1.2 million personal data records
Early in June 2018, Dixons Carphone, a UK consumer technology retailer, reported "unauthorized data access" to its servers that compromised some 1.2 million personal data records. The significance is that this was the first headline-grabbing data breach at a large European corporation following the introduction of the European Union's (EU) General Data Protection Regulation (GDPR) on 25 May.
While we await the outcome of how GDPR will be applied, this episode underlines that attitudes toward cybersecurity have to change and that, in the complex world of enterprise computing, being "secure by design" is not enough.
79% consider cloud applications to be important to their current operations
Gemalto's 2018 Global Cloud Data Security Study found that 79% of respondents consider cloud applications to be important to their current operations, and even more will become reliant on cloud services over the next two years. At the same time, 75% believe that management of privacy and data protection regulations is more complex in the cloud than when using on-premises servers, and just 44% have defined roles and accountability for safeguarding sensitive information in the cloud within their organization.
95% of all cloud security failures will be "the customer's fault"
Gartner research vice president Jay Heiser believes that Infrastructure as a Service (IaaS) providers are becoming so reliable and well protected that by 2022, some 95% of all cloud security failures will be "the customer's fault".
"For now, most of the reported security incidents in cloud are shown to be a result of failures on the user side," says Jim Reavis, CEO of industry group Cloud Security Alliance (CSA). "Examples include improper configurations of storage buckets, failure to utilize multi-factor authentication to protect users and administrators, and improper use of APIs."
4 areas of focus
Chris Martin, CTO of UK telecommunications provider Powwownow, says there are four key areas to focus on when it comes to reducing the complexity of cloud security.
"User identification is very important," Martin says, "and, alongside that, segregation of data that ensures customer data is not accidentally shared with a competitor who uses the same cloud provider. Thirdly, restricting access to data to only those specific employees who need to use it to fulfil their role, and, finally, ensuring data is encrypted in transit and at rest, to reduce the risk of data being meaningful in case it gets breached or compromised."
51% say it's harder to restrict access to services in the cloud
IT departments still worry about loss of control, particularly when it comes to access and user privileges, and visibility into behaviors while accessing cloud services. Fifty-one percent of respondents in the Gemalto survey said that it's harder to restrict access to services in the cloud, while 43% lack confidence that they even know about all the cloud services in use within their enterprise.
1,799 confirmed data breaches in the Verizon report
In its 2018 Data Breach Investigations Report, US telecommunications provider Verizon found that there were so many data breaches involving user credentials stolen by malware that it had to exclude them from its overall analysis.
Even without these numbers, in the 1,799 confirmed data breaches used as the basis of the Verizon report, stolen or misused credentials accounted for nearly 50% of the attacks.
Compounding the issue, some 67% of respondents to the Gemalto survey believe that user identity management is harder in the cloud than in the traditional IT environment – one of the few statistics that hasn't improved over the past three years.
IDaaS to account for 40% of all identity services by 2020
It's a shame that confidence isn't growing, because solutions to identity management in the cloud exist. Identity and Access Management as a Service (IDaaS) is a relatively new but rapidly growing sector, which Gartner is predicting will account for 40% of all identity services by 2020.