Poor Cloud Security Practices Put Data at Risk; A Detailed Look at How Hackers Target Employees
To provide organizations with an up-to-date understanding of cloud security concerns, the Cloud Security Alliance (CSA) has created the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.
“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner, Inc.
The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud. Some of the top challenges highlighted include:
Data Breaches: A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices, CSA says. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property.
Malicious Insiders: While the level of threat is open to debate, the fact that insider threat is a real adversary is not, CSA says. A malicious insider such as a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on cloud service providers for security are at greater risk.
Insufficient Credential and Access Management: Bad actors masquerading as legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source, CSA says. As a result, insufficient identity, credential, or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.
More than 80 percent of companies are suffering security and compliance risks due to poorly defined and inadequate data-management policies, according to a new Vanson Bourne-Veritas report that blames poor management of ‘dark data’ for a host of enterprise inefficiencies.
Poor data management leaves businesses unable to meet the requirements of new privacy regimes such as Australia’s Notifiable Data Breaches (NDB) scheme or the EU’s general data protection regulation (GDPR) – which spurred more than 206,000 reported privacy breaches in its first year.
These practical deficiencies not only generated estimated losses of over $US2 million ($A2.9m) annually, but create massive exposures for businesses facing increasingly onerous requirements around compliance and security.
Poor visibility and control of enterprise data has long been flagged as a hindrance to GDPR compliance, and the latest figures suggest that little has actually changed despite years of efforts to improve data management.
Data-loss scenarios typically fall into three categories: outsider with intent, insider with intent or insider without intent.
The outsider with intent is an obvious example. Picture the evil villain. Next is the intentional insider. The insider may harbor a grudge against an employer. Or the insider may seek personal gain from access to proprietary information.
And then there’s Kevin, the most dangerous threat of all. Kevin’s a good guy: diligent worker, loyal employee, dutiful parent. But to hackers, Kevin’s an information-rich target.
One Sunday, Kevin took his laptop to the coffee place down the street... he didn’t bother with the VPN since everything he needed was on his machine.
He checked Gmail: A parent had shared team photos from Kevin’s daughter’s recent Little League game. He clicked the link to a well-known file-storage website, but the link was broken. He thought little of it and resumed work.
What Kevin didn’t realize was that he had been phished -- spear-phished, to be exact. Potential Kevins are everywhere.
"To reduce risk, IT leads must rethink enterprise data-loss detection: Examine all data movement, especially when employees are offline or not connected to the corporate network."