Cloud: The Issues

INSIDE THE SPRING 2019 EDITION OF THIS MAGAZINE WE REPORTED HOW Gemalto’s Global Cloud Data Security Study 2018 had indicated that of the companies surveyed, more had moved their data to public Cloud Service Providers (CSPs) in the expectation that it would be safer hosted on their systems. While, for the Gemalto study’s sample, cost and faster deployment time were the most important criteria for selecting a CSP, security as a winning factor increased from 12% of the poll in 2015 to 26% by 2017. According to some sources, that level of confidence has continued to make gains over the 12 months since. Some 72% of organisations surveyed by the Oracle and KPMG Cloud Threat Report 2019 held that they view public clouds as ‘much more/somewhat more secure’ than the security assurance they can deliver on-premises – a 10% increase from the previous year’s report’s response on this question. However, as the cloud market has further matured, new security-related issues have also emerged that could indicate that confidence in the resilience of public clouds may have passed an apex. As public cloud service offerings have diversified and commoditised, giving rise to extra complexity and costs, it has brought new challenges for cloud security management. Confusions around the public cloud Shared Responsibility Security Model (SRSM) is an instructive case in point. The SRSM depicts the division of assigned responsibility between CSPs and the customer of a given cloud service (or services) for how that service, and the data it contains, is secured. This model is regarded in many quarters as the primary foundational construct of cloud security strategies, although it is more a simple reference model than an industry standard.

This confusion has fermented for at least three years. A 2017 survey of 1,000 enterprise IT practitioners by consultancy 2nd Watch found that 73% of IT professionals did not fully understand the public cloud SRSM, with many under the impression that their cloud providers had greater responsibility for securing applications and data than they in fact did. Forty percent of respondents believed their applications and data were ‘fully protected’ by their CSP at the time, while 34% believed security is their own company’s responsibility entirely – an equally erroneous working assumption. The establishment of ‘demarcation lines’ between CSP and customer, and disestablishment of ambiguity in regard to where security responsibilities lie, is critical for businesses that use cloud services – for several reasons. These reasons have become more tangled in recent years due to the complex managed infrastructures that users have assembled due to ‘as-a-Service’ products from CSPs, and the added compliance obligations imposed by data protection regulations; it is at this nexus that senior executive leadership could be drawn into what might otherwise seem a fairly straightforward IT procurement issue.

Popular ‘as-a-Service’ options provide virtualised alternatives to the basic building blocks of IT infrastructure that organisations would, otherwise, have to build and operate themselves in their own physical data centres. The three principle service categories are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each category has eight service delivery layers: the security responsibility for each of those layers is assigned to either the CSP or its customer. However, while the SRSM defines how those responsibilities should fall, it does not constitute a mandated industry standard; and while it might be customary for CSPs to provide levels of native cloud security controls (e.g., data encryption), typically it remains the responsibility of their customers to apply/manage those controls or those provided by a third-party. The Oracle/KPMG report findings are echoed by a survey from Barracuda Networks, which indicates that many IT buyers – and it’s not altogether clear whether these are IT practitioners or business managers – buy into public cloud on the assumption that because they are effectively outsourcing the running of their infrastructure to a trusted third-party, the CSP ‘will take care of everything’. But Barracuda found that this ain’t necessarily so. Sixtyfour percent of EMEA IT leaders polled here asserted that their public IaaS provider is ‘responsible for securing customer data in the public cloud’, applications security (61%), and Operating Systems security (60%). These assertions are at odds with what Amazon Web Services, Microsoft, and others say, Barracuda Networks adds – a misunderstanding that ‘exposes countless organisations to unnecessary risk’. The fact that 61% of the survey respondents declare themselves to ‘fully understand their cloud obligations’ further underlines the ‘dangerous disconnect between perception and reality’ when it comes to public cloud security adoption, Barracuda concludes.

Fifty-four percent of respondents to the Oracle/KPMG report registered confusion with the SRSM for SaaS and 47% polled the same with respect to IaaS. The study also found that many customer personnel who should have the best knowledge of the SRSM do not, in fact, seem to possess it. Just 10% of the CISOs surveyed, and 25% of CIOs, declared that they ‘fully understand’ the SRSM. This is more of a revelation than it might, at first, seem. The report suggests that the cyber security leaders’ lack of assured clarity indicates a lack of involvement in the use of cloud services; that’s because use is often drivenautonomously by line-of-business heads, who (perhaps) are none too concerned about potential security liabilities.

