Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/3/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Multicloud Businesses Face Higher Breach Risk

A new report finds 52% of multicloud environments have suffered a breach within the past year, compared with 24% of hybrid cloud users.

More than half of firms running multicloud environments have been hit with a data breach in the past year, compared with 24% of hybrid cloud organizations and 24% of single-cloud users.

To gain a better understanding of how the public and private sectors are engaging with the $325 billion cloud market, researchers with Nominet polled 274 CISOs, CTOs, CIOs, and other professionals responsible for cybersecurity in large organizations across the US and UK. While 61% believe the risk of a breach is the same or lower in the cloud compared with on-prem environments, it seems there is a link between the number of clouds used and risk of attack.

The majority (71%) of respondents use software-as-a-service (SaaS) and 60% use infrastructure-as-a-service (IaaS). Fewer have moved to platform-as-a-service (PaaS) or business-process-as-a-service (BPaaS). Nearly half (48%) report their organizations uses a multicloud approach, and 24% use hybrid cloud. Only 29% of respondents use cloud services from one provider. Google Cloud was the most popular (56%), followed by IBM (49%), Oracle (44%), Microsoft Azure (36%), and AWS (32%).

Businesses using a multicloud approach are both more likely to have experienced a breach and more likely to have suffered multiple breaches: Sixty-nine percent of multicloud businesses report 11 to 30 breaches, compared with 19% of single-cloud organizations and 13% of hybrid cloud users.

Nominet vice president Stuart Reed points to a "tipping point" in terms of cloud adoption as more businesses consider the potential risks involved. Still, 69% remain moderately, very, or extremely worried about cloud security. Most fear cybercriminal sophistication and customer data exposure; other trepidations relate to increased attack surface, Internet of Things devices, and visibility.

These concerns no longer block cloud adoption as organizations recognize the cloud's potential to drive growth. "I think a lot of major SaaS applications are finding their way into enterprises as a matter of course now," he says. "We're beyond the point of people 'dipping their toe' in." Organizations are beyond using one cloud; now, more of them use at least two – if not more.

"There is a huge amount of choice out there in the market, from a cloud perspective," Reed says. "Organizations, generally speaking, have varied requirements depending on the project [they're] doing." A cloud service that works for one project may not work for another, for example, or have different geographical requirements. Companies' solution is to use several.

The higher likelihood of a breach for multicloud businesses has less to do with the security of each provider and more to do with heightened complexity. Each new cloud service increases the number of touch points onto a network, expanding opportunities for an attacker to get in.

"The traditional view of the network is becoming increasingly dissolved," he continues. "The network becomes broader, wider, and more significant. The need to be able to have a good level of visibility across that is highly important."

Navigating the Complexity of Cloud
For businesses working to secure existing multicloud environments, or those considering an additional cloud provider, Reed advises taking inventory of where assets reside and understanding the full breadth of the clouds. Knowing the implications of where data passes through and how it reaches other parts of the network or the Internet is important to achieve the level of visibility and understand what normal behavior looks like in the organization.

Nearly two-thirds of respondents (63%) already outsource cloud security to managed service providers, Nominet found. For organizations considering outsourcing, Reed emphasizes the importance of asking the right questions. Understand what they are able to offer and the security processes and procedures in place. This creates clarity between the supplier and organization in terms of what should happen when a breach is identified and how to mitigate it.

"It's the same level of diligence they need to apply to any supplier," he says.

Most (57%) respondents expect their cloud security budgets to increase, researchers found; the only industries where it's expected to lower are pharmaceuticals and hospitality. Budget increases could signify a more security-conscious organization, they report, or a response to an incident. Respondents are likely to believe cloud security budgets are increasing if their organization had been hit with a cyberattack in the 12 months prior.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: 'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5530
PUBLISHED: 2020-02-18
Cross-site request forgery (CSRF) vulnerability in Easy Property Listings versions prior to 3.4 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2020-1842
PUBLISHED: 2020-02-18
Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Succe...
CVE-2020-8010
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
CVE-2020-8011
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
CVE-2020-8012
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.