​The Ever-expanding Cloud

A new report finds that most organizations doubt their security measures can keep up with the growth of the cloud.

Comments Views

​Do internal auditors know what's in their organization's cloud? There's probably more to it than they or their IT security colleagues realize, according to volume one of Symantec Corp.'s 2019 Cloud Security Threat Report.

Dependence on the cloud is growing, the report notes. More than half of the 1,250 security decision-makers who responded to the global survey say their organizations have moved their computing workload to the cloud. And 93% say their organizations store data in multiple environments, distributed relatively evenly among private cloud, public cloud, on-premises, and hybrid cloud setups.

That complexity is making it hard for organizations to keep track of how much data they are storing in the cloud — and where. On average, respondents say their organizations' employees are using 452 cloud applications. However, Symantec estimates that organizations actually have an average of 1,807 shadow IT apps.

And if organizations can't see their cloud apps and data, they can't secure them. More than half of respondents say their organization's cloud security practices aren't keeping pace with the proliferation of cloud apps.

"The [security] gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud," says Nico Popp, senior vice president, Cloud and Information Protection, at Mountain View, Calif.-based Symantec.

Security Challenged

Popp says the cloud, itself, isn't increasing the problem with data breaches. A bigger problem is immature security practices, which nearly three-fourths of respondents blame for at least one cloud security incident in their organizations. More than 80% say their organizations lack processes to respond to cloud security incidents successfully. Just one in 10 say their organizations can analyze cloud traffic effectively.

Cloud security is a capacity problem, as well. More than 90% say their IT security teams can't keep up with all the cloud workloads in their organizations. Most don't have the cloud security manpower to deal with all alerts — organizations respond to just one-fourth of alerts, respondents say. In addition, 93% say their organizations need to enhance cloud security skills.

The report notes a third culprit: risky employee behavior such as using personal accounts and having weak passwords. This behavior sets the stage for attacks using "camouflaged" files or aimed at taking over user accounts. Another behavior problem is oversharing of data. Respondents estimate that one-third of files in the cloud shouldn't be there.

Threat Watch

The Symantec report lists several threats to cloud systems, including a recent trend of cross-cloud and malware injection attacks. Still, unauthorized access accounts for nearly two-thirds of cloud security incidents. "Digging deeper, companies are underestimating the scale and complexity of cloud attacks," the report notes.

For example, only 7% of respondents say account takeover is among their biggest cloud risks, yet Symantec says its data reveals that 42% of risky behavior can be attributed to a compromised cloud account.

Respondents say they know criminals are taking advantage. Nearly 70% say they have found evidence that their organization's data has been for sale on the Dark Web.

Clearing Skies

Despite looming threats, organizations can act to ensure a better forecast for their cloud operations. These actions include:

  • Developing a cloud governance strategy to enforce security policies across on-premises and cloud environments.
  • Adopting a "zero-trust" model that protects all data and implements controls at all points of access.
  • Promoting shared responsibility encompassing not only the cloud provider and IT security department, but also executives and all employees.
  • Leveraging automation and artificial intelligence to analyze potential threats and respond to incidents.
  • Moving to a DevSecOps approach in which security practices are embedded into all application development.

With cloud reliance expanding and business processes becoming digitized, organizations "need to re-evaluate their actual versus perceived risks," the report advises. To address these risks, the report recommends complementing technology solutions by adopting security best practices "at the human level" to confront cloud threats.

To learn more, read Internal Auditor's August issue cover story, "Security in the Cloud."

Tim McCollum
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Tim McCollumTim McCollum<p>​​​​Tim McCollum is <em>Internal Auditor</em> magazine's associate managing editor.​​</p>https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx


Comment on this article

comments powered by Disqus
  • PwC-October-2021-Premium-1
  • FastPath-October-2021-Premium-2
  • AuditBoard-October-2021-Premium-3



Stopwatch Auditinghttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Stopwatch-Auditing.aspxStopwatch Auditing
Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
Hidden Goalshttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Hidden-Goals.aspxHidden Goals
Building a Better Auditor: Which Way Should I Go?https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Which-Way-Should-I-Go.aspxBuilding a Better Auditor: Which Way Should I Go?