A Massive Shift to Cloud Continues, But the State of Cloud Security Lags Behind

Transitioning the work environment to the cloud became the norm long ago. Today, at least 88% of organizations across the world have their workflows in the cloud, either partially or fully, an O’Reilly survey confirms. But despite the new opportunities arising from moving to cloud computing, security continues to be a critical business concern.

Incidents driving the storyline

In the era of COVID-19, security teams at various organizations have seen a dramatic increase in the number of cyberattacks directed at their cloud infrastructure.
  • In a recent hack-and-extort campaign, a hacker reportedly stole at least 31 SQL databases containing 1,620,000 (1.6 million) rows of customer information from a number of e-commerce websites.
  • Last week, hackers siphoned off nine million customer details from the largest British airline, EasyJet.
  • Plenty of database misconfiguration incidents surfaced last month that led to data breaches at various companies, including Virgin Media, Tokopedia, and Decathlon.

What’s the state of cloud security (under pandemic)?

The overall enterprise use of cloud services increased by 50% from January to April, as per the latest McAfee report.
  • McAfee found that the external threats targeting cloud services increased by 630% during the COVID-19 crisis.
  • The report also studied the correlation between the increased use of cloud services and collaboration tools, and inferred that hackers are responding with an increased focus on abusing cloud account credentials.
  • Moreover, the number of breached records globally surged by 273% in Q1 2020 compared to last year.
  • Adding to the woes, a recent Fortinet survey revealed that cloud security architect is already among the most challenging job roles to fill.

As observed by experts

  • According to Rajiv Gupta, Senior VP of Cloud Security at McAfee, mitigating cyber threats and risks requires cloud-native security solutions. Organizations should be able to “detect and prevent external attacks and data loss from the cloud and from the use of unmanaged devices.”
  • Urging businesses to continue employee education on phishing schemes, Tami Erwin, CEO of Verizon Business, said, "As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount."

Closing thoughts

Unmanaged devices and unsecured networks, especially when the entire world is reeling from the pandemic-induced lockdowns, pose a bigger threat to businesses. Organizations will need to establish an integrated cloud security posture with comprehensive visibility and security controls across the cloud services used in their work environment.

These NSA guidelines on mitigating cloud vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers offer great insights on implementing a defense-in-depth strategy to protect infrastructure assets.