Cloud – Data Loss and Leakage Top Security Concerns
Compliance, accidental exposure of credentials, and data control are also primary concerns for senior IT and security managers.
Most (93%) cybersecurity professionals are “moderately to extremely concerned” about cloud security, with data loss and leakage (64%) and data privacy (62%) at the top of the collective list.
To compile the “2019 Cloud Security Report,” commissioned by Synopsys, researchers with Cybersecurity Insiders conducted a survey of its 400,000-person community to see what’s top of mind for senior-level managers in IT and security operations. About one-third said they are “very” or “extremely” confident in their organizations’ cloud security posture, and 47% are “moderately confident.” Still, even those who feel good about security have concerns.
Data loss and confidentiality aside, respondents are mostly worried about legal and regulatory compliance (39%), accidental credential exposure (39%), data sovereignty (35%), and incident response (29%). When asked about the biggest daily operational headaches, respondents pointed to compliance (34%), visibility into infrastructure security (33%), lack of qualified staff (31%), setting consistent security policies (31%), lack of integration with on-prem technology (29%), and security not keeping up with the pace of new and existing applications (29%).
The compliance process is complex, and the greatest challenge for 43% of IT and security professionals surveyed is monitoring for new vulnerabilities in cloud services that must be secured. Other compliance pain points include audit assessments in the risk environment (40%) and monitoring for compliance with policies and procedures (39%).
Respondents use several tactics to protect cloud-based data. More than half (52%) use access controls, 48% use encryption or tokenization, and 45% use security services offered natively or by cloud providers. Less common methods include cloud security monitoring tools (36%), connecting to the cloud via protected networks (36%), and third-party security services (25%).
A good resource for cloud-specific information security is the ISO/IEC 27017:2015 publication.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to the services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.