Companies Fail to Encrypt, Protect Data in the Cloud
Considering that 40% of organizations have fallen victim to a cloud-based breach in the last year, it would seem they would put a premium on safeguarding their data in the cloud.
But the 2021 Thales Global Cloud Security report says differently. Most—a whopping 83%—have failed to encrypt even half the sensitive data they have tucked away in the cloud. And if that’s not enough to give pause—just about one-third, or 34%, retain total control over encryption keys.
As cloud adoption continues to rise following the onset of the pandemic, businesses are diversifying the ways they use the cloud. Of those surveyed, 57% said they use two or more providers for their cloud infrastructure, Thales said, citing a McKinsey & Company study that found organizations have accelerated cloud adoption by three years. One in four have moved most of their workloads and data to the cloud—21% say the majority of their sensitive data is now in the cloud.
“These findings are yet another reminder that as organizations transition to cloud services, which has accelerated as a result of the pandemic, you simply cannot treat cloud services the same as traditional on-premises services. This is especially true for security,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, particularly as nation-states and cybercriminals up their attacks on cloud services. “Organizations that are adopting cloud services must also adopt a cloud security strategy that is designed to reduce the risks of cloud assets, such as data encryption, multifactor authentication (MFA) and privileged access security.”
While security is top of mind, encryption efforts lag behind and almost half don’t have a zero-trust strategy—25% aren’t considering one. Instead, many organizations (33%) have made multifactor authentication the centerpiece of their cybersecurity strategy. But that is not enough.
“Organizations across the world are struggling to navigate the increased complexity that comes with greater adoption of cloud-based solutions. A robust security strategy is essential to ensuring data and business operations remain secure,” Sebastien Cano, senior vice president for cloud protection and licensing activities at Thales, said when the report was released. “With nearly every business reliant on the cloud to some extent, it is vital that security teams have the ability to discover, protect and maintain control of their data.”
The failure to safeguard data is troubling. Noting that “protecting customer data is always the priority, and organizations should strongly consider reviewing their strategies and approaches to proactively protect data in the cloud,” Fernando Montenegro, principal research analyst, information security at 451 Research, part of S&P Global Market Intelligence, said a review should include “understanding the role of specific technologies including encryption and key management, as well as the shared responsibilities between providers and their customers.”
He maintained that as data privacy and sovereignty regulations increase, “it will be paramount that organizations have a clear understanding of how they remain responsible for data security and make clear decisions about who is in control and who can access their sensitive data.”
But the data picture has become more complex. “In today’s cloud and SaaS platforms, the corporate network is no longer the only way to access data. Data is now frequently accessed through third-party apps, IoT devices in the home, and portals created for external users like customers, partners, contractors and MSPs,” said Brendan O’Connor, CEO and cofounder at AppOmni. “Often access through these channels completely bypasses the corporate network.”
Companies are “eager to use these access points to increase the functionality of their cloud and SaaS systems,” said O’Connor, but “they often neglect to secure and monitor them in the same way they’ve secured access from their corporate network, leading to major access vulnerabilities that may be completely unknown to the company.”
Archie Agarwal, founder and CEO at ThreatModeler, acknowledged that “many security professionals are privately worried that cloud adoption may be moving faster than they can ensure the secure transition of data to cloud services.” And the Thales research seems to confirm that.
“While the business benefits of scaling up cloud services are obvious, we do so hastily at our own peril,” said Agarwal. “We do not want to see a return to the dark days of security as an afterthought. If necessary, we must slow down cloud migration and employ tools such as threat modeling automation to plan out our transition carefully and securely.”