More organizations are moving their critical applications, customer data, and development work to public cloud environments. One reason for hopping onto the cloud is to offload some of the tasks involved in managing applications and data, including security risks. But many businesses are making a mistake by expecting their cloud vendors to take on all or most of the responsibility for security, says a report released Wednesday by CyberArk.
In its Global Advanced Threat Landscape 2019 Report, CyberArk found that more organizations are moving critical data to the cloud. Some 49% of the respondents said they put SaaS-based business-critical applications into the public cloud. These applications include customer-facing and revenue-generating applications, ERP, CRM, and financial management software. Some 45% said they use the cloud to house customer data that’s subject to regulatory oversight. And 39% use the cloud for internal development, including DevOps.
More than one third (36%) of the respondents said the number one benefit for moving assets to the cloud is to offload security risk. But 36% also said they believe the burden of risk concerning information security rests entirely or in part in the hands of the cloud vendor. And therein lies the problem.
As CyberArk points out, the Amazon Web Services Shared Responsibility Model states that “customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.” Microsoft takes a similar approach with Azure, as described in its Shared Responsibilities for Cloud Computing paper, which explains the security controls in place and where a customer’s responsibilities begin and end. Google is of a similar mind for its cloud platform, detailing who’s responsible for what in its Customer Responsibility Matrix.
Though many organizations have moved to the cloud to try to enhance security, 94% of the respondents have reported some type of security vulnerability in their use of the public cloud. A full 46% (up from 24% last year) identified their greatest security vulnerability as insiders, partners, and contractors with privileged access. Some 46% also pointed to unauthorized access to the cloud management consoles as a security risk. And 44% cited the use of the same credentials for multiple instances.
The results also reveal issues over privileged access to cloud-based data. Some 62% of the respondents said they’re unaware that credentials, secrets, and privileged accounts exist in IaaS and PaaS environments. Further, only 49% said they currently have a privileged access security strategy for their cloud infrastructure.
“The risks caused by a lack of clarity about who is responsible for security in the cloud is compounded by an overall failure by organizations to secure privileged access in these environments,” Adam Bosnian, executive vice president of global business development for CyberArk, said in a press release. “Despite the often sensitive and highly regulated data being stored in the cloud, it was surprising to see that less than half of organizations don’t have a strategy in place for securing privileges in the cloud, a finding that remains unchanged since our last report.”
Many organizations are aware of the flaw in relying too much on a cloud vendor’s security model. Some 37% said they rely on the cloud vendor’s built-in security and believe this is sufficient protection. But 38% who said they depend on the vendor’s security admitted that it is not enough protection. Only 22% revealed that they use a mix of the cloud vendor’s security and a third-party security solution.
Many businesses are trying to focus more on security for their cloud-based assets. Some 28% of the respondents said they’re currently investing in cloud security, while 52% said they’re currently investing in it and planning to boost that investment this year.