According to CyberArk, cyber-security inertia is putting organizations at risk. Nearly half — 46% — of enterprises say their security strategy rarely changes substantially, even after a cyberattack. That data comes from the organization’s new Global Advanced Threat Landscape Report 2018. The researchers surveyed 1,300 IT security decision-makers, DevOps and app developer professionals, and line-of-business owners in seven countries.
Cloud computing is a major focus of this report, and the study results are scary. CyberArk says, “Automated processes inherent in cloud environments are responsible for prolific creation of privileged credentials and secrets. These credentials, if compromised, can give attackers a crucial jumping-off point to achieve lateral access across networks, data and applications — whether in the cloud or on-premises.”
The study shows that
50% of IT professionals say their organization stores business-critical information in the cloud, including revenue-generating customer- facing applications
43% say they commit regulated customer data to the cloud
49% of respondents have no privileged account security strategy for the cloud
While we haven’t yet seen major breaches caused by tech failures of cloud vendors, we have seen many, many examples of customer errors with the cloud. Those errors, such as posting customer information to public cloud storage services without encryption or proper password control, have allowed open access to private information.
CyberArk’s view is dead right: “There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud vendors are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes.”
In other words, nobody is stepping up to the plate. (Perhaps cloud vendors should scan their customers’ files and warn them if they are uploading unsecured files. Nah. That’ll never happen – because if there’s a failure of that monitoring system, the cloud vendor could be held liable for the breach.)