Insider mistakes cast shadow over cloud security
20 March 2018
By Matt Middleton-Leal, GM EMEA, Netwrix Corporation
More and more organizations are ready to commit sensitive customer data to the cloud. Even the National Health Service (NHS) in the UK has been granted permission to use cloud services more widely for patient data. In spite of the optimism, the threat from insider mistakes remains very real.
To give a recent example, 119,000 personal documents were exposed at FedEx following an internal admin error within an AWS S3 server. Fresh survey evidence suggests organizations would be wise to heed the warning. The majority of businesses still lack the ability to adequately monitor user behavior in the cloud.
Enterprise cloud services are entering the mainstream. The benefits of cloud applications, including flexibility, scalability and lower running costs, are well known, and the majority of enterprises already have some element of cloud within their IT environment.
To date, organizations have been reluctant to entrust sensitive customer information to the cloud. Instead, they prefer to maintain a hybrid infrastructure whereby data with low-level security is shared in the cloud while sensitive information stays within the network perimeter.
But the signs are that this is changing.
The UK’s largest health provider, the NHS, has received official permission to offshore more of its patient data to Privacy Shield-approved cloud providers.
Guidelines require NHS and social care providers to conduct their own risk assessments for offshoring before they outsource any data storage to the cloud. They must also put in place measures to mitigate any risks they find.
Data breaches like the one at FedEx are fairly typical of the cloud challenges facing enterprises. In general, the risks have nothing to do with cloud providers, for whom data security is an essential part of the business model. It’s more likely a breach will happen because the customer makes a mistake.
Gartner has predicted that customers will be responsible for 95% of security failures in the cloud through 2020. Fresh data from the Netwrix 2018 Cloud Security Report supports this, citing employee mistakes or misbehavior as the root cause of 58% of cloud security breaches in 2017.
Top cloud concerns are unauthorized data access (69%) and malware infiltrations (50%). Another important factor, cited by 39% of respondents, is the inability to monitor employee activity in the cloud.
More than half of security incidents in the cloud are caused by insiders. The cause may be malicious – such as when an employee tries to take data with them when they leave – or unintended, such as when an insider unwittingly acts as a catalyst for an external attack such as ransomware hidden in a phishing email.
Fewer than a third of organizations (28%) have proper visibility into what their IT personnel are doing. Even fewer are able to track the activity of their business users, contractors and cloud providers. If a data breach occurs, the default position is to blame IT staff instead of trying to pinpoint the source.
Cloud providers offer a rich set of security controls. AWS from Amazon, for example, has 1,800 to choose from. In spite of this, overall faith in cloud security has fallen. The number of IT pros willing to say cloud has improved overall security dropped to 32% from 41% in 2016. Conversely, the proportion of those saying cloud adoption had worsened security overall rose to 27% from 11%.
Security strategies for the cloud require different skills from on-premise. IT departments pursuing cloud strategies have requested additional budget to recruit professionals with the right skill sets. According to the study, two-thirds (66%) of IT departments are happy with the amount of senior management support they receive to reach these goals.
This still leaves a third of companies that must make do with lower-cost measures. Just over half of these (55%) give employees regular cyber security training to ensure they are kept up to date with the latest scams and social engineering techniques.
Another popular measure (53%) is to toughen up security policies. Standardizing how employees handle sensitive data does reduce the risk of mistakes but cannot eliminate them completely. Furthermore, the policies need to be continually reviewed and updated to keep them in line with changes in the threat landscape.
In summary, more and more enterprises are ready to entrust confidential customer data to the cloud. Cloud providers offer some of the best data security protection available.
When problems surface, it’s usually a sign the customer is relying too heavily on insiders for security best practice. Cloud strategies require a different set of skills from on-premise, yet many IT departments are not given the resources to recruit the right people.
Instead, some companies are taking the riskier option of asking ordinary employees to stick to security policies at all times. A third of organizations do not have senior management buy-in and lack visibility into what their staff are doing.
So long as enterprises continue to settle for lower-cost, non-automated approaches to cloud security, it will always be a case of when, not if, a data breach will happen.
Netwrix provides a visibility platform for data security and risk mitigation that allows organizations to see and control exactly what’s going on in on-premise, cloud and hybrid IT environments.