Cloud

4/16/2018
10:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Large Majority of Businesses Store Sensitive Data in Cloud Despite Lack of Trust

Researchers report 97% of survey respondents use some type of cloud service but continue to navigate issues around visibility and control.

RSA CONFERENCE 2018 – San Francisco – Businesses relying on public cloud storage aren't entirely sure their data will be safe there, researchers at McAfee report. Eighty-three percent of companies surveyed store sensitive data in the public cloud, but only 69% trust the cloud will keep their information secure.

Results of the survey, which polled 1,400 IT professionals on cloud adoption and security, showed 97% of respondents are using some type of cloud service but continue to navigate issues around visibility and control. Some are moving to the cloud slowly, held back by poor visibility; others are moving ahead despite the risk of security issues.

Personal customer information is the most common form of cloud-based sensitive data, 61% of organizations report. About 40% use the cloud to store at least one of the following data types: internal documentation, payment card data, personal staff information or government identification. About 30% keep intellectual property, healthcare records, competitive intelligence, and network pass cards in the public cloud.

Survey results show once it's in the cloud, this information is at risk. One in four organizations using infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) has had their data stolen. One in five has been hit with an advanced attack against their public cloud infrastructure.

McAfee researchers discovered an overall decline in the "cloud-first" mentality, with only 65% of respondents reporting a cloud-first strategy compared with 82% one year ago. This drop can be attributed to two factors, says Vittorio Viarengo, vice president of marketing for McAfee's Cloud Business Unit. The first is a growing awareness of the responsibility that comes with storing data in the public cloud.

"Customers are realizing they're still on the hook to provide security for some of the things that happen in the cloud," he explains. They're learning, for example, service providers don't ensure their logins are properly set up, or the security risks of remote employees using cloud services. They're learning what they're responsible for when they use IaaS platforms versus SaaS.

The second is an acceptance that they don't immediately need to move everything to the public cloud, an option especially appealing to institutions like the government, which is one of many industries that's still skeptical of the cloud, says Viarengo.

"They are realizing the hybrid cloud and private cloud they've been building for years, are going to be around for a long time," he says. If an organization has invested twenty years in on-prem processes, it might be easier to keep running them on-prem than move them into the cloud.

The combination of public and private cloud is the most common architecture, with 59% of respondents stating they use hybrid cloud. The larger the business, the more likely it is to go hybrid: in organizations with up to 1,000 employees, 54% relied on hybrid cloud; in enterprises with more than 5,000 employees, 65% use it.

As the cloud becomes more popular, security teams should be looking outside their organization's perimeter and rethinking their security models. Tasks IT used to do will be replaced as cloud continues to grow and businesses lose control over the networks, devices, and applications storing their data. Cloud-focused IT teams don't have the same visibility as they did with on-prem environments.

"User preference is in the cloud," Viarengo points out. "And in the cloud, you don't own anything but you're still on the hook for security … [organizations] need to ascertain visibility and control over enterprise data when they don't own the back end."

Companies leading the charge in cloud adoption are most concerned about visibility, which lets them adopt cloud sooner, and improved controls. Those who prioritize visibility are more likely to have a relaxed approach to shadow IT, researchers found. They view it not as something to shut down, but instead a sign of how the workplace will operate in the future.

Viarengo emphasizes three steps for companies to take when moving data and processes to the cloud. The first of these is to classify information. "As data is uploaded or created in the cloud, you need a mechanism to know what's inside it," he says, noting that the cloud holds credit card information, corporate secrets, patent data, or healthcare data, you'll need to know how to secure it.

Next up: define the policy, and what's acceptable and unacceptable as far as your company is concerned. Is it ok to share data that has confidential information? If so, with whom can that information be shared? Can people access confidential data from their personal devices?

His third recommendation is to "track everything that goes on." Know which users can access which applications, and from which locations and devices they access them. You'll be able to establish patterns for each user and, when something happens, you can go back and conduct forensics on the information you collected. If someone normally accesses data from Palo Alto, and ten minutes later they access the same data from China, it's a red flag.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Rocky7000
50%
50%
Rocky7000,
User Rank: Apprentice
4/18/2018 | 11:51:12 AM
Cloud computing
Cloud computing is a booming system in the area of technology, and many businesses organizations are saving their data in the cloud storage. Most of the industries also do not trust in the cloud computing but they are storing data in that. iPhone Support also uses cloud computing to store and save their data.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.
CVE-2018-14331
PUBLISHED: 2018-07-17
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
CVE-2018-14333
PUBLISHED: 2018-07-17
TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has ...
CVE-2018-14334
PUBLISHED: 2018-07-17
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766.