
Cloud makes data breaches increasingly likely and costly

  • Posted on: June 17, 2014
  • Posted in: Cloud Computing, Industry News, Vulnerabilities & Exploits
  • Posted by: Trend Micro

Data breaches have always been a risk organizations have had to deal with. One disgruntled employee, or even something as simple as an unsecured file cabinet, can compromise sensitive assets and result in extensive financial, reputational and legal damage to the firm.

Cybercriminals have many attack surfaces to choose from as IT evolves
That said, the increasing centrality of IT to all facets of organizational operations has only amplified the frequency and severity of such incidents. Troves of information can now be lifted simply by exploiting a flaw in a Web platform such as Adobe Flash, obtaining and using legitimate logins or finding a soft spot in the supply chain. Prominent incidents from recent years have featured:

  • Target’s point-of-sale systems being breached last winter via cybercriminals’ exploitation of an HVAC contractor, which had remote access to Target infrastructure.
  • LinkedIn losing more than 6 million unsalted passwords in 2012 after its network was broken into.
  • Information on 74,000 current and former Coca-Cola employees leaking because several laptops were stolen and raided.

The causes of these breaches run the gamut from inadequate physical security of PCs to corporate network vulnerabilities, illustrating the scope of the challenge that technology-enabled enterprises now face in staving off attacks. On top of that, the ongoing integration of cloud computing into IT systems only complicates cybersecurity efforts, even as the cloud introduces new functionality that streamlines IT processes and costs.

IDC has estimated that cloud-related technologies will account for 90 percent of spending on Internet and communications assets over the next six years. Despite its rapid ascent, the cloud continues to be a foremost security concern for most organizations.

How the cloud enables data breaches
Why is the cloud so closely associated with the risk of data breaches? Fundamentally, using a cloud-based service, whether something largely consumer-facing such as Dropbox, a professional tool such as Adobe Creative Cloud or an enterprise automation platform, takes at least some control away from the IT department and vests it in a third-party provider.

“There’s no more debate,” Rajat Bhargava, co-founder at JumpCloud, told The New York Times. “When you don’t own the network, it’s open to the rest of the world, and you don’t control the layers of the stack, the cloud – by definition – is more insecure than storing data on-premises.”

Companies are also increasingly at the mercy of employees who endanger sensitive data through the use of cloud applications and workflows lacking in common security mechanisms. For example, the 2014 “Trends in Cloud Encryption” study from the Ponemon Institute found that while virtually all respondents planned to move company information into the cloud, their methodologies were sloppy:

  • 59 percent reported that data at rest on infrastructure- and platform-as-a-service solutions was stored in clear text. The figure was 45 percent for software-as-a-service.
  • 26 percent of IaaS/PaaS data and 39 percent of SaaS data was encrypted, with other data security mechanisms covering 15 and 16 percent of application information, respectively.
  • 19 percent of respondents saw SaaS security as a responsibility shared by the customer and provider. The picture was different for IaaS/PaaS, with only 22 percent seeing security as a task solely for the provider; these parts of the cloud, if they are secured at all, are protected by the service subscriber.

As these findings demonstrate, when organizations have to take responsibility for cloud security, many do not go far enough. Clear text data all but invites surveillance, and if stolen it becomes instantly exploitable. With this in mind, it’s no surprise that the cloud can significantly heighten the risk of a multimillion-dollar breach.

Using the cloud may up the chances of a costly breach
A separate Ponemon Institute report, commissioned by Netskope, discerned a “cloud multiplier effect,” in which exposure to security incidents rises as organizations utilize additional cloud-based services. Basically, for every 1 percent increase in cloud utilization, the probability of a data breach rises 3 percent.

“Imagine then if the probability of that data breach were to triple simply because you increased your use of the cloud,” said Sanjay Beri, CEO and founder of Netskope, in a statement. “That’s what enterprise IT folks are coming to grips with, and they’ve started to recognize the need to align their security programs to account for it.”

The study, “Data Breach: The Cloud Multiplier Effect,” surveyed 613 IT and security professionals. It found that part of the cloud’s effects on data breach probability could be due to IT’s low estimate of how many and what type of cloud services are in use at the organization. While respondents asserted that 45 percent of the software at their firms was in the cloud, half of those applications are not visible to IT.

Such a scenario, commonly labeled shadow IT, threatens to degrade the value of cloud implementations at many companies. Without sufficient oversight of how users are interacting with cloud applications and what data they are handling, many risks emerge:

  • IT loses control of business-critical applications in the cloud, 36 percent of which it can’t see, understand or secure.
  • Cloud services are not thoroughly screened for weaknesses, according to 62 percent of Netskope’s respondents.
  • 69 percent reported that their organizations failed to perform due diligence on what type of data is too sensitive to move to the cloud.
  • Service-level agreements between providers and customers are often vague, with little to define how the security burden is distributed. More than 70 percent of Netskope’s respondents feared that their providers would not immediately notify them in the event of a breach.

Based on the Ponemon Institute’s estimates of the cost of a compromised record ($201.18 apiece), a cloud breach of 100,000 documents would cost roughly $20 million, so the stakes are high for finding a way to better assess data security requirements and implement adequate procedures for data storage and transfer. Focusing on incident response, forensics and monitoring can get organizations on the right track to getting more value from cloud platforms through comprehensive security.
