On Wednesday, the Cloud Security Alliance (CSA) along with Google Cloud released a cloud risk survey that found some 52% of organizations say they have not assessed the continued risk of their cloud services being used after acquisition, as product features or business environments changed.
CSA-Google researchers also found that there is no consistency in data classification across the use of cloud platforms and services. Only 21% use cloud service data classification, and only 65% of those users are aligning internal data classification schemes.
“As enterprises continue to add manufacturing to the cloud and the growing use of cloud services, cloud and digital asset management will be critical in managing and measuring risk,” said Jim Reavis, co-founder and CEO of Cloud Security Alliance. “While there is still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigation, these issues improve in the cloud compared to today’s legacy and on-premises IT environments. This study confirms that an organization’s best path to viable risk management involves IT modernization in the cloud or on-premises cloud-like infrastructure.”
In response to this changing environment, the survey noted that there is a need to improve tools to quantify and measure risk. About 70% of organizations reported ineffective processes for assigning risk to cloud assets, and only 4% reported having highly effective practices. In general, monitoring, measurement and reporting have become difficult. CSA-Google said that 30% of companies reported that risk scoring systems are used as a directional guide to improve risk for certain cloud solutions, as opposed to metrics that can be relied upon to compare all cloud services.
The move to cloud infrastructure has also changed the way organizations must consider risk, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said that in some cases it has become easier, while in others it has become more complex, with organizations spending more time than they perhaps should on managing the new risk environment.
“Risk assessment and management are ongoing processes that need to be reviewed and updated as the situation and business environments change,” said Parkin. “IT security teams need a consolidated view of risk across cloud application environments as well as traditional IT infrastructure. So they need a plan to prioritize and mitigate this risk. This is not an easy task, but it is possible through the discipline of procedure and organization. If security teams can understand and prioritize the risk created by cloud misconfigurations along with IT infrastructure and application vulnerabilities, they have an opportunity to reduce risk and improve the company’s security posture.”
Mona Ghadiri, director of product management at BlueVoyant, said continuous risk monitoring, prevention and detection is the only way to stay ahead of the curve, both with cloud security and cybersecurity in general. Ghadiri said that CISOs need an internal and external reading of what happened, how it happened and what was done to contain it.
“As more and more organizations incorporate cloud services, they need to ensure that they continually monitor these environments with the same vigilance using more automation to contextualize response than on-premises assets,” Ghadiri said. “Scanning a cloud environment only when it first comes online is far from enough. Daily changes for good or bad reasons can lead to new vulnerabilities. Organizations must be able to quickly detect and remedy any problems as they arise.”