Cloud Zoo:
Don’t Let Your
Business Data Roam Free

Maintaining Control and Data Security in the Cloud

Introduction

The use of cloud-based services and applications are fast becoming the de facto way for many organizations to run a lean and efficient business. Once the preserve of big businesses looking to outsource large chunks of their IT requirements to specialist partners, cloud adoption is now a viable and affordable way for companies of all sizes to maximise IT budgets and remain competitive.

Both Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) platforms are in high demand among business owners and IT teams. When it comes to IaaS, nearly half (49%) of enterprises and 45% of SMBs are looking to outsource IT infrastructure and processes to third parties, with 49% of enterprises also agreeing that cutting costs is the major driver when it comes to the decision to outsource to IaaS providers. As for SaaS, over three quarters (78%) of businesses across SMB and enterprise segments already make use of at least one form of cloud service and the same number (75%) are planning to move more applications to the cloud in the future.

Cloud services give SMBs and enterprises the flexibility to grow without worrying about the hefty costs and maintenance of associated IT infrastructure that supports their day to day operations. Businesses using cloud services have, on average, 4 to 5 different applications supplied either through a private cloud or hosted remotely as part of a SaaS offering, with email the top application (52%), followed by collaboration software (48%), human resource management (48%) and finance and accounting tools (47%).

With technology the lifeblood of virtually every business – no matter what it’s size or sector – cloud computing has come into its own in recent years as a way of taking the IT strain and allowing businesses to spend more time focusing on growing and succeeding. Looking at the global landscape, fast growing economies are heavily relying on cloud services, with businesses in Chile (47%), India (44%) and Turkey (43%) storing close to half of their corporate data outside of their own network or security perimeter.

But as well as providing a much-needed way for organizations to support their ever-growing IT requirements, reliance on cloud services can come at a cost – with many blindly using cloud based applications without being able to account for their data across a number of sprawling services. This is paving the way for potential security and cost implications.

The following report looks into the attitudes and issues currently experienced by CISOs, security teams and SMB business owners caught in this “cloud zoo” scenario. Are businesses opening themselves up to security risks in a bid to drive efficiencies? Can the cloud environment be tamed to ensure it is secure and makes way for opportunities instead of growing risks? 

Methodology

Unless stated, all figures in this report are taken from the Kaspersky Lab Corporate IT Security Risks Survey – a global study of IT business decision makers, carried out by B2B International on behalf of Kaspersky Lab in March-April 2017.

The research questioned 5,274 workers about various aspects of cybersecurity, including their company’s attitudes towards the area, the main challenges they are facing and the types of approaches/strategies they currently use.

Respondents represented very small businesses (1-49 employees), small to medium sized businesses (50-999 employees) and large organisations with 1,000+ employees. Results were compared to last year’s survey – as well as between regions, industries and company sizes – to paint a comprehensive picture of the threat landscape.

Speed vs. Security

It is no great surprise that security of information in the cloud is still one of the main concerns for those looking to take advantage of hosted services, with 59% of both SMB and enterprise businesses feeling that outsourcing and cloud hosted services could introduce new risks to the IT security of their business. But what is shocking is that despite these reservations, many businesses are still not taking cloud security seriously, or putting measures in place to map the environment and ensure data is secure – no matter where it resides.

The speed of adoption has seen many companies swept along on the cloud wave, resulting in cybersecurity teams simply not knowing where their data lives. At the enterprise level, 42% of businesses admit that they are unsure if certain parts of corporate information is stored on company servers or on those of cloud suppliers, making it extremely difficult for them to account for its integrity. For SMBs, this is less of a concern with only a third (36%) feeling the same. This disparity could be due to the fact that SMBs tend to have smaller and less complicated infrastructures than enterprises, so are more likely to know where their data is being stored.

This uncertainty is leading to a “cloud zoo” scenario, with many businesses finding themselves in an untamed data jungle with a lack of control and visibility of their data. Even more importantly, they lack control of their customers’ data, which could have serious compliance repercussions with General Data Protection Regulation (GDPR) and its derivatives resulting in legal fines and penalties on the horizon, as well as similar compliance legislations in other countries.

This is further compounded by a lack of planning and mapping of cloud adoption. The consequences of this lack of insight can be significant, with enterprises suffering an average $1.2m financial impact as the result of a cloud-related security incident, compared to $100k for SMBs.

Third party problems

Out of sight should not mean out of mind. Indeed, incidents affecting IT infrastructure hosted by a 3rd party is one of the top-3 growing security events – with a quarter (24%) of businesses experiencing an incident over the last 12 months. Worryingly, 47% of those affected suffered data loss, leakage or exposure as a result of a 3rd party cloud infrastructure breach, which should prompt businesses to raise the issue to the top of the boardroom agenda.

Tightened regulations around the security of customer data – coupled with high profile breaches including the recent Equifax hack, which resulted in hundreds of thousands of customers having their details stolen – should also give companies all the ammunition they need to ensure the appropriate measures are taken to secure their data – no matter where it is stored. However, it seems that along with relinquishing storage of data to third parties, many businesses are also washing their hands of securing it appropriately.

As a result, 41% of enterprises have lost sensitive customer and employee information via data leakage from a 3rd party cloud service and 34% have had trade secrets and intellectual property exposed.

