The SANS Institute released a new cloud security report recently based on a survey of several hundred companies across the US, Asia, Europe, and Canada. The companies surveyed ranged from the small (under 1000 employees) to the very large (over 50000 employees) and represented a variety of industries including 32 percent from the technology sector and 11 percent from the finance sector.
The survey, conducted by researcher Dave Shackleford, presented companies with questions about the applications and data they had on the cloud, their concerns about cloud storage, the cloud attacks they had experienced in the past, security technologies they had implemented, and the challenges they faced.
Nineteen percent or nearly one in five of the companies surveyed said that they had suffered a breach at some point in the previous year. Seventy-two percent were absolutely sure they hadn’t experienced a breach, while 9 percent said they were not sure.
Most respondents listed “unauthorized access by outsiders” as their biggest security concern. The concern categories more likely to actually cause intrusions, however, were lack of skills and training to operate securely in the cloud environment, not configuring cloud components and interfaces with security in mind, inadequate or non-existent auditing practices, and downtime.
Credential hijacking was reported as the most common attack method, followed by poor configurations and privileged user abuse. Other significant attack methods were insecure interface compromise, shadow IT, DoS attacks, and data exfiltration.
The responses in the security-technologies segment of the survey were concerning, with only 44 percent of the surveyed companies using APIs provided by the cloud service provider. More than 65 percent said they had integrated in-house and cloud MFA. Over 50 percent had integrated vulnerability scanning, anti-malware measures, and network access controls.
The report concluded that, overall, cloud security seemed to be getting stronger and more effective with time. Better built-in security features in cloud services, an increase in solutions to cover gaps in home-cloud integration, more frequent penetration testing, and increased awareness about threats had all contributed to the positive change.