And they should be: 82% of public cloud users polled by the Cloud Threat Report 2019 say that they have experienced adverse security incidents due to ‘confusion over SRSM’. Thirty-four percent of organisations polled state that such confusion about SRSM has led to the introduction of malware (34%) and a similar number of respondents (32%) think it has exposed them to increased risk of auditory and regulatory penalties. This lack of a clear understanding of the SRSM also puts data at risk: 30% of organisations report that, as a result, data was accessed by persons unauthorised to do so. Additionally, 29% of respondents said an unpatched or misconfigured system was compromised due to SRSM confusion. Another contributory confusion factor is a lack of consistency in SRSMs between CSPs, which has also had ramifications. These days it is fairly usual for an organisation to use two or more difference CSPs. Keeping current with the differences between CSPs, sometimes nuanced ones, is a ‘significant challenge’, and one that 46% of Cloud Threat Report 2019 respondents indicate requires one or more dedicated human resources to manage. Indeed, it could well be argued that confusion, and the resulting consequences, around the differences in the SRSM between CSPs is, in part, the cost of using multiple CSPs. The old promise that cloud adoption would make the administration of IT simpler now looks very last-decade indeed... Another survey by McAfee approached the subject from the perspective of trust, and uncovered more disparities between assumed responsibility and actual risk.

The Cloud Adoption and Risk Report 2019 asked respondents how much they ‘trusted their cloud providers to keep their organisation’s data secure’. What happens to data once uploaded to a CSP continues to be one of the biggest concerns of respondents to McAfee’s poll. Fewer than 50% of service providers specify that customer data is ‘owned by the customer’; the rest either claim ownership over all data uploaded, or do not legally specify who actually owns the data. An even smaller number of CSPs delete data ‘immediately’ on account termination, with the remainder keeping data up to 12 months, with some claiming even the ‘right to maintain copies of [customer] data indefinitely’.

However, a total of 69% of McAfee’s respondents reported that they did ‘trust the cloud providers to keep their data secure’, and 12% of same respondents claimed that the CSP is ‘solely responsible for securing their data’, despite the provisions of SRSM, and there is no CSP delivers total security assurance The McAfee report opines that it’s likely, therefore, that (the polled) organisations’ lack of knowledge (at best) and/or ignorance (at worst) means that they are ‘underestimating’ security risks they are subject to by trusting CSPs entirely without applying their own set of controls.

Shadow IT is another cloud-related security challenge that is now making a bigger blip on IT security risk-awareness radars. Despite its essentially illicit nature, Shadow IT has, nonetheless, had some success in normalising the broad notion of cloud-based enterprise computing solutions procured and deployed by staffers without the explicit approval of their IT departments, and paid for on their personal company credit cards. Even as far back as 2016, the Logicalis Global CIO Survey suggested that Shadow IT is ‘now a fact of life for the majority of CIOs’: 90% of IT chiefs polled for that research admitted that they are ‘now by-passed by line-ofbusiness colleagues at least occasionally’.

Subsequently, its proponents sought to re-label Shadow IT less threateningly as ‘flexible IT’ or even ‘devolved IT’, and rather than try to quash the grassroots trend, caught-in-the-middle CIOs were advised by their executive masters to instead enfold it into their management plans. More fatalistic IT chiefs have thought hard about bringing Shadow IT under the remit of ‘progressive’ enterprise IT strategies, but may retain an anti-Shadow stance toward those c-suite execs susceptible to tell of Shadow IT’s perceived business benefits. Those c-suiters with cyber governance nous, however, were and are less likely to be won over by unquantifiable claims put forward by the pro-Shadow lobby; rather, as an expectation arises that – even though they have no innate influence over, or knowledge of, Shadow IT adoption – they should assume responsibility for remediating security-related incidents where Shadow is the known cause, they feel the need to bring forward countervailing arguments more stridently. As Shadow IT proliferates, so too have the potential system security-related issues that it is likely to cause.

