Unsanctioned and unsecured cloud applications are creating a massive amount of risk for enterprises in every industry. In an on-premise data centre, the business’s IT and security teams handle all aspects of, and are responsible for, data security.
However, in the cloud, we find a shared responsibility security model (SRSM) that splits the responsibility between the customer and the cloud provider.
Bridgette Kemp, business unit manager at Axiz, says too often the business units that execute cloud applications and infrastructure don’t know that the organisation is also partly responsible for securing those cloud applications.
“This responsibility can include thoroughly vetting potential vendors, patching the sections of the cloud that lie under their purview, monitoring security alerts, and enforcing strong authentication. Unfortunately, this results in security teams having no involvement with crucial tasks such as vendor selection, security audits and suchlike.”
The division of labour needs to be carefully laid out, adds Kemp. “The report highlighted that although certain cloud service providers offer specific cloud security options, for example, encryption, it might well fall to the customer to decide if they should apply and manage these tools. At the end of the day, the security buck stops with the business, not the cloud provider, as the business has far more to lose.”
She says problems creep in when the number of alerts and incidents that enter an average enterprise security team becomes too onerous to handle, which happens quickly, particularly if anomalous end-user behaviour alerts are included.
A recent study conducted by Oracle and KPMG revealed that the average large enterprise handles some 3.3 billion events every month. “However, a mere 31 of those events turn out to be legitimate threats. And let’s face it, there isn’t a business out there who could afford to hire and train enough security analysts to scrutinise each alert to separate the genuine from the false.”
Unpatched systems are also endangering businesses, says Kemp. “When operating systems, applications or devices are found to contain vulnerabilities, it can take an extremely long time for IT and security teams to install and test the necessary patches or changes in configurations.”
The report suggests that more human resources isn’t the solution; intelligent automation is, as it can easily handle this kind of repetitive and mundane task, freeing up human resources to work on more valuable activities. “Encouragingly,” she says, “the report revealed that automated patching is used by 43% of those polled in general, and 50% of the larger entities. Another 46% in general plan to use automated patching within the next year or two.”
Kemp says there are other steps that businesses can take to protect the burgeoning number of critical cloud services and applications they use too. “Education remains key. Ensure that all staff are trained on the wide range of social engineering attacks that cybercriminals employ, and keep up to date, because adversaries are increasingly cunning, and always looking for new ways to pull the wool over the eyes of unsuspecting users. Also, implement solutions that block phishing emails before they reach the inbox and have a monitoring tool in place that can pinpoint any anomalous behaviours that might be indicative of an email compromise.”
Moreover, she says businesses must get a handle on shadow IT, or unsanctioned applications and services that were brought into the organisation by employees. “Have strict policies in place to ensure that any use of third-party cloud services must have the full support and approval of the technology department. Shared responsibility goes beyond the business and the cloud provider, and every stakeholder in the organisation needs to play their role.”
However, without automation, too many potential threats can slip through the cracks, concludes Kemp. “It’s more crucial than ever that organisations employ automation tools to protect their information assets because security teams can only do so much. Executives in charge of security must have full visibility and control of cloud services and applications within their organisations, and all stakeholders need to understand that security is everyone’s problem.”