Cloud data sharing and storage services are expanding rapidly; cloud security, however, is not improving at the same pace.
New research reveals that 73 percent of respondents in a recent study have experienced a cloud-related security incident due to inadequate security practices. Symantec’s Cloud Security Threat Report (CSTR), released June 24, finds that while 53 percent of respondents reported workloads moving to cloud applications, 54 percent said their security practices have not kept up at the same rate.
The study covered around 1,250 IT decision makers in about 11 countries, with about 10 percent coming from global government respondents, said George Teas, senior director of Systems Engineering at Symantec.
According to the report, cloud technology is not responsible for data breaches. Instead, the authors point to three causes. They are:
- Slow security modernization on cloud applications. “Our research shows that 69 percent of organizations believe their data is already on the Dark Web for sale and fear an increased risk of data breaches due to their move to cloud,” said Nico Popp, Symantec’s senior vice president of cloud & information protection.
- Complex IT systems. According to the report, 64 percent of security threats are tied to the cloud and 25 percent of cloud security alerts go unaddressed. “A data breach on information using a cloud application or taking an application that doesn’t have the right security controls into it is a vulnerability of the entire network,” Teas said.
- Risky behaviors. These behaviors run contrary to recommended security practices and expose data on the network to breach. The report cited oversharing as one of the most common risky behaviors, with 93 percent of respondents reporting oversharing as a problem on their networks. Teas refers to this data as “shadow data.”
“It is basically customers putting data into cloud applications that are either overshared, i.e., they let too many people see the data, or the data should never reside in there.”
Embracing a zero trust model
One solution the report suggests is a zero-trust model.
“The idea behind zero trust is to have complete visibility into the data flow and the user traffic that is going to cross in accessing the application,” Teas said.
These security measures are especially important to federal government officials as they transition to the cloud, Teas said.
“They are going to need the same policies regardless of if their data is on the premise or whether or not their data is on the cloud,” Teas said. “They need to have a holistic visibility approach.”
For federal governments, data security on cloud networks can have significant implications for national security, Teas said.
“For national security we have to know what the data is, where the data is at, and who is it being shared with so that you can understand your risk exposure and who you are allowing to have access to that data,” Teas said.
To implement these practices, Teas said organizations need to change how they view security using what he calls development security operations.
“They are building the application and then bolting security on top of that. What they need to start doing to get in front of this is actually building security into these applications so it is a foundational part, anytime they develop,” Teas said.
Kelsey Reichmann is a general assignment editorial fellow supporting Defense News, Fifth Domain, C4ISRNET and Federal Times. She attended California State University.