Spending on the basics, not just technology is vital for cloud security: Report

Share post:

CISOs have known for years that money alone doesn’t buy security in on-premises environments. The lesson is the same in the cloud, according to a new report.

Produced by IDC and sponsored by Bell Canada, the analyst’s brief released this month is based on a survey of the cloud adoption of 300 medium and large organizations, their security capabilities, and their success at delivering strong security outcomes.

Among the surprising findings: The highest security technology spenders had more breaches than average. Technology alone wasn’t keeping organizations in the study secure. It also needs to include processes, tools, and people.

Only 52 per cent of organizations studied were able to protect themselves from a security breach, the survey concluded.

It also showed that only 34 per cent deployed cloud security posture management solutions, “leaving the remainder exposed to misconfigurations,” the study concluded.

In a lot of ways, said David Senf, a senior manager in Bell Canada’s security practice, the study shows IT departments need to focus on cybersecurity basics.

“What organizations aren’t doing enough of is focusing on knowing what they have in the cloud, what are the misconfigs, what are the actual risk levels, so they can allocate resources more effectively.”

Survey results also showed that organizations that focused on detection — including logging and monitoring IT network activity and automating response — did better than others.

The study grouped responding organizations into four categories:

Traditionalists, who are stuck in legacy skills, processes and technology, and had limited cloud adoption;

Pragmatists, who had slower than average cloud adoption but were starting to take the right security actions. Generally they fared better than others in security outcomes;

Strategists, who took a measured approach to the cloud and had the best security outcomes.

Denialists, who had rapid cloud migration but primarily relied on security technologies for data protection. They suffered the worst security outcomes of the four groups because the right security processes were not in place.

IT departments should strive to emulate the approach of Strategists, says the report.

The organizations in this group find the proper balance between speed of cloud adoption and taking time to implement security processes,” the report says.

“In addition, they focus on increasing the security skills of developers and IT and security staff. They do not rely as heavily on technology solutions as the less-secure Denialists do. They acknowledge that improving security maturity involves a continuous investment of resources and ongoing management; it is a strategy, not a project. They recognize that maintaining security takes time and if planned properly, without significant hardship.”

Strategists

–use security frameworks such as those from the Cloud Security Alliance, the U.S. National Institute for Standards and Technology (NIST), the ISO and the Centre for Internet Security (CIS);

–focus on key security processes, such as having an ongoing inventory of cloud services, continuous assessment of cloud configurations, managing entitlements, and threat detection;

–both shift left (integrate security early in their application development process) and shield right (execute strong security of their live applications);

–use cloud security posture management tools and processes to detect misconfigurations and drifts from a known good state;

–automate security tasks where possible;

–and ensure cloud control through the use of cloud access security brokers and zero-trust network access.

“Things like how fast do you respond to an incident, how much protection did you put in place, how fast can you recover are important” in cloud environments, said Senf, “but if you don’t have the foundational elements of ‘what’s the inventory [of cloud services]’, ‘can I detect when something’s happening’, then, relative to your peers, you’re not going to be performing as well [as other organizations] from a security perspective.”

The post Spending on the basics, not just technology is vital for cloud security: Report first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Cyber Security Today, Week in Review for week ending Friday, March 22, 2024

This episode features discussion on lessons learned from the ransomware attack on the British Library, advice for managing expectations of IT/security teams, why firms are leaving Google Firebase unprotecte

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways