
The areas of security the customer is responsible for depend on the type of cloud service (IaaS, PaaS, SaaS) and the security capabilities of the provider itself. Leading cloud service providers have made an effort to educate customers on their security responsibilities. Microsoft, for example, publishes its model for its cloud computing resource, Azure. Amazon does the same for Amazon Web Services (AWS).
IT professionals must take the initiative to understand the risks to their organizations. Addressing the customer’s end of the shared responsibility model can involve configuring cloud provider native security features, working with internal stakeholders to ensure secure behavior, and implementing third-party cloud security tools. When done effectively, organizations can successfully take advantage of the business and security benefits of cloud environments.
Shared Responsibility Shortcomings
While the Cloud Adoption and Risk Report showed that organizations are recognizing the security benefits of the cloud, it also revealed that many have a long way to go to address risks to data in cloud environments.
Only a minority of enterprises have implemented key controls around data in the cloud. Only 36 percent of respondents reported they can enforce data loss prevention (DLP) in the cloud. Similarly, 33 percent said they could control how users collaborate and share data in the cloud.
Access from personal devices is a key element of cloud security, yet only 40 percent of companies said they could control access to cloud data from personal devices. The remaining 60 percent have no control over sensitive corporate data traveling to an unmanaged personal device.
IaaS platforms pose their own unique security challenges. Misconfigurations of security settings have led to many publicized data leaks where sensitive data was left unsecured on the open internet. Worryingly, a mere 26 percent of organizations said they could audit configuration settings.
Cloud Access Security Brokers (CASB) provide a dedicated cloud security solution for addressing all areas of a cloud customer’s security responsibilities. While almost all organizations have moved significant data and computing workloads to the cloud, only one in three companies has currently implemented a CASB.
A Data-Centric Approach to Cloud Security
Cloud security approaches have evolved significantly since the early days of cloud adoption. At first, many organizations were concerned about shadow IT, or the risk of data theft from unsanctioned, high-risk cloud services. Today, organizations are strategically uploading sensitive data to enterprise cloud services, shifting cloud security priorities.
Most organizations’ top priority should be securing the cloud applications that contain the most sensitive data. In aggregate, leading cloud services include Office 365, Salesforce, Box, Dropbox, and ServiceNow for SaaS. Amazon Web Services, Azure, and Google Cloud Platform represent a rapidly growing share of enterprise computing loads in the IaaS realm. Every cloud customer should audit their own usage to understand which services they rely on for sensitive data and critical operations. Once they have identified these services, they should look to implement a CASB as a dedicated cloud security solution.
While organizations can achieve better security through cloud services, it does not happen automatically. Only with a cloud-native security strategy can companies receive the business and security advantages of cloud services.
1 Gartner, 2018. Magic Quadrant for Cloud Access Security Brokers