Nine in ten IT professionals in the UK are concerned with the security of the public cloud, and almost 20% do not deploy security for sensitive data stored outside the company’s infrastructure, according to a recent Bitdefender survey. Half of those surveyed admit cloud migration has significantly expanded the size of the border they have to defend, while only one in five encrypts already migrated data.
These are some of the findings of a survey released today by security firm Bitdefender. The study explores the pressures cloud migration place on 1,051 IT security professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany. As EU’s General Data Protection Regulation (GDPR) goes into effect on May 2018 — roughly eight months away — many organizations still find themselves struggling to comply. The new requirements include that data be protected adequately, and when breaches do occur organizations had better have notification capabilities in place that align with GDPR standards.
The increasing adoption of hybrid cloud — a mix of public cloud services and privately owned data centers, already in place for 70 percent of companies on a global level – is giving rise to new security challenges and prompting CISOs to adopt different technologies to fight zero-day exploits, Advanced Persistent Threats, and other devastating types of cybercrime.
Hybrid cloud brings hybrid issues
Some 85 percent of the CISOs say encryption is the most effective security mechanism to secure public-cloud-stored data, followed by security software (mentioned by 75 percent of respondents) and backups (trusted by almost half of those surveyed).
According to the survey, most US companies – a third – secure 31 to 60 percent of data stored in the public cloud, while only 21% encrypt all data stored there. Another area of concern is that 20 percent of CISOs do not deploy security in the public cloud, while a fifth do not encrypt data in transit from their own data center to an external one.
Bitdefender security specialists recommend that any data transfer between the client and the cloud service provider be encrypted to avoid man-in-the-middle attacks that could intercept and decipher all broadcasted data. Beyond that, any data stored locally or in the cloud should be encrypted to make sure cybercriminals cannot read it, in case of data breaches or unauthorized access.
To become GDPR compliant, companies need to identify data that falls under the regulations’ control – “any information relating to an identified or identifiable natural personal” –, document how this data is secured, and create incident response plans.
The survey also shows that 71 percent of IT decision makers use a security solution developed for endpoints to protect physical and virtual infrastructures, but 24 percent have implemented separate tools. Out of those, 79 percent do it to protect sensitive customer and consumer data, 70 percent cite compliance with internal and regulatory requirements, and 56 percent want to prevent service interruptions resulting from attacks.
Tailor-made security against crafted cyber weapons
Bitdefender security specialists strongly advise CISOs to use a security solution specifically designed for the infrastructure in will run on (physical or virtual) instead of a single tool for three main reasons:
– It generates overhead: installing an endpoint solution on different virtual machines hosted on the same servers impacts resources by continuously running redundant apps, like security agents
– It significantly reduces performance: security tools tailored for virtual environments use optimized agents that integrate with a security virtual appliance on server/servers, so previously scanned files are not rescanned each time a user needs them
– The typology of attacks is different: boot time security-coverage gaps leave the system vulnerable to malware attacks. As a result, virtual environments often face more sophisticated cyber weapons, such as advanced persistent threats, and targeted attacks, aiming at both companies and government entities (such as APT-28 and, just recently, Netrepser). In this respect, security for virtualized environments is by far the most effective way to detect and fight these complex tools.
What’s stored in the public cloud must not go public
Companies in the UK mostly store in the public cloud product information (47 percent), information about clients (40 percent), and information about employees (39 percent), and avoid storing off-premise what they perceive to be more sensitive data, such as research into new products and competition – 24 percent and 22 percent, respectively; intellectual property – 22 percent. Thus, companies encrypt more often information about clients (36%), financial info (31%), product info and specs (35%) than backups (28%), research into competitors (14%) and intellectual property (15%).
“The risk of being GDPR non-compliant means not only negative publicity and damage to the companies’ reputation as it has been until now, but also penalties that can total up to 4% of a company’s global annual revenue,” Bitdefender’s Senior eThreat Analyst Bogdan Botezatu says. “With 2017 having already set new records in terms of magnitude of cyberattacks, boards should be aware that it’s only a matter of time until their organization will be breached since most still lack efficient security shields.”
Bitdefender security specialists recommend that, when opting for a hybrid cloud solution, an organization must analyze the type of data it handles and evaluate it based on its sensitivity – both for the company and its clients. Critical, personal and private data related to intellectual property must be stored on premise, with access only to authorized personnel. Organizations that handle sensitive or confidential data, or data related to intellectual property, need to ensure their private cloud infrastructure remains private. No one outside the local network should be able to access that data and only authorized personnel should be vetted for handling it. The private cloud needs to be completely isolated from public internet access to prevent attackers from remotely accessing the data through security vulnerabilities.
In terms of security challenges, 40 percent of CISOs say that public cloud is their major concern, while private cloud comes third (17 percent). Another 27 percent say they are equally concerned about both, and 15 percent admit hybrid cloud is their major area of concern.
Lack of infrastructure-agnostic security, lack of predictability, and lack of visibility are perceived as top security challenges of cloud adoption by half of the companies surveyed.
The survey, conducted in May 2017 by Censuswide for Bitdefender, included 1,051 IT security purchase professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany.