Data breaches have always been a risk organizations have had to deal with. One disgruntled employee, or even something as simple as an unsecured file cabinet, can compromise sensitive assets and result in extensive financial, reputational and legal damage to the firm.
Cybercriminals have many attacks surfaces to choose from as IT evolves
That said, the increasing centrality of IT to all facets of organizational operations has only amplified the frequency and severity of such incidents. Troves of information can now be lifted simply by exploiting a flaw in a Web platform such as Adobe Flash, obtaining and using legitimate logins or finding a soft spot in the supply chain. Prominent incidents from recent years have featured:
- Target’s point-of-sale systems being breached last winter via cybercriminals’ exploitation of an HVAC contractor, which had remote access to Target infrastructure.
- LinkedIn losing more than 6 million unsalted passwords in 2012 after its network was broken into.
- Information on 74,000 current and former Coca-Cola employees leaking because several laptops were stolen and raided.
The causes of these breaches run the gamut from inadequate physical security of PCs to corporate network vulnerabilities, illustrating the scope of the challenge that technology-enabled enterprises now face in staving off attacks. On top of that, the ongoing integration of cloud computing into IT systems only complicates cybersecurity efforts, even as the cloud introduces new functionality that streamlines IT processes and costs.
IDC has estimated that cloud-related technologies will account for 90 percent of spending on Internet and communications assets over the next six years. Despite its rapid ascent, the cloud continues to be a foremost security concern for most organizations.
How the cloud enables data breaches
Why is the cloud so closely associated with the risk of data breaches? Fundamentally, using a cloud-based service, whether something largely consumer-facing such as Dropbox, a professional tool such as Adobe Creative Cloud or an enterprise automation platform, takes at least some control away from the IT department and vests it in a third-party provider.
“There’s no more debate,” Rajat Bhargava, co-founder at JumpCloud, told The New York Times. “When you don’t own the network, it’s open to the rest of the world, and you don’t control the layers of the stack, the cloud – by definition – is more insecure than storing data on-premises.”
Companies are also increasingly at the mercy of employees who endanger sensitive data through the use of cloud applications and workflows lacking in common security mechanisms. For example, the 2014 “Trends in Cloud Encryption” study from the Ponemon Institute that while virtually all respondents planned to move company information into the cloud, their methodologies were sloppy:
- 59 percent reported that data at rest on infrastructure- and platform-as-a-service solutions was stored in clear text. The figure was 45 percent for software-as-a-service.
- 26 percent of IaaS/PaaS data and 39 percent of SaaS data was encrypted, with other data security mechanisms cover 15 and 16 percent of application information, respectively.
- 19 percent of respondents saw SaaS security as a responsibility shared by the customer and provider. The picture was different for IaaS/PaaS, with only 22 percent seeing security as a task solely for the provider; these parts of the cloud, if they are secured at all, are protected by the service subscriber.
As they findings demonstrate, when organizations have to take responsibility for cloud security, many do not go far enough. Clear text data all but invites surveillance, plus if stolen it would become instantly exploitable. With this in mind, it’s no surprise that the cloud can significantly heighten the risk of a multimillion dollar breach.
Using the cloud may up the chances of a costly breach
A separate Ponemon Institute report, commissioned by Netskope, discerned a “cloud multiplier effect,” governing rising exposure to security incidents as organizations utilized additional cloud-based services. Basically, for every 1 percent increase in cloud utilization, the probability of a data breach rises 3 percent.
“Imagine then if the probability of that data breach were to triple simply because you increased your use of the cloud,” said Sanjay Beri, CEO and founder of Netskope, in a statement. “That’s what enterprise IT folks are coming to grips with, and they’ve started to recognize the need to align their security programs to account for it.”
The study, “Data Breach: The Cloud Multiplier Effect,” surveyed 613 IT and security professionals. It found that part of the cloud’s effects on data breach probability could be due to IT’s low estimate of how many and what type of cloud services are in use at the organization. While respondents asserted that 45 percent of the software at their firms was in the cloud, half of those applications are not visible to IT.
Such a scenario, commonly labeled shadow IT, threatens to degrade the value of cloud implementations at many companies. Without sufficient oversight of how users are interacting with cloud applications and what data they are handling, many risks emerge:
- IT loses control of business-critical applications in the cloud, 36 percent of which it can’t see, understand or secure.
- Cloud services are not thoroughly screened for weaknesses, according to 62 percent of Netskope’s respondents.
- 69 percent reported that their organizations failed to perform due diligence on what type of data is too sensitive to move to the cloud.
- Service-level agreements between providers and customers are often vague, with little to define how the security burden is distributed. More than 70 percent of Netskope’s respondents feared that their providers would not immediately notify them in the event of a breach.
Based on the Ponemon Institute’s estimates of the cost of a compromised record ($201.18 apiece), a cloud breach of 100,000 documents would cost roughly $20 million, so the stakes are high for finding a way to better assess data security requirements and implement adequate procedures for data storage and transfer. Focusing on incident response, forensics and monitoring can get organizations on the right track to getting more value from cloud platforms through comprehensive security.