Do internal auditors know what's in their organization's cloud? There's probably more to it than they or their IT security colleagues realize, according to volume one of Symantec Corp.'s 2019 Cloud Security Threat Report.
Dependence on the cloud is growing, the report notes. More than half of the 1,250 security decision-makers who responded to the global survey say their organizations have moved their computing workload to the cloud. And 93% say their organizations store data in multiple environments, distributed relatively evenly among private cloud, public cloud, on-premises, and hybrid cloud setups.
That complexity is making it hard for organizations to keep track of how much data they are storing in the cloud — and where. On average, respondents say their organizations' employees are using 452 cloud applications. However, Symantec estimates that organizations actually have an average of 1,807 shadow IT apps.
And if organizations can't see their cloud apps and data, they can't secure them. More than half of respondents say their organization's cloud security practices aren't keeping pace with the proliferation of cloud apps.
"The [security] gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud," says Nico Popp, senior vice president, Cloud and Information Protection, at Mountain View, Calif.-based Symantec.
Popp says the cloud, itself, isn't increasing the problem with data breaches. A bigger problem is immature security practices, which nearly three-fourths of respondents blame for at least one cloud security incident in their organizations. More than 80% say their organizations lack processes to respond to cloud security incidents successfully. Just one in 10 say their organizations can analyze cloud traffic effectively.
Cloud security is a capacity problem, as well. More than 90% say their IT security teams can't keep up with all the cloud workloads in their organizations. Most don't have the cloud security manpower to deal with all alerts — organizations respond to just one-fourth of alerts, respondents say. In addition, 93% say their organizations need to enhance cloud security skills.
The report notes a third culprit: risky employee behavior such as using personal accounts and having weak passwords. This behavior sets the stage for attacks using "camouflaged" files or aimed at taking over user accounts. Another behavior problem is oversharing of data. Respondents estimate that one-third of files in the cloud shouldn't be there.
The Symantec report lists several threats to cloud systems, including a recent trend of cross-cloud and malware injection attacks. Still, unauthorized access accounts for nearly two-thirds of cloud security incidents. "Digging deeper, companies are underestimating the scale and complexity of cloud attacks," the report notes.
For example, only 7% of respondents say account takeover is among their biggest cloud risks, yet Symantec says its data reveals that 42% of risky behavior can be attributed to a compromised cloud account.
Respondents say they know criminals are taking advantage. Nearly 70% say they have found evidence that their organization's data has been for sale on the Dark Web.
Despite looming threats, organizations can act to ensure a better forecast for their cloud operations. These actions include:
- Developing a cloud governance strategy to enforce security policies across on-premises and cloud environments.
- Adopting a "zero-trust" model that protects all data and implements controls at all points of access.
- Promoting shared responsibility encompassing not only the cloud provider and IT security department, but also executives and all employees.
- Leveraging automation and artificial intelligence to analyze potential threats and respond to incidents.
- Moving to a DevSecOps approach in which security practices are embedded into all application development.
With cloud reliance expanding and business processes becoming digitized, organizations "need to re-evaluate their actual versus perceived risks," the report advises. To address these risks, the report recommends complementing technology solutions by adopting security best practices "at the human level" to confront cloud threats.
To learn more, read Internal Auditor's August issue cover story, "Security in the Cloud."