With the increasing popularity of bring-your-own-device (BYOD) policies and public cloud offerings, enterprises are moving from on-premises applications to cloud apps – but they still lack faith in cloud security.
A recent July Bitglass study found that 67 percent of respondents believe cloud apps are as secure or more secure than on-premises apps — a significantly higher statistic than the 40 percent recorded in 2015. Despite this, 93 percent of respondents are at least moderately concerned about the security of the cloud.
“So you have this kind of seeming contradiction where people say, ‘yes, it’s just as secure or more secure, than on-prem ways of doing things.’ But also, ‘we’re very concerned about it,’” said Jacob Serpa, researcher with Bitglass in a podcast interview with Threatpost. “So I just think that one thing that really jumped out of the report was that emphasis on the shared responsibility model of security, and how organizations can say, hey, the cloud is secure. But we have to use it wisely.”
Below is a full podcast interview with Serpa breaking down the top takeaways from the report and how enterprises are challenged by cloud security threats and concerns. Also scroll down for a transcript.
Below is a lightly edited transcript of the podcast.
Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost. And I’m joined today by Jacob Serpa at Bitglass to discuss the top challenges, trends and solutions when it comes to cloud security. Jacob, thanks so much for joining us today.
Jacob Serpa: Absolutely, thanks for having me.
LO: Yeah. So Bitglass recently came out with a new 2019 Cloud Security report called ‘Guardians of the Cloud.’ And I’m actually a big Guardians of the Galaxy fan, Jacob. So I definitely appreciate the reference there.
JS: Absolutely. Yeah. Big Marvel fan.
LO: So cloud security is a huge topic these days, especially with complex cloud environments, and especially with the popularity of remote working and bring-your-own device and apps. So you know, with all that in mind, can you tell us some more about the background of this report and what you guys were trying to really dig deeper into when it comes to cloud security?
JS: Yeah, really good question. So you touched on a little bit of it, in the question itself, but you know, things are changing now more quickly than they have in the past when it comes to enterprise security. And it used to be that the enterprise had all their data and applications and everything on-premise. But as we become more of a cloud- and BYOD-world (BYOD, of course meaning bring your own device where employees can work from their personal devices), a lot of our traditional security tools become less and less useful. And so what we really want to do with our research is just kind of uncover what’s happening in security in the enterprise: Are organizations prioritizing the things that they should be, what are they using to protect their data now, so on and so forth. So really just curious about what’s happening in the enterprise today.
LO: What was the main kind of crowd that you guys were looking to survey and research for this report?
JS: We did a survey that connected with IT and security professionals and a little bit of IT operations. There were a few compliance folks in there as well, I believe; it was IT and compliance and security. And then, as far as company size, it was a pretty big split, we had some companies that were smaller than 10, and then some that were over 10,000 — and everything in between, so a pretty broad set of demographics.
LO: So what were the biggest takeaways from the report? Or maybe even something that just surprised you, something that you found might have changed in 2019 versus 2018?
JS: One thing that really jumped out at me was, we asked “how concerned are you about the security of the cloud?” And the other question was, “when compared to on premises apps, how do you see public cloud apps? Are they more secure or less secure, as secure?” On the whole, most organizations think that public cloud apps are at least as secure or perhaps more secure than their on premises alternatives. Now, when you combine that with the other question, 93 percent of respondents were at least moderately concerned about the security of the cloud. So you have this kind of seeming contradiction where people say, “yes, it’s just as secure or more secure than on-prem ways of doing things.” But also, “we’re very concerned about it.”
I think what that taps into is this shared responsibility model of security where, you can trust the Amazons and the Microsofts to make sure that their offerings are secure on the back end; Office 365 and AWS are examples. They’re designed in such a way that the security of the application is a big priority. The issue is, how do we use those securely? Who do we allow to access data? How do we prevent data leakage and external sharing? So I just think that one thing that really jumped out of the report was that emphasis on the shared responsibility model of security, and how organizations can say, hey, the cloud is secure. But we have to use it wisely.
LO: Yeah, that’s really interesting. And it kind of leads me to a separate point that stuck out to me, which was that you guys found that 75 percent of companies are leveraging multiple cloud solutions, but only 20 percent of them have full visibility over cross-app, anomalous behavior. Why do you think that is? I thought that was just a really interesting tidbit. And it also points to a big challenge that a lot of firms are facing.
JS: What happens a lot of the time is that organizations start moving to the cloud with just one sanctioned application, usually, it’s going to be Office 365, or some big kind of productivity suite like that. And, they start with that application, or that set of applications that are all owned by Microsoft, and they say, yeah, this is useful and efficient. And we like the native security functionality in here. You know, we kind of just inherently trust Microsoft, because they’re a known vendor, all this kind of stuff.
Then they say, okay, well, cloud apps are useful, what else can we use? And so then they adopt more and more, they go into Salesforce for instance, all these kinds of things. So what happens as they do that, they find very quickly that for these cloud applications, their native security features are quite disjointed and quite disparate. And so what I mean by that is, not all of them provide the same levels of visibility and control. And a lot of the time they are reactive, “after the fact” security controls rather than proactive in-line security. So that’s the first issue, that they vary quite widely.
And the second is that, these apps are standalone products, right? And so what your IT teams are forced to do is go in and manage each of these individually and configure each of these individually and set security policies on a one-off fashion, in whatever way they can with each application. That’s not an ideal setup for security; for your IT team and security teams that’s kind of a logistical headache. So we are seeing more organizations waking up to that as they adopt more and more cloud applications, because it becomes more and more challenging to manage all of them individually.
And that’s where people are turning to tools that provide cross-app visibility and cross-app control in a way that’s consistent. So not just cross-app, you want to make sure that your data is protected comprehensively, wherever it goes.
