As many as 75 percent of global organisations are relying on public cloud providers not only to store all of their data, but also to secure such data from external access, even though the responsibility of securing such data rests both on organisations as well as cloud providers.
This was revealed by CyberArk's latest Global Advanced Threat Landscape Report 2019 which noted that a vast majority of organisations believe that by storing business-critical applications and consumer data on cloud servers, they can shift their responsibility of securing such data completely to public cloud providers.
Enterprises expecting cloud providers to manage cyber security
As far as organisations based in the UK are concerned, CyberArk found that 70% of them are relying completely on built-in security offered by cloud providers, 41% are storing customer data in the public cloud, 39% are storing business-critical applications such as ERP, CRM or financial management applications in the public cloud, and 37% are conducting DevOps using the public cloud.
The fact that organisations are storing critical applications and consumer data in the public cloud without taking steps to secure such data on their own poses a huge risk to the security of vast amounts of data stored in cloud servers.
What's more worrying is that 70% of organisations are relying completely on built-in security offered by cloud providers even though 51% of them are aware that built-in security offered by public cloud providers is not sufficient considering the existing threat environment.
Considering that the cost incurred to set up and maintain data centres is huge, almost all enterprises have adopted cloud storage as the latter is cheap to adopt and offers increased efficiency and ease of use. However, a majority of organisations have not invested much effort into understanding how cloud security works and what needs to be done to ensure data stored in cloud servers are kept secure at all times.
Lack of privileged access strategies could place sensitive data at risk
According to CyberArk's report, 67% of organisations based in the UK are not aware of the fact that IaaS and PaaS environments allow them to set up privileged accounts and credentials. 55% of them also do not have a privileged access security strategy in place for cloud infrastructure and workloads and this puts their data at risk of unauthorised access and misuse.
"The risks caused by a lack of clarity about who is responsible for security in the cloud is compounded by an overall failure by organisations to secure privileged access in these environments," said Adam Bosnian, executive vice president for global business development at CyberArk.
"Despite the often sensitive and highly regulated data being stored in the cloud, it was surprising to see that less than half of global organisations don’t have a strategy in place for securing privileges in the cloud, a finding that remains unchanged since our last report," he added.
The lack of a privileged access security strategy for cloud infrastructure could result in third-party vendors, contractors, and unauthorised insiders gaining access to confidential data stored in cloud servers as well as to cloud management consoles. Unsecured and unmanaged credentials could also be exploited by attackers to escalate privileges and gain elevated access within a cloud infrastructure.
Organisations have to introduce layered security with advanced protections
Considering that cloud data centre traffic is expected to represent 95 percent of total data centre traffic by 2021 as projected by Cisco's Global Cloud Index for the period 2016 to 2021, it is essential for organisations to not rely solely on built-in security offered by cloud providers but to introduce privileged access security strategies to ensure that enterprise and consumer data are as secure in the cloud as they are within secure IT environments.
"As the world continues to move towards SaaS cloud service models, flexibility, economies of scale and speed have become primary concerns for businesses. Yet too many businesses rely solely on the protection provided by SaaS or cloud app providers, many of which are simply not geared up to mitigate on-premise risks such as business continuity and data loss," said Dan Sloshberg, Director Product Marketing at Mimecast.
"Not all SaaS vendors are created equal and not all are able to provide the level of protection needed today – including the single layer of built-in security from Office 365 and Google. It is therefore essential that organisations carefully examine shortlisted SaaS vendors to ensure they have layered security with advanced protection in place to defend against targeted threats,' he added.
Insider mistakes cast shadow over cloud security
Cloud migration: critical lessons to be learnt from moving houses
CIOs worried about long-term security risks of cloud adoption