Moving to the Cloud Means Security Is Not My Problem, Right? Wrong.

Here's the bottom line of McAfee's 2018 report on cloud security: "As sensitive data moves to the cloud, it's natural that bad guys will follow." That's what Sekhar Sarukkai, an executive at McAfee LLC's cloud security unit, told The Wall Street Journal, about the report's conclusions.

Of the 1,400 IT execs whose experiences are included in the study, 20 percent say their organization has suffered advanced attacks against their cloud infrastructure. Twenty-five percent report data stolen from their public cloud.

That's not surprising when you consider two other findings from the report:

1. Organizations reflected in the McAfee study record an average of 2,200 security incidents per month as a direct result of misconfigured cloud services (14 on average at any given time.)
2. More than 80 percent of cloud deployments include confidential information — 21 percent of which includes sensitive information like credit card numbers, health data, trade secrets, personally identifiable information (PII), and confidential emails.

Poor security coupled with high-value data that is often inadvertently open to the public is a recipe for a data disaster (and, increasingly, a regulatory fine). But why is cloud data so vulnerable?

McAfee says the root cause is often a lack of skilled cloud security team members and a continued reliance on manual processes, mirroring the same issues faced by teams deploying apps on-prem. But there is a more basic reason, according to the WSJ.

"A lot of companies feel they have less responsibility for security once they move to the cloud and that vendors will be accountable. That's not the case," said Dannie Combs, chief information security officer at Donnelley Financial Solutions Inc., of Chicago.

That's understandable since many executives have the mistaken impression that once you move to someone else's environment, the burden for application and data security is built-in to the services you have purchased. Even some cybersecurity professionals think that using their vendors' minimal security tools is "good enough." Both views are dangerously wrong.

When moving to a public or private cloud, you're still responsible for the security of your applications and data. That also means if your Web Application Firewall (WAF) is not providing the level of security you want or need in your data center; it's not going to perform any better in the cloud (neither is your cloud provider's WAF if they offer one). Likewise, if you are struggling to patch or upgrade your enterprise web applications today, you will continue to risk attacks and compliance issues by failing to patch or upgrade on a timely basis in the cloud.

Cloud Application Security

Moving your infrastructure to the cloud has clear advantages for most organizations, but reduced responsibility for application and data protection is not among them. Improving your cybersecurity posture by easily moving to the latest and most effective security technologies is.