What cloud security challenges do IT leaders need to address?
As cloud computing evolves and new issues emerge, which of these cloud security threats are at the top of the CIO’s agenda, and how can they be solved?
1. The growing risk of cloud account hijacking
Our cloud security research found that account hijacking is the biggest cloud security challenge facing organizations (45%). Cloud services bring large numbers of user accounts across the enterprise, creating potentially thousands of individual weak points. CIOs need to instill strong password and privacy practices in the business from day one of onboarding, reinforced by regular strong password changes and training to spot and avoid phishing attacks and other methods that hackers use to gain entry to a business.
Once an account is compromised, hackers can create further backdoors, download key files and extend their reach into the company. Every business needs policy and compliance management services, workload security and intrusion detection tools to keep the hackers at bay should an account be hijacked.
2. The boom in cloud data breaches
The threat of data breaches doesn’t just concern businesses - the World Economic Forum lists data theft and cyberattacks as the fourth and fifth biggest threats to the entire planet. Furthermore, our research found that 41.5% of senior IT professionals ranked data breaches as their second biggest threat. With all that’s going on in the world, the CIO must face both sets of challenges and protect the company from the massive risk of a data breach.
As firms adopt the cloud for their productivity and data processing tasks, the risk of a breach grows with the volume of attacks from common cloud security threats. Some leaders, especially among smaller firms, think it’s up to their cloud provider to ensure security. However, the onus remains on the firm, just as it did in the traditional on-premises days, when a firewall and antivirus software were top of the security charts.
Data breaches are a daily occurrence with only the major events hitting the headlines. Most recently, Air India’s breach that exposed 4.5 million customer records made global headlines and left those customers feeling exposed and betrayed. While your firm’s footprint may not be as dramatic, it remains a target due to the indiscriminate nature of hackers’ automated tools.
To defend against cloud data breaches, CIOs need multilayered defenses. These include ensuring high-level security and safeguarding for all vital data by:
- Controlling access to only key employees
- Ensuring multi-factor authentication (MFA) is in use
- Making sure all security tools are up to date
- Following data governance rules for your market/region
- Securely archiving or destroying old data
- Training staff in data handling and sharing
3. Weak control planes
With 34% of businesses concerned about weak control planes, it’s vital that IT leaders address this. When adopting cloud infrastructure and services, many providers can give a false sense of security through their easy sign-ups, flashy dashboards and grand security promises. In reality, most are running on very lean budgets and provide the bare minimum in security, or include quality tools only in the premium service tiers. After all, data security is ultimately the user’s responsibility.
A weak cloud control plane is one where the cloud provider fails to deliver sufficient security for basic business needs. This can include allowing weak passwords, or making it very easy to change passwords or create new accounts without suitable security, such as two-factor authentication.
When considering cloud providers, CIOs need to examine the security element of the service and either choose strong security over the most competitive price or ensure third-party security tools can be integrated into the service to deliver a strong control plane. Tools like cloud access security brokers (CASB) are being increasingly used in an intermediary role between users and cloud service providers to defend corporate data and monitor user actions.
4. The risk of insider threats and users taking control
There are also many threats to the cloud from within the business, with 39% of IT security professionals reporting that they’re concerned about unauthorized access/insider threats. Given the choice, users may choose the weakest possible passwords. They might log on while working in cafes or airports through weakly protected or fraudulent access points, and disenfranchised workers might take the opportunity to abuse cloud services.
The US Department of Homeland Security has a detailed assessment of insider threats. CIOs are responsible for developing the tools that can identify insider risks early, or the early actions insiders might take, using forensic software and defensive tools. They must ensure that the business is just as focused on insider risk as it is on external factors, and be prepared with a reaction plan should such an event take place.
5. Control of data sovereignty and residence
As well as the malicious threat to data, there’s also the risk of it falling into the wrong hands across territories. Just under half (49.5%) of IT professionals cite data sovereignty/residency/control as a key concern. Many regulated firms like banks must keep their data located within a specific nation or region. Generalist firms might also want to take that approach to ensure their business data doesn’t end up overseas.
When data does travel, the transfer needs to be covered by adequate decision-making processes and appropriate safeguards, as required by the EU GDPR. This requires research on where cloud providers store data and ensuring that measures like data encryption or tokenization are employed to protect it.
As cloud deployments grow, the complexity increases and CIOs need to get on top of advanced issues and complex services. The CIO role is often augmented by a CISO to focus on security, but a smart and adaptive approach to security is key across the whole IT security team to manage the current threats and prepare for the next ones.