Businesses across the globe are accelerating their shift to the cloud. Infrastructure is more agile and distributed in the cloud, enabling customers and hybrid workforces to access data from anywhere. A “cloud-first” strategy is driving dramatic increases in multi-cloud adoption. Alongside the benefits of using multiple cloud platforms, security challenges have increased for business executives and security professionals alike.
Regulations and Laws Drive Cloud Security
An important driver for protecting data and services in the cloud is regulatory compliance. Australia’s Privacy Act 1988 includes provisions to promote and safeguard the privacy rights of Australian citizens. The Privacy Act outlines 13 Privacy Principles that regulate how Australian government agencies and businesses handle personal information. As the Act evolves, the latest draft calls for:
“the maximum penalty of AU$2.1 million for serious or repeated breaches of privacy will increase to not more than the greater of AU$10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of the entity’s annual Australian turnover.”
Compliance with these security and privacy requirements is the sole responsibility of the business, whether the data is stored on-premises or in the cloud. While the responsibility for protecting data stored on-premises is easily understood, many companies do not understand the shared responsibility concept of cloud security.
According to this concept, cloud service providers (CSPs) are responsible for managing the security and availability of the cloud infrastructure, while businesses are responsible for the security and protection of their own data, services, and applications in the cloud. Unwitting disregard of this principle will leave all these resources open to a growing number of vulnerabilities and threats.
Preventive Security is the Best Security to Harden Your Cloud Presence
To harden the protection of data in the cloud and to safeguard cloud-first initiatives, organisations are investing resources into building preventive security. The 2022 Thales Cloud Security Study indicates that cloud-first organisations prioritise the deployment of the following as the most effective ways to reduce cloud risks:
- Data at rest encryption.
- Cryptographic key management.
- Remote access management, including multi-factor authentication (MFA).
- Zero Trust architecture.
However, the same survey notes that the large number of organisations directing money towards a great variety of tools reflects the complexity of addressing the diverse set of risks in the cloud.
Cloud Complexity and Skills Shortage Increase the Chances of a Data Breach
Complexity is a key challenge when securing workloads in the cloud. The Cloud Security Study highlights that 51% of organisations agree that it is more difficult to manage privacy and data protection in a multi-cloud environment than on-premises.
Complexity is exacerbated by the skills shortage. According to the (ISC)² 2022 Cloud Security Report:
- 93% of organisations are moderately to extremely concerned about the shortage of qualified professionals.
- Having the right skills to deploy and manage a security solution across all cloud environments is the biggest challenge for 61% of the organisations.
- The lack of qualified staff is the biggest operational headache when trying to protect cloud workloads.
As a result of these challenges, cloud data breaches have become commonplace. The findings of the Thales Cloud Security Study are compelling:
- 45% of respondents said they have experienced a data breach in the cloud, up from 40% in 2021.
- 32% of respondents had to issue a breach notification to a government agency or body, customers, partners, or employees.
Among the tactics that criminals use to breach data, ransomware is the number one threat. Verizon’s 2022 Data Breach Investigations Report (DBIR) indicates that ransomware attacks increased by 13% within 2021, an increase as big as the last five years combined. To break into organisations, attackers follow three main paths: compromised credentials, phishing campaigns, and exploited vulnerabilities. However, while ransomware tends to hold headline attention, cloud storage misconfigurations are responsible for 13% of all breaches, and human error is involved in 82% of security incidents.
Businesses Need to Invest in Continuity and Recovery
It seems clear that relying on prevention controls alone is not enough for cloud-first businesses. There is no bulletproof solution, and a layered security practice with resilient response methods is sound advice.
When data breaches do happen, the time taken to detect and recover from the incident is critical. The Verizon DBIR 2022 indicates that almost 70% of the breached organisations detected the attackers within days or less. This is extremely encouraging, as just a few years ago, the dwell time of malicious actors within a network was more than 9 months. However, while that percentage looks promising, it must be tempered by the awareness that another 25% still required months or more to detect a problem.
Ignorance and late response times are the biggest enemies of business continuity. Hence, businesses need to have robust and tested recovery solutions in place to minimise impact and protect the organisation’s data and systems if an attack happens. Preventive security can prevent most breaches, but certainly not all of them. While you cannot stop all cyberattacks, you can minimise the impact of a successful cyber incident.
Preventive controls must be accompanied by incident response and business continuity plans. Recovery solutions, such as immutable backups, allow organisations to effectively protect the integrity and availability of their data and systems in the event of a successful breach. Besides remediating various attacks, backup and disaster recovery solutions help prevent costly downtime even if a natural disaster, hardware issue, or other failure event impacts your business.
“To avoid the worst-case scenario, having a plan in place that includes verified, tested, and secure backups that can be restored quickly is key to dealing with ransomware attacks. Your backup infrastructure is part of your overall cyber resilience and can be the final option for getting back to, or staying in, business,” stresses Edwin Weijdema, Global Technologist at Veeam.
The transition to the cloud is deceptively attractive to many organisations. Scalability, flexibility, and the promise of infinite uptime make the cloud hard to resist. However, it is wise to enter this realm with clear goals and a clear understanding of the security responsibilities of each participant.
Are You Looking for a Trusted Partner?
Somerville offers a robust portfolio of services and solutions to help you protect your data in the cloud. Download our whitepaper to discover how to achieve cyber resilience in the face of the evolving threat landscape.