One of the biggest issues with cloud security arguably has very little to do with technology. Most breaches involving the cloud are generally the result of one misconfiguration or another. In theory, that should not be a big deal if the files being purloined are encrypted. But new research from Vera Security, a provider of information rights management tools, confirms what most cybersecurity professionals already know all too well. Only four percent of breached files were encrypted.
Most end users can’t seem to be bothered with encryption. Despite all warnings to the contrary, unencrypted data is strewn across the extended enterprise. In fact, only 35 percent of respondents to the Vera Security survey build encryption into security processes and procedures across the board, and only 26 percent employ digital rights management that could be employed to revoke access rights to a file.
Even when organizations do embed encryption into their processes, end users still seem to find a reason to end-run whatever cloud security controls are in place. It’s little wonder that cybersecurity professionals consider cloud computing insecure. The reason they feel that way has nothing to do with the cloud services being employed. Rather, it’s about how end users employ those clouds. Once an end user engages in risky behavior on a cloud service, cybersecurity professionals generally lack the tools to do anything about it. In contrast, when a mistake gets made in an on-premises environment, cybersecurity professionals can usually limit access to any and all offending files.
Unfortunately, a separate survey published by Ping Identity, a provider of identity management tools, suggests this problem is only likely to get worse before it gets better. A survey of 301 IT and security professionals at enterprises with 5,000 or more employees conducted by MarketCube finds more than one quarter (27%) of respondents experienced a breach of customer identity data stored in a public cloud, on-premises or in a SaaS application provider’s cloud. Among those respondents, 41 percent said a lawsuit was subsequently filed, while 29 percent dealt with the repercussions of a legal investigation.
Both studies would suggest that when it comes to securely storing data, many organizations are their own worst enemies. A recent survey conducted by Syncsort, a provider of data management tools, suggests internal IT organizations are part of the problem. The Syncsort survey finds only 23 percent of organizations are conducting security audits every three months. Another 19 percent claim they conduct audits every six months, while nearly one-third (32%) said their organization only performs security audits annually. The trouble is most of those audits are conducted by internal IT organizations rather than third parties, which is roughly equivalent to internal IT organizations grading themselves.
Between the willingness of IT organizations to cut corners and egregious end-user behavior, cybersecurity professionals are clearly in a tough spot. There’s clearly much work to be done when it comes to securing business processes that extend to the cloud. Cloud computing obviously is not going away any time soon. The challenge cybersecurity professionals face when it comes to the cloud is getting their organizations first to take, at the very least, basic reasonable precautions and then to actually check that policies are being followed. Otherwise, it’s simply a matter of when, rather than if, the next major cloud security breach occurs.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.