LO: Right. It seems like that’s not something that people had any foresight into when they were first adopting all these different cloud apps solutions as well. So definitely emerging challenge there.
Another interesting point for me was the top concern that a lot of the IT professionals surveyed had this year was malware. And you had asked them about the most concerning data-leakage vector for firms. In previous years, a lot of professionals were mostly uncertain about app infrastructure vulnerabilities and compromised accounts. Was there any particular incident or set of incidents, or overarching trends, that are really triggering this concern around malware?
JS: Yeah, it’s really interesting. One of the things you touched on in there was the fact that concerns around app infrastructure vulnerabilities have gone down pretty significantly. And what we noticed in our data was that concerns around misconfigurations in the cloud went up. And so I think, once again, that goes back to organizations realizing the underlying infrastructure of these apps can be trusted, they’re secure, but we have to use them properly, and make sure that they’re configured in a way that protects data, according to the standards that we want to set forth.
So that’s one kind of shift with a little bit of an explanation. But as far as malware, I think it’s always kind of been the bogeyman, and rightfully so. We had WannaCry a couple years ago, that was shutting down enterprises around the world, in a really widescale fashion. And even a couple of months ago, WannaCry was still one of the most common malware infections that were out there, along with a number of others, like Ghost and Coinminer and Trickbot and some of these. So I don’t think it’s necessarily that there has been one specific strain of malware that is throwing everybody into a tizzy, I think, rather, it’s just the continued reality of there are a lot of threats out there. And it can be complicated to defend against them, particularly when you have more and more threats being created every single day, by the thousands in fact.
You have this known malware out there that’s been seen before, and it’s a little bit easier to defend against those. But it’s the zero-day stuff that’s really dangerous, because A), signature-based tools don’t know what to look for, and B), we don’t know how these things are going to behave. And so it’s a big question mark, maybe some are pretty benign, but others might completely just tear up your infrastructure. But either way, malware is a huge concern.
And I think organizations have to be able to defend against it in new ways, especially as we move into more and more of a cloud and BYOD world. So traditional strategies of, “well, we’ll just install endpoint protection on every endpoint” don’t necessarily work that well anymore, because now you have data sitting inside of cloud applications that might carry malware, you have unmanaged or personal devices that don’t have that endpoint protection or anti-malware stuff installed on them, and then you’re going to allow those to access your corporate resources. So there are a lot more attack vectors, a lot more ways for malware to get into the enterprise today. I think that it’s really critical for organizations to adopt tools that can defend against malware anywhere, not just on these managed corporate assets, where they want to install endpoint software to try to defend against malware there, you also have to defend against infections in the cloud, across your applications and even on personal endpoints. So the picture’s gotten quite a bit more complicated in recent times.
LO: Right. Even just looking at that question about data-leakage vectors, they’re all pretty big threats that enterprises are facing, like you mentioned, misconfigurations, I feel like I see different misconfiguration-based data exposures almost every day now in the news, unfortunately, and compromised accounts seem pretty obvious at this point. And then unmanaged devices too like you were saying is also a big threat, which, I also wanted to talk about.
We briefly touched upon this, but BYOD policies, and the increase in more remote workers and what that means for cloud security for enterprises, did you get any kind of sense about how companies are prioritizing securing mobile devices in 2019 at all, or what kind of sensibilities they have around that area?
JS: Yeah, BYOD is another really big kind of topic in security, because organizations want to secure these devices, but they’re kind of a new challenge. When it’s just a managed device (it’s owned by the company, it’s a corporate asset) IT departments can do whatever they want to them (they can install software on them, they have physical access to them whenever they want, all that kind of stuff). But when it comes to personal devices, these are owned by employees, and a lot of the time IT departments are never going to get to actually physically see these things. So it does require a different kind of strategy to secure them. And I think what a lot of organizations are experiencing is some growing pains around, how do we secure these devices as we seek to enable more organizational flexibility and let our employees work in the ways that they want to, so that they can collaborate more, and we can have greater efficiency and all this kind of stuff.
What they’ll do a lot of the time is say, “well, we just use agents, like we do with managed devices,” and they’ll install those on personal devices. But that doesn’t always work, because employees will often reject those, because they do look into everything that happens on that device. If it’s a managed endpoint, it belongs to the company, then that’s fine. It’s company property. But if an IT department is going to have visibility into everything that an employee is doing personally on their personal device, well, now you have an invasion of privacy potentially, so a lot of employees are rejecting those things.
So that’s one route that enterprises go a lot of the time is, “well, we’ll just use agents.” Another is they say, “well, we don’t want to use agents, but we don’t have any way to secure BYOD endpoints. So we’re just not going to allow personal device access.” And then the other kind of extreme is “well, we’ll just let all them access it, we don’t really have a good way to protect them, etc., etc.” So I think there’s still a little bit of confusion out there about how exactly do we do this; organizations have picked one of the strategies of either just let them have all the access they want, we’re going to try to put agents on all these things, or no more personal device access.
I think what they should be thinking about instead is how do we enable these securely in a way that is custom-tailored to BYO endpoints. I think it will grow as a concern in the enterprise as BYOD is enabled more and more. But for right now, in the data, like you mentioned, malware and compromised accounts seem to be the two concerns that are kind of leading the pack. BYOD I think is primed and ready to increase in priority in next year’s report.
LO: Right. Well, Jacob, thanks so much for joining us today to discuss the top cloud security trends and break down Bitglass’ 2019 Cloud Security report.
JS: Absolutely. Thanks for having me. It’s been a pleasure.
LO: Great. Once again, this is Lindsey O’Donnell with Threatpost, talking with Jacob Serpa with Bitglass. Catch us next week on the Threatpost podcast.