Despite the average company using 1,427 cloud services to upload an average of 18.5 TB of data to cloud applications each month, less than 9 percent of cloud providers are taking the strict data security and privacy steps recommended for a modern enterprise, according to Skyhigh Networks. Companies specifically struggle with securing employee behavior, accurately detecting threats and enforcing cloud governance.
Securing the new systems of record
Now that companies trust enterprise cloud service providers with corporate data as much – if not more – than on-premises applications, they are faced with securing cloud-based systems-of-record in applications like Salesforce and ServiceNow. Nearly one-fifth of all documents in file sharing and collaboration apps contain sensitive data indicative of critical business operations.
Cloud facilitates sharing with business partners, but 9.3 percent of files shared externally contain sensitive data. Five percent of all files are accessible by anyone with a link and 6.2 percent are shared with personal email addresses, indicating companies have not updated security policies to address the sharing capabilities of the cloud.
Threats turned inside out
The wide acceptance of cloud applications for critical business use has information security teams worried about what data leaves the cloud rather than focusing only on detecting incoming threats. The average company experiences 23.2 cloud-related security incidents each month, more than half of which originate from malicious or negligent insiders.
Employees generate on average 2.7 billion cloud activity events per month leading to 2,542 anomalous events. However, just 23.2 turn out to be threats – a 110:1 ratio from anomalies to actual threats. Security teams widely report inaccurate breach notifications, resulting in alert fatigue and missed incidents, most notably documented in the 2013 Target security breach. 57.5 percent of companies experienced a threat involving a privileged user, an especially dangerous category of incident given the wide access of application administrators.
Swiss cheese governance
Fewer than one-in-10 cloud services encrypt data at rest and a similarly small percentage commit to not sharing customer data with third parties. A majority of companies claim to have cloud governance policies around acceptable use for cloud services.
Despite their best efforts to enforce these policies, usage data shows companies frequently fail to effectively block high-risk services. For example, companies intend to block high-risk file sharing service Mega 54 percent of the time, but only successfully block it in 32.8 percent of instances.
Calm before the IaaS storm
While the first wave of enterprise cloud adoption centered around SaaS, including cloud versions of legacy software like Office 365, an equal if not larger migration will occur when custom applications leave corporate data centers for the public cloud. It is no secret that Amazon Web Services is the market leader in IaaS with 35.8 percent of the market, but Microsoft has significantly closed the gap with Azure and currently possesses 29.5 percent market share.
Meanwhile, Google Cloud Platform combined with other niche providers collectively make up 34.7 percent of new application deployments – not to mention PaaS services like Force.com. Clearly enterprises will need to take a vendor-agnostic approach to the impending IaaS and PaaS security challenges.