Cloud Security Concerns Cause Many to Consider 'Unclouding'

Cybersecurity providers should offer their customers optional compliance services for the cloud.

Edward Gately, Senior News Editor

May 14, 2019


Data security concerns have prompted many organizations that store customer personally identifiable information (PII) in the cloud to consider moving it back on premises.

That’s according to the 2019 Netwrix Cloud Data Security Report. The annual report is based on feedback from nearly 750 organizations that use private and public cloud services to store their data.

Some 46% of organizations are considering moving PII back on premises. Of the half that store customer data in the cloud, 39% had security incidents in the past year and more than half of those couldn’t diagnose the problem.

Ken Tripp, Netwrix’s director of channel accounts, tells us small businesses are using cloud storage extensively and are leaders in implementing a cloud-first strategy.


“To support SMBs that rely on the cloud, MSSPs should provide them with affordable packages for cloud security,” he said. “These packages should include, but are not limited to: data discovery and classification functionality, as the study’s results prove that knowing your data decreases security risks to it; auditing capabilities to understand what happens around sensitive content and detect issues at early stage; [and] data loss prevention (DLP) and cloud access security broker (CASB) solutions for stronger protection.”

Second, cybersecurity providers should offer their customers optional compliance services for the cloud, Tripp said. With today’s data privacy laws, there are many businesses that are new to compliance and the demand for affordable and reliable compliance services will grow, he said.

“Finally, MSSPs and other cybersecurity providers should consider offering cloud consulting,” he said. “The survey’s results demonstrate that a considerable number of organizations failed to reach their goals for the cloud migration, such as data security and cost reduction. It means that organizations need professional guidance before and after cloud migration to ensure that they don’t lose the focus on core goals.”

Other findings revealed by the report include:

  • One-half (50%) of respondents store PII of customers and employees in the cloud, but far fewer are willing to store their financial data and intellectual property (IP) there (26% and 16% respectively). 

  • Three-quarters (75%) of organizations that store customer PII in the cloud, but do not classify all their data, experienced a security incident.

  • Thirty-one percent of respondents consider business users to be the major security threat, while 16% think members of the IT team are a security risk.

  • One-third (33%) of respondents that store all their sensitive data in the cloud had security incidents during the preceding 12 months. 

  • Compared to 2018, the share of accidental errors has increased by 14% and the share of malware attacks has increased by 11%, while the share of external attacks has decreased by 20%.

  • Respondents plan to strengthen their cloud data security with encryption, monitoring of user activity and employee training, but 55% are having to manage with the same cloud security budget as last year.

“The finding that gave us an unpleasant surprise is that the ability of organizations to identify the actors responsible for incidents has diminished significantly — 36% of respondents were not able to determine who caused a security incident, as opposed to 6% in 2018,” Tripp said. “This is quite disturbing and demonstrates that organizations do not have enough visibility into their IT infrastructure to conduct effective investigations. But more importantly, with such a fragmented knowledge of what is happening across their cloud storage, they have almost no chance to learn how to prevent similar incidents in the future and protect sensitive data.”

“Unclouding” wouldn’t be a mistake, but in most cases it’s a costly and time-consuming activity that will hardly resolve an organization’s problems, he said.

“Indeed, organizations that moved customer PII to the cloud to improve their security posture didn’t get the level of protection they expected,” Tripp said. “But here are a couple of questions I would like to ask organizations before they leave the cloud. Are you moving all of your customer data back? Who will have access to it? And is there any guarantee that your customer PII will be more secure on premises? De-clouding will be pointless if you lack knowledge about what data you have. Contrariwise, knowing where your data resides, which data you don’t need and which data requires (the) most protection will enable you to manage your data more efficiently and ensure its security in the cloud.”

“As regulatory concerns continue to increase toward some unpredictable future peak, cloud-using organizations must increasingly demonstrate that they are governing cloud use,” said Steve Dickson, Netwrix’s CEO. “As a consequence of ceding some control, you should expect to perform more monitoring of cloud activity, to demonstrate that governance procedures are in place and are being followed.”

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
