Businesses may be rapidly shifting from private cloud services to hybrids of private and public clouds, but many remain concerned about the security risks introduced by shadow IT, a lack of appropriate skills, and the ever-present risk of malware from cloud services.
Fully 51 percent of respondents to a recent Intel Security survey said they had definitively traced malware infections to a cloud-based software as a service (SaaS) application.
With around 40 percent of public-cloud services being procured outside of the control of IT – reflecting a continuing risk posed by shadow IT – most respondents were ambivalent about the growing role of public cloud services in their IT: fully 77 percent of respondents believe shadow IT is preventing them from keeping cloud deployments safe.
The figures confirm regular findings from surveys of security risks due to evolving platforms: a recent Forrester Research survey, for one, suggested that two-thirds of organisations had experienced a security breach in the last two years – and that those with robust identity and access management (IAM) practices were less likely to experience a breach.
Better IAM becomes complicated in cloud environments, but has become essential as growth in public-cloud adoption is reflected in surging adoption of hybrid-cloud services. The proportion of Australian organisations using hybrid cloud environments increased from 23 percent in 2015 to 42 percent last year, with a commensurate drop – from 44 percent to 25 percent – in the proportion of companies using private clouds exclusively.
“Australia is leading the charge in the global market when it comes to cloud services adoption,” Intel Security APAC vice president Daryush Ashjari told CSO Australia, noting figures that suggested more respondents now trust cloud security than distrust it. “This is fantastic in terms of agility, speed, and value; however, I think we mask the cybersecurity challenges that this infrastructure inherits.”
Those challenges were testing companies whose skill sets around cloud are relatively limited – particularly around authentication, which is critical to closing avenues for attack based on exploitation of user credentials. Fully 49 percent of respondents said they had slowed down cloud adoption due to a lack of appropriate cybersecurity skills.
The analysis also flagged “underutilisation” of cloud access security brokers (CASBs), encryption, and data loss prevention technologies, each of which offers ways of improving visibility of shadow-IT services and can more effectively stop data before it flows out of the organisation.
Recognising that the growing footprint of cloud services has amplified corporate security exposures, vendors have launched a variety of tools to help bring those vulnerabilities to light. Intel Security’s free McAfee Cloud Visibility, for one, provides a dashboard-based view of cloud usage, while Centrify this week debuted a Centrify Analytics Service that uses machine learning techniques to evaluate risk based on user behaviour.
Behaviour-based scoring is designed to help identify suspicious data usage patterns that may herald a looming security breach. “By tailoring security policy to each individual’s behaviour and automatically flagging risky behaviour, we’re helping IT professionals minimise the risk of being breached,” said Centrify chief product officer Bill Mann in a statement, “with immediate visibility into account risk, without poring over millions of log files and massive amounts of historical data.”
“Thanks to our broad set of enforcement points that include endpoints, applications and IT infrastructure, we can enforce risk-based policy in real time at the point of access. This means high-risk threats can be blocked while low-risk users get authorised access to apps, privileged credentials or privileged sessions.”