IT security has for a long time been cited as a prime reason not to put any sensitive data or valuable workloads into the public cloud. However, recently it is safe to say that this situation has changed. In fact, the CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud found that the vast majority (94 per cent) of the 1,000 global organisations surveyed used cloud services in some way, shape or form. Specifically, organisations often deploy cloud services to support their digital transformation initiatives.
The public cloud is also not simply deployed for low-value data or unimportant assets. Rather, it usually hosts sensitive data and applications. For instance, nearly half of the respondents are using SaaS-based business critical applications and a similar percentage use the public cloud for regulated customer data.
So far, not that surprising.
The security responsibility
Yet what is surprising is that the survey revealed there existed a significant contrast between what organisations see as the major benefit derived from their use of cloud, as opposed to their understanding of who was accountable for cloud security.
The prime benefit that the organisations surveyed hoped to see from their usage of cloud was the ability to offload security to the cloud vendor, either completely or in part. This result is potentially alarming, to say the least. Cloud vendors take responsibility for certain aspects of security when companies use their services, but they are very clear about where their clients must step in and assume accountability.
Protecting customer data remains the responsibility of the client and cannot be passed on entirely or even in part to the cloud vendor. As more and more cloud-native companies are entering the market, being in the cloud will soon be a business imperative, and those who don’t adopt it will be left behind. This creates a race to the cloud that leaves many companies putting the security question second – when it should actually be at the core of their cloud adoption strategy.
On top of this, the survey highlighted that three quarters of respondents, perhaps blindly, entrust the security of their cloud workloads completely to the cloud vendor. At the same time, half this number realise that this will not provide them with broad protection – and yet, they do it anyway. At this point, it is obvious that the shared security responsibility model, which is clearly communicated by major cloud vendors, is either not well-understood, or simply being completely ignored by many organisations.
What happens to privileged credentials?
The report looked further into how privileged credentials are protected in the cloud and whether the high-value privileged credentials that give access to the most sensitive cloud-based data and assets were being properly secured.
Worryingly, the survey showed that the risks caused by a lack of clarity about who is responsible for security in the cloud was compounded by an overall failure by organisations to secure privileged access in these environments. Despite the often sensitive and highly regulated data being stored in the cloud, it is surprising to see that less than half of global organisations don’t have a strategy in place for securing privileges in the cloud.
This is not, however, the only issue organisations face with privileged credentials. Most of them also battle with a widespread lack of awareness about the existence of privileged accounts, secrets and credentials in IaaS and PaaS environments, as well as the lack of a strategy to secure them. With less than half of all respondents to the survey reporting having a privileged security plan for the cloud, the findings indicate that organisations could be placing themselves – and their customers’ data – at significant risk.
A concerning example of this lack of privileged security strategy for the cloud is the recent data breach that affected IT and cloud solution provider PCM earlier this year. In this scenario, hackers gained access to critical data with stolen PCM administrative credentials used to manage client accounts within Microsoft’s Office 365. This highlights the issue of giving trusted third-party vendors access to the most sensitive data and crown jewels, even when cloud vendors do not have the capacity to protect these assets themselves – and communicate this to organisations. As competition increases in the cloud vendor space, many players try and increase competitivity through cutting down on security costs, meaning organisations just cannot afford to leave their entire cloud security strategy to vendors – not to mention giving them access to privileged accounts. – Read more
