Security risk even after moving sensitive data to the enterprise cloud
February 17, 2020

Enterprises continue to feed their clouds with increasingly sensitive information, yet according to McAfee’s latest report the security issues are building alongside this trend.

The study, titled ‘Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report’, polled 1,000 enterprises across 11 countries, as well as logging anonymous data from 30 million enterprise cloud users.

More than a quarter (26%) of the files analysed in the cloud now contain sensitive data, a rise of 23% year over year. Security, however, has yet to catch up: 91% of cloud services analysed do not encrypt data at rest, while one in five respondents said they lacked visibility into what data resides in their cloud applications.

Enterprises are utilising initiatives such as data loss protection (DLP); indeed, on average companies polled saw more than 45,000 incidents per month. Yet only a third (37%) say they are utilising DLP. Almost four in five (79%) of those polled said they allowed access to enterprise-approved cloud services from personal devices. A quarter of companies admitted they had sensitive data downloaded from the cloud to an unmanaged personal device.

This is the situation at many organisations and is, to not put too fine a point on it, a mess. “Security and risk management professionals are left with a patchwork of controls at the device, network, and cloud – with significant gaps in visibility to their data,” the report noted. “Living with these gaps and the patchwork of security born out of the network is an open invitation to breach attempts and non-compliance.”

93% of CISOs surveyed do agree that it is their responsibility to secure data in the cloud. Three in 10 respondents, however, admit they lack the staff with the skills to secure their SaaS applications. The latter figure is up 33% from the year before, with the report noting that technology and training continue to be outpaced by cloud’s aggressive enterprise growth.

“The force of the cloud is unstoppable, and the dispersion of data creates new opportunities for both growth and risk,” said Rajiv Gupta, senior vice president for cloud security at McAfee. “Security that is data-centric, creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs.”

McAfee’s recent reports have been a mix of the gloom-laden and optimistic. In November, the company noted how 40% of large UK businesses expected to be cloud-only by 2021, but noted the gaps in security and responsibility between the haves and have-nots. In June, the company’s Cloud and Risk Adoption Report, again based on the responses of 1,000 enterprises, found organisations with cloud access security brokers (CASBs) were over 35% more likely to launch new products and gain quicker time to market.

The company had three recommendations based on its current report findings:

  • Evaluate your data protection strategy for devices and the cloud: Consider the difference between a disparate set of technologies at each control point and the advantages of merging them for a single set of policies, workflows, and results
  • Investigate the breadth and risk of shadow IT: Determine your scope of cloud use, with a focus on high-risk services; then move to enabling your approved services and restricting access to those which might put data at risk
  • Plan for the future of unified security for your data: Context about devices improves security of data in the cloud, and context about the risk of cloud services improves access policy through the web. Many more efficiencies apply, while some are yet to be discovered. These control points are merging to deliver the future of data security