Nearly 80% of companies have suffered a data leak from their cloud infrastructures in the last 18 months, according to a recent study by Ermetic. Although the scope of this kind of study, carried out by a company specializing in data protection in the cloud, should be put into perspective, it confirms that companies are not doing enough to tackle this issue.
Microsoft corroborates Ermetic's study, pointing out that 44 million of its active accounts use credentials that have been filtered in the past.
When it comes to responsibility in the cloud, service providers like Amazon or Microsoft and users rely on the "shared responsibility model": the former take care of infrastructure security and the latter of configuring the tools and resources purchased.
Unfortunately, many users don't have the knowledge or skills to handle their share of the responsibility... Which is why analyst firm Gartner predicts that 95% of security problems in the cloud will be attributable to users.
Although companies are beginning to understand the various facets of the cloud (SaaS, IaaS and PaaS, to name but the main ones), they are still a long way from applying basic cybersecurity rules.
According to a recent study by security vendor McAfee, the majority (91%) do not encrypt inactive data, do not support multi-factor authentication, do not delete data immediately after closing an account...
More than ever, it's urgent to strengthen data security in the cloud. There are three main reasons for this:
1 - Don't wait any longer!
Most cloud service providers do an excellent job of integrating multiple levels of security into their platforms. But at the same time, they are making it so easy for employees to store data and access it, that strict identity policies are urgently needed. The democratization of the cloud means that rules have to be put in place, otherwise, sooner or later, sensitive data will be hacked.
2 - Make an inventory
Many companies don't know where all their data is located within its original perimeter (that of pre-cloud integration). And the situation is becoming Kafkaesque with the cloud: many businesses are themselves using applications in the cloud without informing their CIO or IT manager. This is the famous Shadow IT, the bête noire of cybersecurity experts.
Exhaustive mapping is therefore essential. For two major reasons. Firstly, you can only protect what you know. Secondly, you can't be RGPD-compliant, in particular, without knowing exactly who is processing personal data.
3 - Seal internal leaks
In his book, Philippe Trouchaud, partner at PwC, estimates that "35% of incidents are generated by in-house staff", inviting us to rethink cybersecurity by reclaiming the human element.
Ease of access to data is an argument in favor of the cloud. But it's also a double-edged sword. To prevent the cloud from turning against you, it's essential to prioritize access according to business lines and responsibilities.
These three reasons have a single aim: to make you aware that the cloud is an opportunity for growth, but that it needs to be exploited with method and vigilance.
