Cloud security: Increased concern about risks from partners, suppliers

Were you unable to attend Transform 2022? Check out all the summits in our on-demand library now! Look here.


There is an ever-increasing pressure to the cloud.

This comes with increasing risks from partners, vendors and third parties, vulnerabilities and misconfigurations that can be compromised in a variety of ways, and complex software supply chains and infrastructures that complicate remediation.

But while businesses are concerned about all these implications, many have yet to implement advanced cloud security and data loss prevention (DLP) tools, according to a report released this week by Proofpoint, Inc., in partnership with the Cloud Security Alliance (CSA).

Hillary Baron, a research analyst at CSA and the report’s lead author, pointed to the rush toward digital transformation amid COVID-19. While this facilitated remote work and kept businesses running, there were unintended consequences and challenges due to large-scale – and quickly implemented – structural changes.

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to provide guidance on how metaverse technology will transform the way all industries communicate and do business on October 4th in San Francisco, CA.

Register here

“One of those challenges is developing a cohesive approach to cloud and cyber threats while managing legacy and on-premises security infrastructure,” Baron said.

Increased concern in complex landscapes

“Cloud and Cybersecurity Challenges in 2022” asked more than 950 IT and security professionals representing various industries and organization sizes.

In particular, 81% of respondents said they are moderately to highly concerned about risks around suppliers and partners, and 48% are specifically concerned about the potential loss of data as a result of such risks.

That seems like a legitimate concern, study authors point out: 58% of respondent organizations indicated that third parties and vendors were the target of cloud-based breaches in 2021.

Also worryingly, 43% of respondents said protecting customer data was their primary cloud and network security goal for 2022 – but only 36% had dedicated DLP solutions in place.

Also from the report:

  • A majority of respondents were very concerned (33%) or moderately concerned (48%) about security when working with suppliers and partners.
  • 47% said legacy systems were a key challenge to improving their cloud security posture.
  • 37% said they need to guide safer employee behavior.
  • 47% said they had implemented endpoint security, 43% said they had implemented identity management solutions, and 38% said they had implemented privileged access management.

Meanwhile, organizations are concerned that targeted cloud applications either contain or provide access to data such as email (36%), authentication (37%), storage/file sharing (35%), customer relationship management (33%) and enterprise business. intelligence (30%).

Both experts and organizations agree that there is much room for improvement in existing processes for managing third-party systems and integrations.

Context is often missing for software-as-a-service (SaaS) platforms in use — the data they hold, the integrations they facilitate, the access models in place, said Boris Gorin, co-founder and CEO of Canonic Security.

These are also not continuously monitored. He advised organizations to ask themselves if they have an overview of all third-party integrations and add-ons, and what access and reach these integrations have in their environments – or if they are active at all.

“Most breaches happen because we didn’t execute a policy, not because we didn’t have one,” Gorin said. Controls are overlooked, thereby creating vulnerabilities.

Dave Burton, chief marketing officer at Dig Security, also noted that there are many unaddressed uncertainties surrounding cloud complexity that make it difficult for businesses to understand exactly where cloud data is stored, how it is used, whether it includes sensitive information and whether it is protected.

Organizations need to understand all their data stores, ensure they have backup capabilities in place, regularly perform software updates and implement the right tools, he said. Tools such as DLP and DSPM (Data Security Posture Management) are also important.

Strategic practice, culture changer

Another of the many byproducts of cloud technology adoption is the loss of governance, said Shira Shamban, CEO of Solvo. Also, all too often sensitive data is found in places where it shouldn’t be and is not properly secured.

Ultimately, it’s not realistic not to store data in the cloud, he acknowledged, but organizations must only do so in cases where it’s absolutely necessary — not just arbitrarily. Access must also be clearly specified and limited.

Also critical: “security can’t just be an annual audit,” Shamban said. “It’s an ongoing process that consists of frequent revision, validation and updating – much like cloud applications themselves.”

Similarly, the best tools are only effective when combined with a security culture in and around an organization, said Mayank Choudhary, EVP and GM of Information Protection, Cloud Security and Compliance, at Proofpoint.

“As organizations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter,” he said. “It is an organization’s responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.”

VentureBeat’s mission will be a digital town square for technical decision makers to gain knowledge about transformative business technology and transactions. Learn more about membership.

Leave a Reply

Your email address will not be published.