As more companies move to cloud services, the cloud has overtaken databases and file servers as the top risk for storing sensitive information, and privileged users were identified as an enormous threat to their organizations, according to the responses of IT decision makers in a new survey.
Sponsored by enterprise data security provider Vormetric and conducted by Harris and Ovum, the new Insider Threat Report examines the real and imagined risks of sensitive data breaches, based on responses from 818 IT decision makers worldwide (408 in the US) in fall 2014.
Managers See Risks in Cloud and Big Data Adoption
The poll found that 46 percent of IT decision makers in the US see cloud computing as a top risk (meanwhile, 60 percent of them keep sensitive data in the cloud), and that privileged access to data in the cloud can be devastating.
Big data environments are seen as the top risk by 31 percent of respondents, which is more than the 29 percent that saw file servers as the top risk for sensitive data. Big data projects often involve sensitive or even classified data, yet are typically run off-premise on cloud-based services which provide the right processing speed and economics.
Enterprise IT is concerned about the overlap between big data and sensitive data, with their top concerns being: the residence of sensitive information anywhere in the environment (41 percent), the security of reports which include sensitive data (37 percent), the lack of security frameworks and controls (34 percent), and privileged user access to protected data (32 percent).
“The cloud and big data survey results demonstrate that there is both hope and fear when it comes to cloud and big data technologies,” said report author and Ovum lead analyst Andrew Kellett. “This fear can lead to slow implementation of these platforms, which stymies innovation and growth. But, there are steps enterprises can take and changes providers can make that will increase adoption. For example, more than half of global respondents would be more willing to use cloud services if the provider offers data encryption with key access control.”
The survey found that countries embracing the cloud, like the US, have higher levels of concern over cloud data breaches, reasoning that doing more research around the dangers of the cloud leads organizations to be more worried. Japan and Germany, which are more conservative when it comes to technology adoption, had low cloud adoption and a correspondingly low concern over the dangers of putting sensitive data on the cloud.
German organizations, in particular, considered themselves safer than those in any other geographic region despite high-profile data breaches such as last year’s attack on Vodafone Germany, in which an attacker with insider knowledge stole the personal data of two million customers.
User privilege is therefore a huge concern, although only 56 percent of organizations polled monitor and audit privileged user activities, and only 58 percent have technology in place that lets them control privileged users. Ovum concludes that user groups should have access to no more corporate data than they need to fulfil their specific roles, and that this access should be monitored.
Across the board, data residency and the trustworthiness of cloud providers are also of great concern, with 82 percent of those polled concerned about lack of control over the location of data, and 78 percent worried that cloud providers will abuse their user privileges.
Perimeter-based Security Isn’t Enough
On one level, firewalls protect a security perimeter, making them an important aspect of security. But it’s more difficult to find a perimeter in cloud services that span corporate IT and unmanaged end-point devices such as tablets and smartphones. These services tend to be more fluid than traditional IT based on on-premise data centers, where a security perimeter is more easily defined. This makes it crucial to take additional steps to protect the data itself – which is what attackers want.
As Charles Goldberg, senior director of product marketing at Vormetric, told the WHIR, “This means controlling access to [data] at a low level, securing it through encryption or tokenization to obscure data, and then also keeping the keys and methods of translating tokens secure. That’s often where things break down.”
He notes that this is basically what happened weeks ago when Uber had its encrypted data stolen when it left the security key out in the open.
According to Vormetric product management VP Derek Tumulak, the best solution in the cloud era is to focus on creating data-centric controls and solutions where controls are as close to the data as possible. “Even if you have a managed device come onto the network, if it’s able to escalate privileges and become an administrator of sorts, when it tries to grab data, the important thing is to have the actual data itself under lock and key so to speak and that’s the case no matter where the data exists – whether it moves onto an end-point or onto a cloud.”
Breaches of Sensitive Data Pose Real Threats
Organizations are looking for cloud services that can give them a better chance of avoiding dangerous and costly data breaches, according to Tumulak.
“If you look five years ago, a lot of security goals were driven by compliance… in the last 18 months, one of the big trends has been an increasing number of data breaches, and people are actually looking for security solutions and controls that essentially prevent data breaches.” It’s not about ticking off a checkbox; it’s a legitimate concern about someone stealing their data.
Respondents to the survey said their enterprise would be more willing to go with a cloud service provider that provides: encryption of data with enterprise key control on their premises (55 percent of respondents), encryption of their organization’s data within the service provider’s infrastructure (52 percent), service level commitments and liability terms for a data breach (52 percent) and explicit security descriptions and compliance commitment (48 percent).
To bolster their security features, Vormetric has partnered with several cloud providers such as Amazon Web Services, CenturyLink, FireHost, Google Cloud Platform, Microsoft Azure, Rackspace and Virtustream.
Goldberg notes that corporate IT approaches the security of sensitive data on the cloud with a “healthy paranoia”, yet the move to a cloud solution can often be an opportunity to patch security holes that may have existed before. “As companies move to the cloud, they’re looking at protecting their data more aggressively than they have been in their own on-premise data centers,” he said.
While the cloud presents new and unique threats, it also gives organizations a needed push to reassess some of their failings when it comes to securing their sensitive data.