IT security was long cited as a prime reason not to put sensitive data or valuable workloads into the public cloud. That situation has now changed. The CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud found that the vast majority (94 per cent) of the 1,000 global organisations surveyed use cloud services in some form, typically to support their digital transformation initiatives.
Nor is the public cloud reserved for low-value data or unimportant assets. It usually hosts sensitive data and applications: nearly half of the respondents run business-critical applications as SaaS, and a similar proportion keep regulated customer data in the public cloud.
So far, not that surprising.
The security responsibility
What is surprising is the gap the survey revealed between the main benefit organisations expect from the cloud and their understanding of who is accountable for securing it.
The prime benefit the organisations surveyed hoped to gain from the cloud was the ability to offload security to the cloud vendor, either completely or in part. That result is alarming. Cloud vendors do take responsibility for certain aspects of security (the physical infrastructure, the hypervisor and the managed services themselves), but they are very clear about where their customers must step in and assume accountability for what they deploy and who they let in.
Accountability for protecting customer data stays with the client. Vendor controls can support it, but it cannot be transferred, wholly or in part, to the cloud vendor. As more cloud-native companies enter the market, being in the cloud is fast becoming a business imperative, and those who do not adopt it will be left behind. The resulting race to the cloud leaves many companies treating security as an afterthought, when it should be at the core of their cloud adoption strategy.
On top of this, the survey showed that three quarters of respondents entrust the security of their cloud workloads completely to the cloud vendor. Half this number acknowledge that this will not give them comprehensive protection, yet they do it anyway. The shared responsibility model, which the major cloud vendors document clearly, is evidently either poorly understood or simply ignored by many organisations.
What happens to privileged credentials?
The report also examined whether the privileged credentials that grant access to the most sensitive cloud-based data and assets are being properly secured.
Worryingly, the risk created by unclear ownership of cloud security is compounded by a general failure to secure privileged access in these environments. Despite the sensitive and highly regulated data stored in the cloud, fewer than half of the organisations surveyed have a strategy in place for securing privileges there.
That is not the only problem. Most organisations also lack awareness that privileged accounts, secrets and credentials exist at all in their IaaS and PaaS environments (service accounts, API keys, deployment tokens, embedded application secrets), let alone a strategy for securing them. With fewer than half of respondents reporting a privileged security plan for the cloud, the findings indicate that organisations could be placing themselves, and their customers' data, at significant risk.
A concerning example of what happens without such a strategy is the data breach that hit IT and cloud solution provider PCM earlier this year. Attackers obtained PCM administrative credentials used to manage client accounts in Microsoft's Office 365 and used them to reach critical client data. From the platform's point of view, a stolen administrative credential is a legitimate administrator, so the cloud vendor cannot protect the data from its misuse; the vendors say as much in their shared responsibility documentation. The incident highlights the risk of granting trusted third-party vendors privileged access to the crown jewels. As competition in the cloud vendor space intensifies, many players try to stay competitive by cutting security costs, so organisations cannot afford to leave their entire cloud security strategy to vendors, still less hand them the keys to privileged accounts.
Keeping up with the threat landscape
So why do companies keep placing responsibility for security on cloud vendors rather than addressing it themselves? Companies face many distractions, including cloud migration and scalability issues, but the root cause is often a security culture that has not kept pace with the threat landscape. A security culture has to be nurtured to become sustainable; when it is, security changes from a one-time event into a lifecycle that keeps delivering returns.
Without the right security culture and controls in place, business and IT stakeholders who delegate security put their applications and organisations at risk. Business-critical applications are the engine that keeps a firm running. Cloud and SaaS adoption requires a shift in thinking, because these key applications are now delivered or accessed from elsewhere, but advantages such as lower development costs and better scalability must not distract from keeping security front and centre. Organisations busy with their digital transformation strategies are failing to protect the costly investments that run their enterprises and keep customers coming back.
As cloud-based infrastructure becomes mainstream, it is essential to understand the associated security vulnerabilities and how best to secure company data and the applications that house and manage it. Those considerations cannot be left to cloud vendors alone, especially when the vendors themselves make clear that the responsibility is shared. It is time for organisations to take back ownership of their cloud security strategies.
David Higgins, EMEA Technical Director, CyberArk