Main Cloud Security Concerns
Many organizations have decided to move sensitive data and important applications to the cloud, but concerns about how they can protect it there abound.
Data Loss/Leakage
Cloud-based environments make it easy to share the data stored within them. These environments are accessible directly from the public Internet and include the ability to share data easily with other parties via direct email invitations or by sharing a public link to the data.
The ease of data sharing in the cloud – while a major asset and key to collaboration in the cloud – creates serious concerns regarding data loss or leakage. In fact, two-third (2/3) of organizations point to this as their greatest cloud security concern. Data sharing using public links or setting a cloud-based repository to public makes it accessible to anyone with knowledge of the link, and tools exist specifically for searching the Internet for these unsecured cloud deployments.
Data Privacy/Confidentiality
Data privacy and confidentiality is a major concern for many organizations. Data protection regulations like the Singapore Personal Data Protection Act (PDPA), EU’s General Data Protection Regulation (GDPR) and many more mandate the protection of customer data and impose strict penalties for security failures. Additionally, organizations have a large amount of internal data that is essential to maintaining competitive advantage.
Placing this data on the cloud has its advantages but also has created major security concerns for 66% of organizations. Many organizations have adopted cloud computing but lack the knowledge to ensure that they and their employees are using it securely. As a result, sensitive data is at risk of exposure – as demonstrated by a massive number of cloud data breaches.
Accidental Exposure of Credentials
Phishers commonly use cloud applications and environments as a pretext in their phishing attacks. With the growing use of cloud-based email (Microsoft 365, G-Suite, etc.) and document sharing services (OneDrive, Google Drive, Dropbox), employees have become accustomed to receiving emails with links that might ask them to confirm their account credentials before gaining access to a particular document or website.
This makes it easy for cybercriminals to learn an employee’s credentials for cloud services. As a result, accidental exposure of cloud credentials is a major concern for two-fifth (2/5) of organizations since it potentially compromises the privacy and security of their cloud-based data and other resources.
Incident Response
Many organizations have strategies in place for responding to internal cybersecurity incidents. Since the organization owns all their internal network infrastructure and security personnel are on-site, it is possible to lock down the incident. Additionally, this ownership of their infrastructure means that the company likely has the visibility necessary to identify the scope of the incident and perform the appropriate remediation actions.
With cloud-based infrastructure, a company only has partial visibility and ownership of their infrastructure, making traditional processes and security tools ineffective. As a result, two-fifth (2/5) of companies are concerned about their ability to perform incident response effectively in the cloud.
Legal and Regulatory Compliance
Data protection regulations require organizations to demonstrate that they limit access to the protected information (credit card data, healthcare patient records, etc.) https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act . This could require creating a physically or logically isolated part of the organization’s network that is only accessible to employees with a legitimate need to access this data.
When moving data protected by these and similar regulations to the cloud, achieving and demonstrating regulatory compliance can be more difficult. With a cloud deployment, organizations only have visibility and control into some of the layers of their infrastructure. As a result, legal and regulatory compliance is considered a major cloud security issue by two-fifth (2/5) of organizations and requires specialized cloud compliance solutions.
Data Sovereignty/Residence/Control
Most cloud providers have several geographically distributed data centers. This helps to improve the accessibility and performance of cloud-based resources and makes it easier for CSPs to ensure that they can maintain service level agreements in the face of business-disrupting events such as natural disasters, power outages, etc.
Organizations storing their data in the cloud often have no idea where their data is stored within a CSP’s array of data centers. This creates major concerns around data sovereignty, residence, and control for two-fifth (2/5) of organizations. With data protection regulations such as the PDPA limiting where Singapore citizens data can be sent, the use of a cloud platform with data centers outside of the approved areas could place an organization in a state of regulatory non-compliance. Additionally, different jurisdictions have different laws regarding access to data for law enforcement and national security, which can impact the data privacy and security of an organization’s customers.
Protecting the Cloud
The cloud provides several advantages to organizations; however, it also comes with its own security threats and concerns. Cloud-based infrastructure is very different from an on-premises data center, and traditional security tools and strategies are not always able to secure it effectively. For more information about leading cloud security issues and threats, welcome to contact us.