The rapid growth of the cloud has left organisations with significant gaps in their visibility of the data they keep there, putting them at risk of data loss and regulatory non-compliance, according to a report published by McAfee.
In its research study, titled Enterprise supernova: The data dispersion, cloud adoption and risk report, McAfee highlighted the broad distribution of data across devices and the cloud.
“The force of the cloud is unstoppable, and the dispersion of data creates new opportunities for both growth and risk,” said Rajiv Gupta, senior vice-president of cloud security at McAfee.
“Security that is data-centric – creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud – provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs.”
McAfee said the sprawling nature of high-risk cloud services was clearly driving new areas of risk. Just over half of companies were found to have used cloud services that had user data stolen in a breach.
It found that 79% of organisations stored sensitive data in public cloud environments, each approving an average of 41 different services, although thousands of others are being used on an ad hoc basis without any vetting by IT teams.
The prevalence of shadow clouds is expanding risk for businesses in many ways, said McAfee. For example, about 26% of files in the cloud were found to contain sensitive data, but 91% of cloud service providers do not encrypt data at rest, meaning it can’t be protected if the provider is breached.
Data travelling between these diverse cloud providers also opens new paths to risk. As organisations collaborate more internally, the transfer of data within and between cloud providers is creating challenges for data protection. The report claimed 49% of files that enter a cloud service will eventually be shared, and that 10% of files in the cloud that contain sensitive data use a publicly accessible link to the file.
McAfee also looked at the use of personal devices to access data from within the cloud. It found 79% of companies let employees access data from approved cloud services when using their personal devices, and that a quarter downloaded sensitive data from the cloud to an unmanaged device, meaning they could no longer see or control it.
There were, however, some positive trends to pick out, such as a growing understanding of who exactly is responsible for securing data in the cloud. Whereas previous research on this topic has tended to show that confusion reigns over this question, McAfee reported that when it comes to CISOs themselves, 93% understand the primary focus is on them, although many conceded their companies lacked staff with the skills to secure that data.
Nigel Hawthorn, Europe, Middle East and Africa (EMEA) marketing director of McAfee’s cloud unit, said this clearly showed the need for a layered defence and talked up the shared responsibility security model, adding that everyone is accountable to some degree.
“A good way to illustrate this is to think about a family renting a car. The manufacturer is responsible for the build quality and the airbags working, the rental company takes ownership of servicing and keeping the car roadworthy, while the driver is ultimately responsible for driving the car safely and carefully. Everyone has a shared responsibility and a part to play,” said Hawthorn.
“When managed correctly, cloud is the most secure place to do business and an incredible driver of business growth and innovation. Collaboration, strong data governance and regular training are the keys to making this a reality,” he added.