
Encryption needs to be a bigger part of cloud security

  • Posted on: May 10, 2014
  • Posted in: Cloud Computing, Cloud Security, Compliance & Regulations, Current News, Encryption, Industry News, Internet Safety, Private Cloud, Public Cloud, Virtualization, Vulnerabilities & Exploits
  • Posted by: Trend Micro

Many organizations are gradually setting aside their reservations about cloud security and storing more company data to the cloud. This move may confer numerous benefits to them, including reduced overhead in the management of on-premises storage, as well as overall reductions in IT costs. In addition, having larger stores of information in the cloud enables new opportunities for business engagement and communication across mobile devices.

An April 2014 Research and Markets report estimated that large enterprises would spend nearly $50 billion on cloud services for infrastructure, platforms and software by 2018. Similarly, surging demand for high-quality mobile applications – ones that leverage the cloud to do more than simply repackage websites or provide watered-down experiences – may drive the mobile engagement market past $32 billion by 2018.

This growing affinity for cloud computing isn't without its drawbacks, though. Just because companies are increasingly comfortable with having some assets in remote storage doesn't mean that they have been freed from risk. On the contrary, key vulnerabilities may be going overlooked as IT departments around the world profoundly change how they deliver and manage services. Encryption in particular, already a prime cybersecurity issue in light of newly discovered issues with OpenSSL and revelations about the U.S. National Security Agency, has taken a backseat in cloud security.

Companies keeping more data in public cloud, despite risks
Storing data in a public cloud is fast becoming the norm for businesses, despite the pitfalls. A recent Ponemon Institute and Thales e-Security study, which surveyed more than 4,000 companies and IT managers around the world, found that 53 percent of them now put sensitive information in the cloud, up from 49 percent in 2011.

Respondents had mixed attitudes about how the cloud was influencing their respective organizations' security postures. Approximately half believed that more extensive use of the cloud would have little effect on cybersecurity, yet it is worth noting that those who expected a negative impact outnumbered those who foresaw positive changes by two to one (34 percent to 17 percent).

What types of risks do companies court when they rely more heavily on the cloud? For starters, they cede some degree of control to cloud service providers, which in many cases obfuscate their security responsibilities in service level agreements. Last year, Gartner reported that most buyers of commercial software-as-a-service solutions were unhappy with their SLAs and that 80 percent of them would remain so through 2015, due to issues such as ill-defined recovery policies and lack of regular third-party auditing.

More specifically, there's the possibility that security oversights can lead to mishandling or improper dissemination of data. Dropbox recently disabled the use of old sharing links after sensitive documents such as tax returns and mortgage applications were discovered via Google AdWords campaigns. Searching for particular queries could return the full URLs for associated files kept on the service, permitting access via a loophole that doesn't require users to authenticate themselves.

Surprising amounts of data in cloud storage are not protected by encryption
The Dropbox exploit (which also affects popular consumer and enterprise platforms such as Box) underscores how much data is readily available and unencrypted in cloud storage. The Ponemon/Thales survey examined this issue in depth, finding that slightly less than 40 percent of SaaS users encrypt data at rest. There were similar figures for how many of them encrypted their assets before sending them to the cloud.

"You would think that a higher percent of companies would have data encryption or a similar form of protection, because it does present a risk," stated Larry Ponemon, lead author on the study and founder of the Ponemon Institute. "Especially if the data sent to them is confidential, as we found."

Key management was a primary impediment to the adoption of encryption. Organizations are also struggling to determine where sensitive data resides and how to best protect it. Essentially, while companies have many incentives to implement encryption – many of the survey's respondents cited customer privacy and prevention of data breaches as leading drivers of their approaches to cybersecurity – they may be getting bogged down in technical aspects.

Still, there is good news amid this lagging adoption of encryption. The number of companies with an encryption strategy, while low at just 35 percent of the Ponemon/Thales respondents, rose between 2013 and 2014. Plus, the motivations for using encryption are changing, with organizations now more concerned about blunting the fallout of data breaches than preventing reputational damage.

This shift is promising, since many incidents are still the result of improperly secured assets, such as unencrypted laptops, which facilitated the theft of sensitive information on roughly 74,000 individuals from Coca-Cola in early 2014. Moreover, companies are discovering that reducing exposure to data breaches and preserving reputation are often the same thing – just look at the holiday season attacks on Target and Neiman Marcus, both of which capitalized on weak security to damage those retailers' brands.

Cloud storage is just one area of many to address when implementing comprehensive cybersecurity. As businesses change the way they do IT and work with an increasing range of partners and service providers, it will be critical for all parties to push for encryption by default. That way, they can be sure that critical data is not hung out to dry as assets are moved off premises and into the cloud.

"Encryption by default in the cloud is rarely a bad idea, and most of the major cloud providers have been making what hay they can out of professing to encrypt everything at rest," wrote InfoWorld's Serdar Yegulalp. "But the trick is to provide it in such a way that end-users can confirm encryption is taking place and can't easily be defeated on the cloud provider's side. Even if encryption isn't employed unilaterally by cloud customers and uptake for same remains modest, they'll scarcely be indifferent to the option to become that much more secure – and to control the parameters for that security."
