Ermetic on Thursday released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.
The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.
“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said Michael Sampson, senior analyst for Osterman Research and author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”
The report shows why new cloud data breaches are being reported all the time, said George McGregor, vice president of Approov. McGregor said multi-cloud deployments, plus low investment in security does not make for a good combination.
“Keys and other secrets harvested from cloud repositories are being used to replicate apps and target APIs,” McGregor said. “Of course it’s important for companies to address their cloud security issues, but they must also have a solid strategy in place to defend against malicious use of stolen credentials when they are stolen.”
Bud Broomhead, chief executive officer of Viakoo, said the new frontiers of cybersecurity, such as cloud security or IoT security are often at early stages of maturity. Broomhead said organizations that are mature in their IT and data center security are already overwhelmed and stretched thin.
“That’s why automation and simplification will help organizations accelerate their maturity in areas like cloud security,” Broomhead said. “There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t. Organizations like the Cloud Security Alliance are great resources to evaluate the security for cloud environments under consideration.”
Garret Grajek, chief executive officer of YouAttest, added that a Palo Alto Unit 42 survey said 99% of cloud permissions are over-privileged. Grajek said that’s an astounding gap, one the attackers are driving trucks through.
“It’s important to understand that identities are the gatekeepers to cloud access — just the way firewalls were to on-premise network resources,” Grajek said. “Identity governance is no longer an option or something that needs to be done just once a year for a SOC2, SOX of HIPAA report. It should be part and parcel of the enterprise, and most intelligently coupled with both cloud and a zero-trust network access program to close all the holes.”