CISOs have known for years that money alone doesn’t buy security in on-premises environments. The lesson is the same in the cloud, according to a new report.
Produced by IDC and sponsored by Bell Canada, the analyst’s brief released this month is based on a survey of the cloud adoption of 300 medium and large organizations, their security capabilities, and their success at delivering strong security outcomes.
Among the surprising findings: The highest security technology spenders had more breaches than average. Technology alone wasn’t keeping organizations in the study secure. It also needs to include processes, tools, and people.
Only 52 per cent of organizations studied were able to protect themselves from a security breach, the survey concluded.
It also showed that only 34 per cent deployed cloud security posture management solutions, “leaving the remainder exposed to misconfigurations,” the study concluded.
In a lot of ways, said David Senf, a senior manager in Bell Canada’s security practice and national security strategist, the study shows IT departments need to focus on cybersecurity basics.
“What organizations aren’t doing enough of is focusing on knowing what they have in the cloud, what are the misconfigs, what are the actual risk levels, so they can allocate resources more effectively.”
Survey results also showed that organizations that focused on detection — including logging and monitoring IT network activity and automating response — did better than others.
The study grouped responding organizations into four categories:
–Traditionalists, who are stuck in legacy skills, processes and technology, and had limited cloud adoption;
—Pragmatists, who had slower than average cloud adoption but were starting to take the right security actions. Generally they fared better than others in security outcomes;
—Strategists, who took a measured approach to the cloud and had the best security outcomes.
—Denialists, who had rapid cloud migration but primarily relied on security technologies for data protection. They suffered the worst security outcomes of the four groups because the right security processes were not in place.
IT departments should strive to emulate the approach of Strategists, says the report.
The organizations in this group find the proper balance between speed of cloud adoption and taking time to implement security processes,” the report says.
“In addition, they focus on increasing the security skills of developers and IT and security staff. They do not rely as heavily on technology solutions as the less-secure Denialists do. They acknowledge that improving security maturity involves a continuous investment of resources and ongoing management; it is a strategy, not a project. They recognize that maintaining security takes time and if planned properly, without significant hardship.”
–use security frameworks such as those from the Cloud Security Alliance, the U.S. National Institute for Standards and Technology (NIST), the ISO and the Centre for Internet Security (CIS);
–focus on key security processes, such as having an ongoing inventory of cloud services, continuous assessment of cloud configurations, managing entitlements, and threat detection;
–both shift left (integrate security early in their application development process) and shield right (execute strong security of their live applications);
–use cloud security posture management tools and processes to detect misconfigurations and drifts from a known good state;
–automate security tasks where possible;
–and ensure cloud control through the use of cloud access security brokers and zero-trust network access.
“Things like how fast do you respond to an incident, how much protection did you put in place, how fast can you recover are important” in cloud environments, said Senf, “but if you don’t have the foundational elements of ‘what’s the inventory [of cloud services]’, ‘can I detect when something’s happening’, then, relative to your peers, you’re not going to be performing as well [as other organizations] from a security perspective.”