Evaluating Risk Critical to Cloud Security

According to CloudAcademy’s November 2018 Data Report, the world is trending toward multi-cloud. In fact, multi-cloud environments have become such a reality that DevOps engineers are now expected to have concurrent proficiency in AWS and Microsoft Azure. What’s unclear, though, is how sensitive data is being protected in these multi-cloud environments.

While cloud computing does deliver greater security, it is not without its issues. Relying solely on the standard offerings that come built in falls short of protecting sensitive data. With more organizations storing files in the cloud, it’s important for companies to focus on how to adequately protect the sensitive data within those files.


The Pulse on Cloud Security

To understand the cloud security strategies of its channel partners, Untangle polled more than 100 organizations and found that more channel partners are looking to embrace cloud security technologies.

The survey found that more than 57 percent of channel partners agree or strongly agree that moving their data and network traffic to the cloud will provide better security. However, price (35 percent), lack of trust (31 percent) and lack of knowledge (27 percent) are the top barriers the channel experiences when their clients consider adopting cloud security solutions.

In looking at those that have already migrated to the cloud, research recently published by Databarracks revealed that in excess of 60 percent of companies have not evaluated the continuity risks for their cloud services over the past year.

The survey of 400 IT professionals found that of the 60 percent of organizations that have not evaluated the continuity risks for their cloud services, 17 percent have no plans to address this over the next 12 months. In addition, 23 percent of companies confessed that they have only the standard default backup or recovery capabilities offered by their cloud provider in place.

The Responsibility of Safeguarding Sensitive Data

In McAfee’s recently released Cloud Adoption and Risk Report, 21 percent of companies admitted that they regularly store files containing sensitive data in the cloud, which reflects a 17 percent increase over the past two years and a 53 percent increase year on year.

The increase of sensitive data in the cloud must be protected, just as it has been previously for systems held in internally managed data centers, said Peter Groucutt, managing director of Databarracks.

When deciding to migrate sensitive data to the cloud, Erik Costlow, principal product evangelist at Contrast Security, said that one of the first strategies companies attempt is “lift and shift,” which takes an application and migrates it up to the cloud provider.

“This often unintentionally exposes the applications to more users, where the internal application from several years ago with limited maintenance is now available up in the cloud,” Costlow said. “Without bundling security inside these applications to defend in the new landscape, they are at greater risk. Another issue is with gluing different services together, where security issues pass between services but a team’s accountability does not.”

From Troubling Skies to Cloud Security  

According to Jeff Williams, co-founder and CTO of Contrast Security, when companies migrate from the safety of their own data center or intranet, they’re exposed to new threats. “Companies need to do a better job of understanding these threats and adding new protections to their cloud workloads. ‘Reloading’ their stack with modern security defenses like RASP, container security, endpoint protection and other instrumentation makes this transition much safer.”

Because of the frequent misconfigurations in cloud environments and the reality that organizations have been slow to fully automate and continuously monitor every cloud deployment, Williams said it is likely that we will see increased attacks as we head into 2019.

True, many software-as-a-service solutions have a level of resilience built in as a standard option, but standard protections aren’t always enough. Many service providers have additional offerings that might meet the specific needs of an organization. Short of that, though, Groucutt said, “If those options still aren’t adequate, take matters into your own hands and set up your own additional data protection methods.”

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
