Where Security Accountability Stops and Starts in the Public Cloud
For years, security was cited as a prime reason not to put sensitive data or valuable workloads into the public cloud. It’s safe to say that situation has changed. In fact, the CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud found that the vast majority (94 percent) of the 1,000 global organizations surveyed used cloud services in some way, shape or form. We see that that use is often to support digital transformation initiatives.
The public cloud isn’t being used for low-value data or unimportant assets. For instance, nearly half of the respondents are using SaaS-based business critical applications and a similar percentage use the public cloud for regulated customer data.
So far, so unsurprising.
The eye-opening discovery was the contrast between what organizations see as the major benefit derived from their use of cloud versus their understanding of their cloud security accountability.
The prime benefit that the organizations surveyed hoped to see from their usage of cloud was the ability to offload security to the cloud vendor, either completely or in part. This was potentially alarming, to say the least. Cloud vendors take responsibility for certain aspects of security when companies use their services, but they are very clear about where their clients must step in and assume accountability. Protecting customer data remains the responsibility of the client.
Then, we found that three quarters of survey respondents, perhaps blindly, entrust the security of their cloud workloads completely to the cloud vendor while half this number realize that this will not provide them with broad protection – but do it anyway. At this point, it’s obvious that the shared security responsibility model, which is clearly communicated by major cloud vendors, is either not well-understood or being ignored by many organizations.
Our report looked further into how privileged credentials are protected in the cloud and whether the high-value privileged credentials that give access to the most sensitive cloud-based data and assets were being properly secured.
It shows widespread lack of awareness about the existence of privileged accounts, secrets and credentials in IaaS and PaaS environments as well as the lack of a strategy to secure them. With less than half of all respondents reporting having a privileged security plan for the cloud, our findings indicate that organizations could be placing themselves – and their customers’ data – at significant risk.
For more details, download our eBook.