This blog is a continuation of our series looking at a new study, Cloud Data Security by TechTarget's Enterprise Strategy Group (ESG). The study looked at challenges of securing cloud data among 387 IT, cybersecurity, and DevOps professionals who evaluate, purchase, test, deploy, and operate hybrid cloud data security technology products and services at organizations in North America. Normalyze is a co-sponsor of this study. Read the full ESG report.
This blog summarizes key points for the survey's second major finding: Organizations Are Losing Cloud-resident Sensitive Data.
Organizations Are Losing Cloud-resident Sensitive Data
The rising use of cloud data stores in SaaS, IaaS, and PaaS environments has, not surprisingly, led to the loss of associated sensitive data from those locations. A majority of respondents to ESG's survey either know of or suspect the loss of such sensitive data. For organizations that aren't sure, the mist of uncertainty is due to either a lack of resident expertise or a lack of appropriate tooling for modern environments (such as the Normalyze cloud platform).
The most concerning statistic is the widespread acknowledgement that data loss has occurred more than once in the last 12 months: a startling 84% of all respondents! Most of the respondents in this category have experienced loss of sensitive data between two and five times. For example, nearly one fourth (23%) say they experienced loss of public cloud-resident sensitive data four times.
Responses Show IaaS, PaaS, SaaS as the Most Common Data Loss Vectors
The largest cloud attack surface entails data stores on "Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service" platforms, which include options of block, file, object, and database storage. The ESG survey found that another common vector for cloud-resident sensitive data loss was respondents' Software-as-a-Service (SaaS) platforms. This was experienced by 42% of respondents.
ESG postulated these data loss experiences were due to confusion about how to best secure SaaS-resident sensitive data. In particular, the confusion is probably rooted in unawareness of or uncertainty in application of the "shared responsibility model." In a nutshell, this model describes how implementation and management of cloud data security controls should be shared between the user organization and the service provider. In other words, some controls are the responsibility of the user, and others of the service provider. AWS, Microsoft Azure, and Google Cloud provide their own statements of how this model applies within those respective environments.
Notably, a variety of siloed point solutions for cloud data security provide only partial or no coverage for SaaS, IaaS, or PaaS environments. The Normalyze cloud platform protects sensitive data in all major cloud stores.
Contributors to Cloud-resident Sensitive Data Loss
ESG's study discovered three primary contributors to lapses in securing cloud-resident sensitive data: misconfigurations, policy violations, and access control/credential issues.
Misconfigurations of Services
About a third of all respondents (32-33%) experienced misconfigurations in SaaS and IaaS/PaaS services.
Policy Violations
Respondents experienced multiple types of policy violations, including data exposure from data misclassification (33%), unsanctioned apps/services (26%), and incorrect/insufficient security policies (25%).
Access Controls/Credential Issues
Respondents experienced several types of access control issues, including a malicious insider accessing sensitive data (31%), an attacker masquerading as an employee via stolen credentials (31%), and unauthorized access by an over-provisioned account (23%). The new details of the LastPass breach corroborate these findings.
Our next blog in this series will look deeper at ESG's third major finding, which examines how organizations face numerous cloud data security challenges driven by scale, complexity, and visibility. Meanwhile, if you'd like to skip ahead and read all of ESG's major findings, you can download the eBook here.
Experience data-centric security posture management in action with Normalyze Freemium. Or read the Buyers' Guide.
Read earlier blogs in the Cloud Data Security series
New ESG Research Study Reveals Six Insights for Better Cloud Data Security
Data Is Shifting to Public Clouds Ahead of Readiness to Secure It