The Oracle/KPMG Cloud Threat Report, meanwhile, reckons that Shadow IT is ‘here to stay’, and will continue to flourish independent of attempts by the IT security function to control usage with policies, despite the specific jeopardies it presents to data protection and security governance regulations that have come into force since 2016. The challenge of stemming the tide of Shadow IT is evidenced by the lack of adherence to policies. Business units that use non-approved cloud services and apps for business purposes blatantly ignore the rules, the Cloud Threat Report reminds its readers. Even though most organisations now have a formalise policy to review and approve cloud applications, there has been a substantial year-over-year increase in the concern that such policies are being ignored, violated. Indeed, the 92% of research participants reporting concern that their company has individuals, departments, or lines-of-business in violation of their security policies for the use of cloud applications is a notable 10% point increase from last year’s research (see Cyber Security Europe Spring 2019 issue). But is the concern that individuals, departments, or lines of business are not following policies, resulting in actual Shadow IT application usage? A sizeable 69% of organisations stated that they are aware of a ‘moderate’ or ‘significant’ amount of Shadow IT apps, with another 15% stating they are aware of a few such apps in use.

All that notwithstanding, use of Shadow IT applications has had adverse consequences. The findings in the Cloud Threat Report 2019 survey results clearly indicate that Shadow IT has led to the very outcomes cyber security personnel aim to guard against. Exactly 50% of the respondent organisations report the use of shadowy apps ‘has led to unauthorised access to data’, which is easy to understand when tools like Enterprise File Sync and Sharing (EFSS) services are widely used to share corporate data internally and externally, for instance. Nearly as many organisations polled – 47% – report ‘actual loss of data due to the use of Shadow IT apps’. Such incidents include storing sensitive corporate data in an unauthorised personal cloud application – data that is lost, should a Shadow-inclined employee move on. Shadow IT has also often resulted in the introduction of malware (48%), as malevolent threats employ cloud apps as a cyber attack vector.

Another noteworthy point with regard to the implications of Shadow IT is the ongoing fundamental difference in perceptions between CISOs and CIOs, with CISOs generally of the view that Shadow IT is more problematic than do CIOs. CISOs report incidents caused by Shadow IT apps at more than twice the frequency of CIOs (23% versus 10%). CIOs may, in fact, even see a budgetary benefit from the use of Shadow IT apps, with the cost being submitted as a business expense rather than a funded IT line item. CISOs are unlikely to make such a distinction as they feel responsible for securing all applications and services in use, whether they are approved or unauthorised. Wherever the buck might be supposed to stop, the risks Shadow IT poses are cyber security risks, and so CISOs and their teams are bound to be most sensitive to them; CIOs, arguably, must balance the proliferation and propensity toward Shadow IT against some other considerations. For instance, does it help a workgroup achieve productivity targets? What is the evidence that even known exploits result in security breaches? Does Shadow IT represent acceptable or unacceptable risk? There can be little doubt that these differences of opinion between chief officers are informing lively debates in many board and c-suite executive meetings.

Research in a study by Snow Software, also found that most global workers are ‘going rogue’ with cloud applications despite having been made aware of the potential business risks their actions could result. Rogue Resourceful surveyed 3,000 professionals in Europe, Asia/Asia Pacific and the US, uncovered stark contrasts between the mindset of large sections of today’s workforce and the priorities of IT security leadership. This rift is especially notable in younger ‘millennial’ employees, who are almost twice as likely to go circumvent the security ground-rules than older workers: 81% of those millennials polled admit they have used or accessed something on their work device without proper permission versus just 51% of seniors who have done the same. However, Rogue Resourceful also found that exec-level employees – for example, senior manager, director, vice president, for - were almost twice as likely to use unauthorised professional or personal applications compared to middle-ranking respondents (e.g., entry-level, associate or specialist staffers). At senior levels, c-suite executives (including Presidents and VPs) led the way in using work apps (57%) and personal apps (51%) on their work device without properly authorised permission from their IT managers. There is a disconnect between workers’ behaviour and understanding the business risks of unsanctioned and unmanaged technology. For example, just 7% of the executives polled said that they do not think it causes any business issues – yet 57% have engaged in that exact behaviour by downloading work applications and software without IT’s permission.

ACCREDITATION Words | James Hayes