The cloud gets in your eyes

Driven by the inexorable push crush towards digital transformation, investment in cloud services has snowballed in recent years. Yet as businesses increasingly move sensitive data and processes to public and private clouds, the need to support the migration with secure processes and technologies is creating problematic drag.

Cloud’s pre-eminence in corporate IT strategy goes without saying these days. The recent Solarwinds IT Trends Report, for one, found that an overwhelming 94 percent majority of Australian IT professionals believe that cloud and hybrid IT are most critical to their IT organisation’s technology strategy today.

Even long-term sceptics are giving in and embracing the cloud, with cloud providers playing an increasing role in enabling what Solarwinds calls “frictionless consumption of services” by even offering assistance to organisations without their own in-house cloud skills.

The industry-wide push towards the cloud is working: among companies that are working in the cloud, an average of 27 cloud applications are in use, according to the recent Ponemon Institute-Gemalto 2018 Global Cloud Data Security Study of 3621 IT and IT security practitioners worldwide. Within two years, that survey found, businesses will be running an average of 51 percent of all IT and data processing requirements in the cloud.

Despite the enthusiasm for cloud services, security-related business controls are far less mature. Just 47 percent of respondents said their organisations were being proactive about addressing regulatory issues in the cloud, while only 46 percent said they have defined roles and accountability for safeguarding sensitive information in the cloud.

That’s hardly a resounding vote of confidence in the protection of cloud-stored data, given that 59 percent of companies are storing customer information in the cloud, 47 percent are storing consumer data, 39 percent are storing payment information, and 38 percent are storing employee records.

Increasing cloud, increasing risk

This functional immaturity is leaving cloud-stored data at risk at a dangerous time, what with this year’s notifiable data breach (NDB) and EU general data protection regulation (GDPR) increasing the pressure on businesses to make sure they can manage their data’s exposure to the cloud services on which they are storing it.

Fully 88 percent of Ponemon-Gemalto survey respondents said that GDPR would require changes in cloud governance. Unsurprisingly, security has increased in importance for businesses evaluating cloud solutions: 26 percent named it their most important criterion when choosing a cloud solution in 2017, up from 12 percent two years earlier.

Much of this concern stems from the broad understanding that cloud security is harder to achieve than conventional security. Not only did 71 percent of respondents agree with this contention, but the same percentage agreed back in 2015. This suggests that, despite enthusiasm for the cloud and the efforts of countless vendors and cloud suppliers, customers still feel the cloud-security challenge is not being completely met.

Cloud suppliers have moved assertively in recent months to dispel this perception – largely through a doubling-down of onshore investments designed to allay concerns that cloud data is being shunted out of the control – and reach – of its owners.

Microsoft, for its part, recently announced that many of its Office 365 and Azure cloud platform services had been added to the Commonwealth government’s Certified Cloud Services List (CCSL) with accreditation to store PROTECTED level government data. Microsoft joins cloud service providers (CSPs) Dimension Data, Macquarie Government, Sliced Tech, and Vault Systems all of which are able to target serious government and commercial clients with the authority that high-level certification provides.

Yet certification of cloud platforms is only one step of the journey towards cloud security. Overlying applications may leverage those security capabilities – CommandHub’s HubDrop file-sharing solution, for example, is built on top of Vault Systems’ CCSL-certified cloud platform – but businesses adopting piecemeal cloud solutions face a bigger challenge in the form of visibility.

Meeting the visibility imperative

Despite years of progress, few companies believe they know all the cloud applications in use within their environment. Just 25 percent of respondents to the Ponemon-Gemalto said they were very confident of this, while 43 percent said they were not confident.

The implications of this lack of visibility are significant, since it’s hard to justify allowing data to be pushed onto external cloud solutions if there’s no way to manage where it goes or who is accessing it. This higher degree of “observability”, Solarwinds’ analysis noted, remains a major challenge for cloud adoption and its resolution requires a combination of metrics, logs, and application traces.

“This degree of monitoring with discipline must carry forward the same level of granularity and source of truth that has existed in on-premises for decades,” the authors wrote, noting the need for correlation of multiple events across multiple systems.

“The key part of this process is establishing a baseline of observability within their hybrid IT environments across the entirety of their cloud-based applications.”

Yet with 84 percent of respondents to cloud access security broker (CASB) vendor BitGlass’s Cloud Hard Security Report 2018, admitting that traditional security solutions don’t work or have limited functionality in the cloud, closing the visibility gap necessarily requires a completely different approach.

Only 44 percent of respondents to that survey said they have visibility into external sharing of data and violations of data loss prevention (DLP) policies, while 58 percent can monitor file downloads and just 15 percent said they can see anomalous behaviour across apps.

Improving these numbers will require a concerted effort by cloud adopters to not only identify and implement suitable cloud solutions, but to ensure they work with CASB and other cloud-security vendors to integrate those solutions into their broader portfolios of cloud and data-protection solutions.

This includes increasing endpoint security, using one of a number of methods to monitor data flowing to known and unknown mobile devices as well as restricting access as appropriate. It also includes drawing on any of a wide variety of cloud-based email, traffic and malware scanning tools that can be easily integrated into operational environments.

Ever-improving functionality is helping cloud platforms continue to assert their utility for the world’s businesses, but security managers need to make sure they are given primacy in the discussion about how to plan and execute that cloud strategy. Cloud’s momentum has already produced a raft of unmanaged conduits for sensitive corporate data, and it is only with a concerted effort to improve management that they can be brought under control – and kept there.