We know the adoption of cloud and cloud-based tools is growing rapidly, but a new survey helps quantify the growth.
According to the Cloud Threat Report 2019 commissioned by Oracle and KPMG, businesses that hold “more than 50% of their data in any public cloud” has nearly doubled in the last year. Moreover, the survey indicates that number is likely to double again over the next 12 months.
Specifically, the survey found the rate of growth around that particular measure of cloud adoption grew from just 14% in 2018 to 23% in 2019. Moreover, respondents estimated that number will climb to 49% by 2020.
This is not a casual migration either. Businesses are putting valuable data in the cloud. Some 71% of respondents said “the majority of their cloud-resident data is sensitive” – a 21% increase from the same survey last year.
Yet the cloud transformation also brings new concerns for cybersecurity. IT infrastructures are already complex, and the survey surfaced the rising challenges of maintaining security in hybrid environments with a mix of both cloud and on-prem infrastructure.
Here are some of the findings that stood out to us:
1) Confusion over cloud security responsibilities.
The report places the question of cloud security in a model of shared responsibility. For example, the enterprise, or end customer, have higher levels of responsibility in subscribing to infrastructure-as-a-service (IaaS) than they do in platform-as-a-service (PaaS) or in software-as-a-service (SaaS). Yet in all cases, the customer maintains at least some obligation – so it’s a shared responsibility.
The survey shows that enterprises may not fully understand the differences. For example, when the survey asked about shared responsibility for each category, the answers stacked up like this:
- 54% said they understand their security responsibilities in SaaS;
- 43% said they understand their security responsibilities in PaaS;
- 46% said they understand their security responsibilities IaaS; and
- 18% said they fully understand the shared responsibly security model.
The confusion raises the risk level because no one is looking if each party – customer and vendor – thinks the other one is accountable. The report made three observations about this finding:
First, “the less [security] the customers are responsible for, the more they’re confused about their obligations.”
Second, some CIOs may have a better level of understanding about shared security responsibilities than some CISOs. “Only 10% of the CISOs in this year’s research fully understand the shared responsibility security model, compared with 25% of CIOs who report no confusion.”
And third, this confusion has real consequences. For example, about one-third of respondents (34%) indicated the confusion over cloud security “has led to the introduction of malware” among other risks.
2) Security’s visibility into the cloud is the top challenge.
You can’t protect what you can’t see, which is why visibility is an important challenge with which security teams wrestle as their organization increasingly adopt the cloud. For example, when asked “What are the biggest cybersecurity challenges currently experienced by your organization today?” cloud visibility was at the top of the list.
Here’s the breakout of the answers:
- 33% said detecting and reacting to security incidents in the cloud;
- 29% said the lack of skills and qualified staff;
- 27% said the lack of alignment between security and IT operations teams;
- 26% said the unauthorized use of cloud services; and
- 24% said the lack of visibility across our data center and endpoint attack surface.
“CISOs are particularly aware of the cloud security visibility gap,” according to the report. It noted 38% cited “the inability of network security controls to provide visibility into public cloud workloads as their top cloud security challenge.”
This idea was also reflected in separate qualitative research compiled into a book by cybersecurity analyst Richard Stiennon. In an interview about his book for the Bricata blog, Mr. Stiennon noted leaders in large enterprise moving to the cloud, “realized that they can’t just replicate the data centers and the security around it, that they’ve been building for the last 20 years.”
3) New infrastructure gives old attacks new tricks.
While some of the top ways of initiating an attack, like email phishing, are not new, the report says that “the broad use of cloud services has created an opportunity for hackers to exploit” social engineering techniques in their attacks.
File sharing services are an example identified in the report because users commonly receive notifications about shared files or product updates from the services through email. That mental conditioning can be exploited:
“Hackers are now taking advantage of this established workflow by phishing users with seemingly legitimate emails from well-known file sharing service providers with a call to action to download a file, review an updated privacy agreement, or to update their account information, including their username and password.”
Even more concerning, these attack methods are sometimes used to gain more persistent access to cloud infrastructure. This happens, for example, when the targets of the attack are users with privileged access.
When asked, “Which of the following cybersecurity attacks, if any, has your organization experienced most often within the last 24 months?” phishing was at the top of the list. Here’s how the answer stacked up according to the report:
- 27% said email phishing with malicious attachments or links;
- 23% said malware that moved laterally;
- 19% said the misuse of a privileged account by an inside employee;
- 18% said “zero-day” exploits;
- 17% said business email compromise;
- 16% said ransomware;
- 15% said cryptojacking;
- 15% said credential stuffing;
- 15% said exploits that take advantage of known vulnerabilities;
- 14% said targeted penetration attacks;
- 14% said misconfigurations (including cloud);
- 12% said stolen credentials for privileged accounts; and
- 11% sad BGP rerouting as part of a denial of service attack.
To combat the top concern, phishing, the report makes several recommendations including continuous end-user awareness testing and conducting “simulated email phishing attacks to test the effectiveness of end-user awareness training, identify weaknesses, and benchmark progress over time.”
Additional Cybersecurity Statistics from the Study
The report contained several other statistics related to cloud security that struck us as interesting and worth highlighting:
- Compromises attributed to a third-party. Respondents said their organization had experienced cybersecurity incidents attributed to a third-party compromise:
- 49% said the introduction of malware;
- 46% said unauthorized access to data; and
- 39% said a loss of data.
- Compromises attributed to shadow IT. Respondents said their organization had experienced cybersecurity incidents attributed to the use of unsanctioned cloud toolsf:
- 50% said unauthorized access to data;
- 48% said introduction of malware; and
- 47% said loss of data.
- How security is boosting defenses. When asked what actions their organization had taken in the last 24 months – and had a positive impact – some of the answers respondents identified were as follows:
- 28% conduct more regular penetration testing;
- 25% have engaged a managed service provider;
- 24% purchased new security technologies;
- 21% conduct simulated email phishing attacks; and
- 20% obtained an increased security budget.
* * *
“Urgency” is the “single, seminal take away” the report concludes. “This year’s report is a call to action to treat cloud security as a strategic imperative, one that entails a multifaceted approach to secure the business cloud.”
The survey was commissioned jointly by Oracle and KPMG and conducted by Enterprise Strategy Group. It polled more than 450 cybersecurity and IT professionals in North America, the United Kingdom, Australian and Singapore in late 2018. The full report runs 60-pages in length and is freely available for download with registration here: Cloud Threat Report 2019.
Note: Bricata has a comprehensive network protection platform that covers cloud, on-prem and hybrid environments. If you’d like to see the product in action, we’d be glad to show you. Click here to request a demo.
If you enjoyed this post, you might also like:
Considerations for Planning, Structuring and Deploying a New Network Security Strategy