This blog is a continuation of our series looking at a new study, Cloud Data Security by TechTarget’s Enterprise Strategy Group (ESG). The study looked at challenges of securing cloud data among 387 IT, cybersecurity, and DevOps professionals who evaluate, purchase, test, deploy, and operate hybrid cloud data security technology products and services at organizations in North America. Normalyze is a co-sponsor of this study. Read the full ESG report.
This blog summarizes key points for the survey’s second major finding: Organizations Are Losing Cloud-resident Sensitive Data.
Organizations Are Losing Cloud-resident Sensitive Data
The rising use of cloud data stores in SaaS, IaaS, and PaaS environments has, not surprisingly, led to the loss of associated sensitive data from those locations. A majority of respondents to ESG’s survey either know of or suspect the loss of such sensitive data. For organizations that aren’t sure, the mist of uncertainty is due to either not having resident expertise, or lack of appropriate tooling for modern environments (such as the Normalyze cloud platform).
The most concerning statistic is widespread acknowledgement that data loss has occurred more than once in the last 12 months – a startling 84% of all respondents! Most of the respondents in this category have experienced loss of sensitive data between two and five times. For example, nearly one fourth (23%) say they experienced sensitive data loss from a public cloud-resident sensitive data four times.
Responses Show IaaS, PaaS, SaaS as the Most Common Data Loss Vectors
The largest cloud attack surface entails data stores on “Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service” platforms, which include options of block, file, object, and database storage. The ESG survey found that another common vector for cloud-resident sensitive data loss was from respondents’ Software-as-a-Service (SaaS) platforms. This finding was experienced by 42% of respondents.
ESG postulated these data loss experiences were due to confusion about how to best secure SaaS-resident sensitive data. In particular, the confusion is probably rooted in unawareness of or uncertainty in application of the “shared responsibility model.” In a nutshell, this model describes how implementation and management of cloud data security controls should be shared between the user organization and the service provider. In other words, some controls are the responsibility of the user, and others of the service provider. AWS, Microsoft Azure, and Google Cloud provide their own statements of how this model applies within those respective environments.
Notably, a variety of siloed point solutions for cloud data security provide only partial or no coverage for SaaS, IaaS, or PaaS environments. The Normalyze cloud platform protects sensitive data in all major cloud stores.
Contributors to Cloud-resident Sensitive Data Loss
ESG’s study discovered three primary contributors to lapses in securing cloud-resident sensitive data: misconfigurations, policy violations, and access control/credential issues.
Misconfigurations of Services
About a third of all respondents (32-33%) experienced misconfigurations in SaaS and IaaS/PaaS services.
Respondents experienced multiple types of policy violations, including data exposure from data misclassification (33%), unsanctioned apps/services (26%), and incorrect/insufficient security policies (25%).
Access Controls/Credential Issues
Respondents experienced several types of access control issues, including malicious insider accessing sensitive data (31%), attacker masquerading as an employee via stolen credentials (31%), and unauthorized access by an over-provisioned account (23%). The new details of the LastPass breach corroborate these findings.
Our next blog in this series will look deeper at ESG’s third major finding, which examines how organizations face numerous cloud data security challenges driven by scale, complexity, and visibility. Meanwhile, if you’d like to skip ahead and read all of ESG’s major findings, you can download the eBook here.
Read earlier blogs in the Cloud Data Security series