Getting firms to move to the cloud hasn’t been all that easy. Many companies have justifiable concerns and fears about moving their most vital non-human asset – data – outside their data center.
While cloud providers have struggled to assuage those fears, they don’t seem to be getting through. A study by the Ponemon Institute and Netskope, called “Data Breach: The Cloud Multiplier Effect,” shows many firms still have concerns regarding data loss in the cloud, but none of it is based in reality.
Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services, and the findings reveal a cynical outlook, to say the least. While 51 percent of respondents said on-premises IT is equally or less secure than cloud-based services, 66 percent of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information. And 64 percent believe it makes it difficult to secure business-critical applications.
Dr. Larry Ponemon, head of the group that bears his name, thinks part of it is IT being a little territorial. “I think there’s a little fear they will become obsolete,” he said. “They aren’t driving the cloud train, business is. There is a sentiment that what I don’t know is worse than what I do know. They may think there’s a problem because they weren’t involved in the selection.”
There were other negative sentiments as well.
* 69 percent of respondents said they believed that their organization is not proactive in assessing which information is too sensitive to be stored in the cloud.
* 62 percent of respondents said they believed the cloud services in use by their organizations are not thoroughly vetted for security before being used.
* 72 percent of respondents said they believed their cloud services provider would not notify them if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
* 71 percent said they believed they would not receive immediate notification following a breach involving the loss or theft of customer data.
In the latter two findings, there is something to that concern. Hackers were stealing credit card information from unsecured wireless networks at TJX for 18 months and the company fired an employee who leaked that the company was still using unsecured networks even after the hack was exposed. Nortel Networks was the subject of a decade-long hack by Chinese criminals who stole pretty much all of the company’s IP, which led to its demise.
“There’s a lot of frustration in the complex world we are in,” said Ponemon. “Cloud providers are not motivated to say their data was exposed, even though it’s required by law. Also, a lot of cloud providers don’t find out about it until the FBI contacts them. Target first learned about their breach from the Secret Service. A lot of companies don’t have the tools or ability to know they were hacked and it can go on for months.”
It comes down to many IT professionals having no faith in cloud providers. Along with IT being left out of the decision-making process – thank you, BYOD, for letting the inmates run the asylum – Ponemon said there are two other reasons.
A lot of organizations have rushed to the cloud for cost efficiency or because it’s the cool thing to do. As a result of that rush, they don’t factor into the equation that data entrusted to the cloud can leak out, not just through criminal activity but through mistakes and glitches. Users might log on to a perfectly secure cloud storage system from an insecure place, like a Starbucks.
And occasionally the cloud provider makes a mistake, like Dropbox did in 2012, when a bug allowed anyone to access a Dropbox account without using the correct password. Later in the year, a security hole was found in Dropbox’s iOS app, which allowed anyone with physical access to your phone to copy your login credentials.
That said, Ponemon said some cloud providers are “very, very secure and I would trust them more than some on-premises IT configurations.”
The other problem is that a lot of firms are delegating their cloud services management to employees, not IT, which adds a layer of complexity that’s harder to control. You can’t control security in the cloud, yet you are allowing any employee to access it. “A lot of material data breaches are from insecure third parties. You may be a perfectly secure company, but then you team with a small development company in India, and a lot of them are insecure,” he said.
One thing not raised by the pros surveyed: a negative experience. Ponemon admitted that none of those surveyed actually cited a direct experience with a data breach or data loss; it was all based on hearsay and negative opinion formed in a vacuum.
Ponemon’s report is called “The Multiplier Effect” because when there is a data breach in the cloud, the costs multiply compared with a regular breach in a company’s own network. In every case, there is a net increase in cost and a net increase in the probability of occurrence because of certain events in the cloud. That’s because the forensic examination into how the data was lost becomes harder when third parties are involved.
He notes that cloud storage industry providers are very honest and will tell you they are not responsible for data losses. They don’t indemnify if there is a data breach on their watch. But most of the cloud providers are really trying to tighten up their practices. They realize if they are not secure they will get into big trouble with customers and ultimately regulators.
That’s true globally, he added. Many firms are now using cloud storage providers in their nation. Germany in particular is pulling out of U.S.-based providers after the NSA spying allegations.
And, Ponemon notes, the most common cause of breaches is still a negligent person, “a good person who does stupid things,” as he put it.
Ponemon recommends that the business units using cloud storage get IT involved in the decision making and deployment process. That is their expertise, after all. And he said to check with a cloud storage provider for their certifications to show their data center is up to a high standard. Ponemon said he looks for three certifications: SOC 2, ISO 27001, and NIST.