Cloud Security Fears Rise: How To Reinforce Control

Lane Leskela

Companies are investing in cloud computing infrastructure for familiar and well-established reasons, including improved data scalability, higher resource availability, ease of user training, ease of use, business continuity, and IT cost reduction.

Cloud security breaches are growing

As organizations across the world continue to invest in cloud resources, cloud-related security incidents and breaches continue to escalate. From the middle of 2017 through the middle of 2018, 18% of organizations polled experienced at least one cloud security incident. This is double the number reported in the 12 months from the middle of 2016 to the middle of 2017, according to the most recent report published by Cybersecurity Insiders.

Along with the rise in the number of incidents, concern over cloud security is increasing. According to the Cybersecurity Insiders report, 91% of security professionals polled said they are worried about their ability to detect and deter breaches in their cloud environments. This is up 10 percentage points from the previous year’s poll, when 81% of respondents reported such concerns, and reverses a downward trend on this question over the previous four years.

These findings are included in Crowd Research Partners’ 2018 Cloud Security Report. This report is based on a comprehensive annual online survey of 570 cybersecurity professionals, including CISOs, security analysts, and IT managers. As the latest report shows, fears over security that have hindered cloud adoption in the past are still in play.

Security challenges abound

Organizations face a range of issues as they come to rely more heavily on cloud infrastructure for their technology resources. Among other lessons, companies have learned that their legacy security tools have limited capabilities in the cloud. Encryption of data at rest (used by 64% of respondents) and of data in motion (54%) top the list of the most commonly used cloud security technologies, followed by Security Information and Event Management (SIEM) platforms (52%).

Only 16% of organizations surveyed believe traditional data-protection tools can manage security across their cloud platforms, down 6 percentage points from the 2017 survey. Most security professionals (84%) say legacy solutions either do not function in cloud environments or provide only limited functionality there.

The leading security challenges named by these organizations are “visibility into infrastructure security” (43% of respondents) and “compliance” (38%). Respondent companies struggle to establish consistent security policies across cloud and on-premises environments (35%) and are concerned that cloud security is falling behind the pace of change in applications (also 35%).

Most respondents said that “misconfiguration of cloud platforms” is a key threat to cloud security (62% of those surveyed), followed by “unauthorized access” due to the misuse of employee credentials and improper access control (at 55%), and insecure interfaces/APIs (at 50%). Fifty percent of respondents said they use their cloud provider’s security tools and 35% deploy third-party security software to ensure that cloud security controls are in place.

The top data security challenges in the cloud environment, according to survey respondents, were as follows:

  1. Protecting against data loss and leakage—67%
  2. Threats to data privacy—61%
  3. Breaches of confidentiality—53%

A new hope

Despite the concerns regarding cloud security, the 2018 Cloud Security Report revealed some positive indicators around security education. For a second consecutive year, “training and certification of existing IT staff” ranked as the most popular method (among 56% of respondents) of serving growing security needs. As technology changes and threats evolve in the cloud, updating related internal skills is critical.

Organizations surveyed also understand that continued investment in security is necessary, as nearly half of them (49%) expect their cloud security budgets to increase in the foreseeable future. The median expected increase in the security budget is 22% (year-on-year).

The overall finding of this year’s survey is that, as cloud investments grow, more effort must go into securing these rapidly expanding environments if the threats are to be contained.

Cloud security standards

One way to structure that effort is an integrated cloud security compliance framework built on several international standards, including:

ISO 9001 Quality Management System is a standard based on several quality-management principles, including a strong customer focus, the engagement and leadership of top management, and a process-based approach to continuous improvement.

ISO/IEC 27001 Information Security Management System is the best-known security standard in the ISO family, providing a holistic, risk-based approach to security and a comprehensive, measurable set of information security management practices.

ISO 22301 Business Continuity Management System is the international standard for business continuity management, designed to protect business operations from disruptions such as extreme weather, fire, flood, other natural disasters, theft, IT outages, staff illness, and terror attacks.

BS 10012 Personal Information Management System covers areas such as employee security-awareness training, risk assessment, data retention and disposal, and establishes the policies and procedures needed to manage individuals’ personal information effectively.

ISO/IEC 20000 Service Management is the international standard for IT service management. It provides measurable requirements aligned with the IT Infrastructure Library (ITIL) best-practice framework and draws on elements of other frameworks such as Control Objectives for Information and Related Technologies (COBIT).

Service organization control reports

Service organization control (SOC) reports provide assurance and insight into the design and operating effectiveness of the internal controls implemented within cloud delivery units. They are produced by independent auditors under recognized attestation standards rather than by the provider itself.

SOC 1 Reports: The SOC 1 report follows the SSAE 16 (superseded by SSAE 18 in 2017) and ISAE 3402 standards on attestation engagements and covers controls relevant to financial reporting. A type I report describes the design of the audited controls at a point in time; a type II report also tests their operating effectiveness over a period.

SOC 2 Reports: The SOC 2 report follows the ISAE 3000 and AT 101 attestation standards and is based on the AICPA’s trust services principles (security, availability, processing integrity, confidentiality, and privacy). As with SOC 1, a type I report describes the design of the audited controls and a type II report also tests their operating effectiveness over a period.

SOC 3 Reports: The SOC 3 report is a short-form, general-use report that summarizes the scope and results of the corresponding SOC 2 audit without the detailed control descriptions and test results.

Learn more

This article originally appeared on the SAP Analytics blog and is republished by permission.


About Lane Leskela

Lane Leskela, global business development director, Finance and Risk, for SAP, is an accomplished enterprise software leader with years of experience in customer advisory, marketing, market research, and business development. He is an expert in risk and compliance management software functions, solution road maps, implementation strategy, and channel partner management.