In comparison, 46% of SMBs have lost the sensitive information of their customers and employees via data leakage from a 3rd party cloud service, while 18% of SMBs have lost financial information about the company. As well as actual data loss, small businesses that make use of cloud services are also likely to be a target for DDoS attacks, with 37% of SMBs using the cloud experiencing this type of attack, compared to only 22% of those not using cloud services.

This suggests that those using 3rd party cloud services are leaving themselves more exposed to DDoS attacks, meaning SMBs that are embracing the use of cloud in their business need to consider improving their cyber defences.

Whose Responsibility is it Anyway?

One of the main issues and compounding factors of the ‘cloud zoo’ scenario is responsibility surrounding the security of data in the cloud. Although the concept of “shared responsibility” is widely adopted by the cloud generation, service level agreements usually state that the service provider only covers “service availability” and “security of the cloud infrastructure” (usually including virtualization, network and hardware protection). Even though the biggest cloud providers offer cloud-native security services (including identity management, data encryption, VPN, etc.) there are still some gaps when it comes to the cybersecurity capabilities of operations inside cloud workloads. This is what cloud-adopting businesses have to manage in order to mitigate potential data security risks.

This means that ransomware or DDoS attacks which affect data within the cloud, for example, are the responsibility of the customer. This subtle, but crucial, difference is catching companies out, with many assuming that their 3rd party cloud provider is not only storing their data but securing it from harm.

As a result, 7 out of 10 (70%) businesses using SaaS and cloud service providers have no clear plan in place to deal with security incidents which could affect their partners. A quarter (24%) even admit to not checking the compliance credentials of their service provider. With 42% of businesses not feeling adequately protected from incidents affecting their cloud service provider – this suggests a clear disconnect between expectations and reality and a total reliance on 3rd parties to provide complete protection.  For SMBs, 43% feel this way, compared to only 38% of enterprises.

Security concerns

With security of data a clear concern, businesses of all sizes and sectors remain unsure of their responsibilities. Cybersecurity teams within enterprises are more likely to check security compliance of 3rd parties that they share data with (35%), compared to 31% of SMBs – with over half (53%) more concerned with the IT security of 3rd party infrastructure than their own.

As a result, enterprises are becoming concerned about their reliance on 3rd parties for critical IT services, with 47% feeling too reliant, compared to 42% of SMBs.

Most businesses have no clear plan in place to deal with an incident affecting cloud service providers (Q21)

Cloud Promises: Flexibility and Efficiency

Despite concerns around data security and getting the cloud zoo under control, adoption levels and opportunities created by the delivery of IT services via the cloud continue to rise. Almost a quarter (23%) of enterprises plan to increase usage of public clouds, with the same number planning to grow their use of private (22%) and hybrid (21%) clouds in the next 12 months. For SMBs, adoption is continuing at a slow but significant pace, with usage still expected to rise across public (18%), private (17%) and hybrid (14%) environments.

The difference in adoption rates can be attributed to the difference in the type of IT support and infrastructure needed within businesses of these sizes. For enterprises, almost a quarter (23%) use – or plan to move – collaboration software to the cloud, closely followed by finance and accounting (21%), business specific, client related applications (19%), and CRM and salesforce automation (16%). For SMBs, adoption takes on different requirements with human resource management (21%) and finance accounting software (20%) being the main applications moved to the cloud.

Risk or opportunity

The differences in adoption rate and reliance on the cloud is reflected in how comfortable businesses are with the role that cloud plays in their organization. As a clear advocate and heavier user of cloud services, it is no surprise that enterprises consider cloud more of an opportunity (43%) than a threat (28%) to their business. SMBs however, take a different view, with a third (32%) considering the possible risks that can accompany the use of cloud services.

Opinion of the impact of increased use of outsourced and cloud-hosted services on security

As a result, attitudes towards protection also differ among company sizes with SMBs remaining more cautious and wary of throwing all applications into the cloud, and unsure of how protected their data really is. Enterprises feel more protected than SMBs when incidents affect 3rd party cloud services they use (26% feel well protected versus 21%), with SMBs not feeling well protected from such incidents (44% compared to 37% of enterprises).

Conclusion: Taming the Cloud Zoo

Cloud services are very much a reality among businesses large and small, but as many seek to realise the benefits of outsourcing services to a third party, accountability and security of data is becoming compromised. A lack of understanding around responsibility for securing data in the cloud and a failure to map where data resides is leaving businesses in a vulnerable position, where the risks could outweigh the benefits if not appropriately assessed and prepared for.

The cloud is designed to help companies reduce the total cost of ownership, simplify operations and increase business agility – not add to their security concerns. Nor should it, if adopted in the right way. The nature of the cloud makes adoption quick and easy but this should not be to the detriment of ensuring due diligence around security processes. It is clear, however, that complacency exists when it comes to security of data in the cloud, with only 30% of companies using specialist security solutions designed specifically for SaaS applications, IaaS, public and private clouds.

Far from being a hindrance, there are simple steps that companies can take as part of the cloud adoption process, which will help smooth usage and the present new opportunities. Enabling cloud ecosystem visibility is the first part of the process, giving businesses a clear view of what data resides where. Each part of the cloud infrastructure – be it hybrid, hosted or public cloud – should also have its own set of security measures as if it were data being protected within the company network.

Only by taking these key steps and putting a cloud security strategy in place will businesses be able to tame the cloud zoo and have complete control over all elements of the ecosystem, no matter how much data is roaming and residing within each enclosure.

To learn more about Kaspersky Lab’s approach to information security for cloud computing, visit Hybrid Cloud Security page.