Let's talk about how you can stay off the growing list of companies that have been hacked. Spoiler alert: It takes money and commitment. Credit: Thinkstock The studies are coming fast these days. Thales Global Cloud Security Study for 2022 found that during the past 12 months, 45% of businesses have experienced a cloud data breach or failed to perform audits. (It would have been nice for this number to be broken out.) If you’ve been watching this space, it was only 5% off from the previous year. What gives? Overall, we’re having a perfect storm of a lack of increasing investment in cloud security, a significant dependence on cloud-based platforms, and a shortage of cloud security talent that leads many enterprises to hire less-than-qualified pros. Combine this with increased weaponization of new tools, such as generative AI by bad actors, and most enterprises are ill prepared to handle the new challenges. Data is out of control One of the more significant concerns is the rise of shadow data. Shadow data is data created, stored, or transmitted within an organization’s IT infrastructure without the knowledge or control of enterprise IT. It typically exists outside approved and monitored systems and includes data stored on employees’ devices, cloud services, or other unsanctioned and unknown applications. If you’ve ever put a document containing sensitive business data from an enterprise cloud database on a thumb drive to work on at home, or emailed a customer list from a SaaS-based application to yourself before going on a business trip, you’re using shadow data. Shadow data can contain sensitive or confidential information, and its wild nature poses risks to data security, compliance, and governance. It’s more of a training problem than a cloud security problem. You can place all the restrictions on using this data and even monitor usage, but at the end of the day, if the data can be seen on a screen, it can become unsecured shadow data. The fact that this is a training (and people) issue makes solving the problem difficult. IT security pros are used to tossing tools and technology at this problem, which may provide a false sense of security. We need a layer of education on how data should be handled, which those in IT may view as someone else’s problem. It’s often pushed to HR, where it’s seldom addressed. It’s a misconfigured world Configuration problems are often the most significant risk to cloud data and the most often overlooked. Show me a breach, and I’ll show you something stupid that allowed it to happen. One recent example is a large car manufacturer that had more than two million customers’ data exposed due to misconfigurations in its cloud storage systems. Rarely are properly configured security systems bypassed to gain access to data. Often, storage systems are left exposed or databases need more encryption. Someone didn’t fully know what they were doing in configuring security for cloud-based systems and data stores. This goes to the talent shortage I mentioned, and if we get massive losses through a breach, it will usually happen this way. Other threats We also have new and emerging threats, such as less-than-secure APIs. If you build and deploy on cloud-based platforms, APIs drive most of your work. Not only are APIs provided by the cloud vendors, APIs are also built into business applications. They provide “keys to the kingdom” and are often left as open access points to business data. Other emerging threats include the use of generative AI systems to automate fakery. As I covered here, these AI-driven attacks are occurring now. As bad actors get better at leveraging AI systems (often free cloud services), we’ll see automated attacks that can work around even the most sophisticated security systems. It will be tough to keep up with the new and innovative ways attacks can occur. Indeed, using generative AI to create code for malicious applications on demand, just through the sheer number of attacking software systems that can be generated and launched, makes successful attacks a matter of time. Most enterprise IT leaders can’t scale their defenses as quickly as attackers. What to do This is mostly bad news for those in charge of cloud security. The best path to a more secure cloud platform is the fundamentals. This means zero-trust security approaches and best-of-breed cloud security tools. If anything, you are putting up a better set of defenses that will make other enterprises a more attractive target. This is the reason locked bikes are stolen less often—the thief could cut the lock in a matter of seconds, but the unlocked motorcycle next to it is an easier target. A vulnerability this big needs the cooperation of the entire company to upgrade the knowledge that people have about cloud security. I see two battlegrounds here: First, the rank-and-file cloud users from sales executives to executive assistants must improve security practices. They need training and governance and to be held accountable for using data out of compliance. The second is to upgrade the security talent that the enterprise employs. This means funding salaries to hire the best security pros, as well as paying for continuous training and prioritizing time spent in training. I often hear stories about a lack of training exercises because security staff are having to put out fires. Guess why those fires are occurring in the first place? If you think lack of training, you’re on the right track. Related content feature A GRC framework for securing generative AI How can enterprises secure and manage the expanding ecosystem of AI applications that touch sensitive business data? Start with a governance framework. By Trevor Welsh Nov 19, 2024 11 mins Generative AI Data Governance Application Security news Java proposals would boost resistance to quantum computing attacks OpenJDK proposals would provide Java implementations of a quantum-resistant module-latticed-based digital signature algorithm and key encapsulation mechanism. By Paul Krill Nov 08, 2024 2 mins Java Quantum Computing Application Security news ‘Package confusion’ attack against NPM used to trick developers into downloading malware Attackers gunning for supply chains again, deploying innovative blockchain technique to hide command & control. By John E. Dunn Nov 06, 2024 4 mins Vulnerabilities Open Source Security news analysis What Entrust certificate distrust means for developers Secure communications between web browsers and web servers depend on digital certificates backed by certificate authorities. What if the web browsers stop trusting your CA? By Travis Van Oct 30, 2024 9 mins Browser Security Web Development Application Security Resources Videos