Two-thirds of organizations use the cloud to store sensitive data or workloads, but there is a persistent lack of confidence in the ability to protect this information, according to research from the Cloud Security Alliance.
And while more than a quarter of these organizations use confidential computing to protect this sensitive information, more than half of those surveyed said they plan to implement this security technology within the next two years.
But that’s too long to wait, according to Ameesh Divatia, co-founder and CEO of data protection company Baffle.
“With the majority of organizations now processing and sharing data in the cloud, the importance of continuous data protection – in use, at rest and in transit – is critical,” Divatia said in an official statement. “It is very encouraging that the survey indicates that companies intend to implement confidential computing and homomorphic encryption, but the low level of confidence of 81% of respondents in their current ability to secure data is worrying.”
Why are they waiting?
When asked why CISOs and cloud security teams aren’t moving faster to implement confidential computing or other security tools, Divatia said in an email interview that resources, especially available security talent, are limited, making it difficult to keep up with the speed and quantity of data and applications migrating to the cloud.
“Implementing currently available security controls often requires application modifications, which may not be possible with commercial closed-source solutions. While these challenges have made identity and infrastructure the top priority for CISOs in cloud security, that focus is shifting to data security,” Divatia said.
With digital transformation and the pandemic forcing organizations to move more data and resources to the cloud, CISOs are always trying to better understand their cloud security posture and these tools allow them to do just that, according to Aaron Cockerill, Director of Strategy at Lookout.
“The only reason implementation is slow is lack of familiarity with setting up these controls,” Cockerill said in an email interview. “If you think about it, CISOs have to configure apps like Workday, Salesforce, Office 365, and all the hundreds of other SaaS apps that every organization relies on today. If you implement a cloud security tool like a Cloud Access Security Broker (CASB) on all of these applications, the task of configuring these individual applications is greatly simplified.”
Controls to implement today
The security reality that CISOs and security teams face, regardless of where their information is stored, is that data has increased in value both to the organization and to threat actors, while modern attack vectors keep changing and shifting. The most immediate need for cloud security is for controls that will protect data in use and at rest.
“Back when everything was located in a data center, you had tools that protected your perimeter, such as firewalls, DLP filters and VPNs,” Cockerill said. “In this new cloud-centric world, you need to replicate those security tools that you once had with the traditional security perimeter and move them to the cloud. What Gartner calls the Security Services Edge (SSE) is essentially a framework that consolidates these tools from the traditional security perimeter and moves them to the cloud.”
If you don’t know where to start with your cloud security tools, start with the basics, said Davis McCarthy, senior security researcher at Valtix, like securing cloud user accounts with 2FA and opting in to the idea of least privilege permissions.
“Harden the environment by designing a secure cloud network, building layers of defense in critical workloads, especially where visibility is lacking,” McCarthy said.
Protecting record-level data is the critical cloud security control, and CISOs should focus on implementing controls they trust now, not in one to two years, Divatia added.
“Appropriate security controls not only protect against costly and damaging breaches, but remain a valuable competitive differentiator for businesses.”