Six Insights from the 2021 SANS Cloud Security Survey

Should organizations implicitly trust cloud providers when moving data to the cloud?

Whether you should put your data in the cloud is a separate question from whether you should trust your cloud provider. There are a lot of advantages to running in the cloud: scalability, ease of operations, great cloud-native services. But none of that protects your data. Organizations looking to move their workloads to the cloud are often caught in a conundrum. With the increasing need to move to the cloud for flexibility, scalability, and agility, CISOs also need to ensure that this is done without exposing sensitive data to increased cyber risks. Security and data privacy continue to be the primary concerns slowing down cloud adoption. For data security, cloud service providers offer best practices and resources, but it is a shared responsibility between the cloud service provider and the organization. Go ahead and put your data there, but take the steps to keep it safe. Organizations need to take concrete measures to ensure data security as required by compliance regimes and government data breach regulations, and to protect their confidential intellectual property.

How is that changing how customers approach data security?

Much of the sensitive data is also governed by privacy regulations. There has been an explosion in activity from data privacy regulators, with regulations like the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) increasing the cost of leaving this data unprotected. Data breaches are now costlier than ever. For example, under CCPA, businesses can be required to pay damages between $100 and $750 per resident, per incident, and can be fined up to $7,500 for each intentional violation and $2,500 for each unintentional violation. This means that a data breach involving a million consumers, of which there have been many, could cost hundreds of millions of dollars in penalties per breach. Regulations such as the GDPR and CCPA have dramatically increased pressure on security and risk management (SRM) leaders. Data breaches are now much more expensive, more visible, and more complicated. This has also led to compliance teams getting new power (but not necessarily new budget). Budget still rests with the security and IT teams.

Why doesn’t encryption appear in the survey as a cloud control used to protect sensitive data?

This is not really surprising. It is a pretty typical list of what people have bought in the past, and there is certainly inertia in that. It clearly illustrates how thinking needs to change when going to the cloud. These are generally the same investments one would make for an on-prem data center: largely castle-and-moat defense. Keep the bad guys out, then hunt them down when they get in. Fortanix believes data and identity are the new perimeter. As simple as this sounds, it requires a fundamental shift in how we approach cybersecurity: from building network perimeters around data to assuming everything else is potentially compromised and securing the data itself.

How should this work when using multiple cloud platforms?

The best option is to insert security upstream from the cloud APIs. This means integrating with the cloud KMS but managing keys externally.

Why is encryption a low priority, and what needs to be done?

Commercial data encryption was invented in 1976. You can still buy the successor to that product. But most of these HSM solutions have typically treated on-premises data security and cloud data protection as two separate problems with two separate solutions delivered on two separate technology stacks. Moving from one to the other is difficult, making cloud deployments almost impossible. These solutions are not designed for the cloud. Many organizations still rely on these legacy HSM solutions and find them inadequate to meet the security needs within hybrid environments. The whitepaper “Five Step Guide to Modernizing Data Security” maps out a practical path to using Fortanix technology alongside your existing HSMs to improve on-premises, public cloud, and hybrid cloud data security.

How does this impact strategies for data security?

This means you need to extend security to cloud APIs, credentials, and secrets. DevOps teams have enthusiastically adopted cloud tools, agile development methodologies, and API-driven “infrastructure as code”. The push for speed and continuous delivery frequently collides with the more deliberate world of security, and certainly does not have thoughtful support of aging integrations. When security teams do get visibility, they are often appalled to see widely shared passwords, unsecured databases, and PII in test files left sitting on public clouds. A collateral benefit of modernizing data security is the introduction of “DevOps-friendly” security tools. Capabilities like RESTful APIs (just like the APIs DevOps uses for all the rest of its work), consistent cryptography services on-prem and in the cloud, and support for containers all make it easier to integrate data security into DevOps. Secrets management and tokenization are critical data security measures for DevOps.

Headwinds to continued or expanded cloud usage?

With increased cloud adoption, the most pertinent question is: what should security and IT professionals do over the next 12 months?

The biggest challenge that security professionals are going to face is a lack of cybersecurity expertise to handle data security concerns. Even though organizations may know there is a problem, they may not be able to find the right answers.

Fortanix

Fortanix™ has created the world’s first runtime encryption solution. Enterprises get provable, portable, and preventive security for their applications!