A survey made available this week by the non-profit SANS Institute suggests that while the volume of cybersecurity incidents involving cloud services is up, more organizations are overcoming some of the natural fear and loathing the naturally comes from having to rely on an external IT service provider.
The survey finds the number of organizations that had to deal with some form of unauthorized access to the cloud environment increased to 31 percent this year, compared to 19 percent in 2017.
But the percentage organizations that have required to deal with an actual breach has dropped in that same period. Nearly three-quarters of respondents (72%) said they were unaware of an actual breach, compared with 59 percent in 2017. Interestingly, 11 percent said they did experience a breach, while another 11 percent think they've had one but can't prove it. Meanwhile, seven percent are just unsure.
There also appears to be more faith being place in cloud service providers. The number of organizations citing concerns over data breaches potentially involving the personnel of their cloud service provider has dropped from 53 percent in 2017 to 44 percent this year.
However, while progress is clearly being made, cloud security concerns remain a top of mind issue. Over half the respondents (56%) said knowing when and who accessed cloud resources remains a concern, followed by the inability to respond to incidents (52%), lack of visibility into what data is being processed and where (51%), and unauthorized access to data from other cloud tenants (50%).
The survey makes it clear that organizations are still coming to terms with the shared responsibility model require to secure applications in the age of the cloud. Most cloud service providers can secure their infrastructure much better than any internal IT team could ever hope to secure an on-premises IT environment. Where things get challenging is the cloud service provider does not secure the applications deployed on their infrastructure. Most IT organizations understand the shared responsibility model conceptually, but they often lack the tools and processes required to live up to their end of the cloud cybersecurity bargain.
At the same time, very few cybersecurity teams have yet come to appreciate how the nature of the applications being deployed in the cloud is radically changing. Modern cloud-native applications based on microservices and containers need to be secure in a fundamentally different way than a monolithic application running on top of a virtual machine. Simply trying to lift and shift the same cybersecurity policies, processes, and products from an on-premises environment to a public cloud is a recipe for potential disaster, especially when application code starts to be updated several times a week.Survey: The number of organizations citing concerns over data breaches potentially involving the personnel of their public cloud service provider has dropped from 53 percent in 2017 to 44 percent this year. Click To Tweet
It’s always difficult to get people to focus on tactics and strategy in the middle of a firefight. But unless organizations take the time to appreciate how fundamentally different IT environments have become, the chances are high whatever cybersecurity strategy that gets put in place will be fundamentally flawed in some way. The good news is the potential to make this the best of cybersecurity times is high. The bad news is the potential to make this the worst of cybersecurity times is just as high.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.