With the world still adjusting to the changes of the last two years, the technology sector in general – and cloud adoption in particular – has been instrumental in helping people cope with the enormity of the tasks at hand. For those who were already looking into cloud adoption, the pandemic simply accelerated the adoption of cloud environments, including multi-cloud and hybrid deployments. Despite the numerous benefits that cloud adoption brings, it also introduces significant new security challenges for organisations.
Thales has released the 2021 Thales Cloud Security Study. Based on the data from a global survey of more than 2,600 IT and security professionals, this report uncovers cloud security trends to inform readers of the best practices for cloud migration and implementation practices.
In its current state, multicloud adoption is widespread. Globally, 57% of respondents use two or more Infrastructure as a Service (IaaS) providers.
Number of IaaS Providers
Software as a Service (SaaS) Usage
Whilst discussions surrounding cloud security might often focus on IaaS and PaaS, the use of SaaS applications is widespread across all industries. Those tasked with securing organisational resources in the cloud should ensure that they have SaaS applications in their scope.
Larger organisations typically use more SaaS applications. This is expected, as a characteristic of SaaS applications is that they can be deeply aligned to specific use cases and easy consumption. This means that the complexity of larger organisations can yield a greater range of possible use cases for SaaS applications.
Whilst the multitude of use cases and the greater number of SaaS applications in larger organisations are extremely beneficial, they also introduce more security risks. A complex usage pattern increases the potential for sensitive corporate data to be present and used at multiple locations outside of direct organisational control.
Telecommunications, manufacturing and financial are the sectors that have the highest average number of SaaS applications.
Number of Apps
Managing Cloud Security
One of the key differentiating factors of cloud adoption is that the cloud model is not merely a technology refresh. Instead, it forces organisations of all sizes to take a deeper look at their internal organisational structure. Cloud adoption brings with it a broader set of internal stakeholders and demands, from faster time to value to accelerated project schedules. With a range of scenarios being presented, how is security being managed?
Responsibility for Policy Definition and Enforcement
There are often discrepancies surrounding the responsibilities of cloud security management. Those in senior management have a higher perception that security teams are responsible for both policy definition and enforcement (39%), compared to staff (32%). Conversely, staff primarily indicated that security teams are responsible for policy definition, but enforcement is up to others. This lack of consistency has the potential to generate confusion between teams, both during incidents and in strategic planning for security activities.
Figure: Perception of Who is Responsible for Policy Definition and Enforcement by Role (categories: policies defined and enforced by security; policies defined and enforced by cloud teams; policies defined by security, enforced by cloud teams)
Cloud complexity levels tend to peak at two different stages in an organisation’s growth. The smallest companies and those just shy of reaching the largest category often encounter heightened complexity with cloud management. For small companies, the challenge of managing the cloud is likely relatively new when compared to on-premises, or the company itself is potentially new and still evolving its governance structure.
To what extent do you agree with the following statement: It is more complex to manage privacy and data protection regulations in a cloud environment than on-premises networks within my organisation?
Complexity of Cloud vs. On-Premises Environment
There are two notable aspects around cloud adoption:
- Virtually all organisations have at least part of their footprint ‘on-premises’. This is then tied to cloud resources in what is usually viewed as a ‘hybrid’ environment.
- There are multiple ways for workloads to be migrated to the cloud.
Workloads can be ‘lifted & shifted’ to the cloud, i.e. the traditional use of virtual machines and application architecture is maintained, but they are now hosted in a cloud environment. Alternatively, they can be ‘re-architected’ to incorporate newer concepts such as containerisation and serverless function execution. Each option has benefits and drawbacks, from potential faster time to value to better use of cloud paradigms and resources.
Preferred Method for Migration to Cloud
Securing Cloud Environments
Key Technologies Being Used to Secure Cloud Deployments
For organisations looking to secure cloud environments, there are a host of tools at their disposal, each addressing key aspects of their threat model.
The ever-evolving threat landscape is driving increased awareness and adoption of multi-factor authentication (MFA). Organisations often turn to MFA for access management. Despite the relative popularity of MFA, survey results indicate that organisations are a long way off from MFA being broadly adopted.
Just 16% of global survey respondents use MFA to secure over half of their cloud services. For on-premises applications, this number falls even lower, with just 11% using MFA to secure them.
Securing modern environments – which are often a combination of on-premises and cloud – can seem daunting to many. 66% of respondents considered securing the combination of on-premises and cloud either “challenging” or “very challenging”.
For global responses, cloud-specific tools (cloud security posture management, cloud workload protection, cloud identity and access management), data loss prevention (DLP), encryption, and multi-factor authentication (MFA) were consistently the top-ranked choices as tools for securing data in cloud environments.
Encryption in the Cloud
Encryption is a key technology to address cloud security needs. Delving into the use of encryption requires addressing two aspects: deploying encryption capabilities to data residing in the cloud, and managing the keys used for encryption. There’s also the matter of just how much data should be encrypted. Whilst it would normally be expected that all or most sensitive data in the cloud would be encrypted, research indicates differently.
When considering what kind of encryption capabilities are used to encrypt sensitive data, organisations have the choice of using services from their cloud services provider, rolling out their own third-party encryption capability for handling that data, or using a mixture of both.
Percentage of Sensitive Data in Cloud that is Encrypted
Key Management in the Cloud
Approach to Key Management
Protecting sensitive data in the cloud requires a great deal more than simply deciding on how to implement encryption. Key management has become a notable concern for many, as cloud usage fundamentally means a shared responsibility between the organisation and provider, without an organisation relinquishing responsibility for data protection.
As with most encryption technology, managing keys for cloud environments has a number of different approaches. Organisations may use the encryption provided by their cloud service provider but retain control over how keys are created and managed. Alternatively, the organisation may choose to use provider-managed keys. For many, the trade-off is between cost and control.
Some prefer provider keys that favour immediate operational simplicity, whilst others lean towards provider keys that are better at supporting strong ownership of data. Specific compliance mandates may also push organisations towards maintaining greater control over encryption keys.
Breaches and Compliance Issues
One of the primary goals of security is to protect an organisation, supporting its internal needs, processes, constraints and objectives, whilst minimising the cost of securing it and preventing breaches.
Experienced a Data Breach
Experienced a Data Breach by Multicloud Adoption
Organisations globally are tackling cloud adoption in a variety of ways. Every organisation has its own set of objectives, preferences, and constraints; however, some key themes emerge:
- There’s a high possibility that security teams across all organisations, and particularly larger ones, will need to support multi-cloud use cases. Accounting for this will require balancing security features from the cloud provider(s) with how to deliver and centrally manage the same security outcomes across multiple providers and organisational environments.
- If left unaddressed, gaps between practitioners and senior management may result in friction in the effort to secure cloud adoption. Effective security will require alignment both at an operational level and within senior leadership conversations.
- A large proportion of organisations have encountered issues involving data residing in the cloud. This indicates that organisations likely require strong support for cloud environments in their incident detection and response capabilities.
- For organisations where protecting customer data is a priority, strategies and approaches involving proactively protecting data in the cloud, particularly sensitive data, should be reviewed. This may include understanding the role of specific controls and technologies, including authentication, encryption and key management, as well as the shared responsibilities between providers and their customers.
- With data privacy and sovereignty regulations increasing globally, it is now essential for end-user organisations to have a clear understanding of how to remain responsible for data security, as well as how to make clear decisions regarding who is in control of, and has access to, sensitive data.