Cloud migration yields security gains, even in the heavily regulated financial services and healthcare sectors, according to a new report commissioned by digital services provider Presidio.

Just over half of the more than 1,000 IT leaders surveyed by Censuswide for Presidio in April and May said cloud technologies make it easier to keep up with changing data privacy and infrastructure security regulations, including 57% of respondents from financial services companies and 56% of healthcare executives.

The survey highlights the paradoxical relationship between cybersecurity and modernization. Three in five respondents believe cloud enables faster and more flexible threat response capabilities, but the same number see cyber concerns as both an obstacle to and a reason for cloud adoption.

Efficiency gains, innovation opportunities and CapEx reductions are, by now, obvious motivations for aggressive cloud adoption. Caution fueled by security and compliance concerns embody a looming counterforce, particularly in highly regulated sectors.

Many companies continue to rank security challenges as the top impediment to cloud adoption, a dynamic that’s particularly acute in finance and healthcare, according to Presidio.

These concerns are not unfounded. Cloud security professionals expect an uptick in cloud data breaches over the next year and SaaS application proliferation has opened up new threat vectors, according to recent reports.

“The hardest piece of this whole thing is secure connectivity,” said Presidio CTO Rob Kim in an interview with CIO Dive. “It's only gotten more difficult, especially when you have to distribute data and application access to a remote workforce."

“You need to develop a completely different security strategy, apply policies to enforce that strategy, and deploy technologies to make sure that you're fulfilling compliance,” said Kim

Better alignment between providers and compliance standards, coupled with clearer security guidance from CISA, NIST and the Cloud Security Alliance has given companies a clearer way toward improved security and compliance, according to the report.

The perceived cost of new cyber solutions, lack of clarity around cloud security protocols and trouble sourcing cyber talent are the three primary roadblocks companies are grappling with.

Buy-in on the concept of cloud is not an impediment.

“AWS and Microsoft don't need help convincing clients to do cloud native-based development work,” Kim said.

Microsoft CVP and CISO Bret Arsenault said cloud is a key component of cybersecurity defense amid a climate of increasing identity-based attacks, speaking during a Washington Post Live event.

Microsoft analysis shows a 60% increase in password-based attacks, Arsenault said. Password attacks went from 600 per second last year to 920 in 2022, according to Arsenault.

"You want to be able to have a signal that helps you see, predict and protect you from those kinds of situations," said Arsenault. "That honestly can really only be done at cloud scale."

Consider the threat landscape an organization must grapple with today. From insider threats to remote ransomware attacks or supply chain software compromises, the watchword is: trust no one.

No organization is immune to attacks, especially as sophisticated actors target the authentication process. A recent text-message phishing campaign dubbed Oktapus or Scatter Swine compromised almost 10,000 user credentials across 136 organizations.

The pervasiveness of identity-based attacks led Microsoft to begin a journey toward a passwordless environment that is years in the making. 

"Instead of saying 2FA everywhere, which meant having a smart card or some other component, we said: what if we could just get rid of passwords? And that became a design change principle for the way we did things," said Arsenault.

Having the power of the cloud to detect, track and respond to threats has been a key component to cyber defense at Microsoft, he said.

"The ability to have signal and then to act on that signal, and I see it repeatedly in our environment, is really changing the game for us," said Arsenault.

Arsenault depicted a "brilliant basics" model to fending off attackers:

• Make sure you have multifactor authentication
• Only allow access from certifiably healthy devices
• Ensure you're collecting the telemetry that lets you look for and/or detect anomalies as they happen at cloud-scale.

Organizations thinking through their security posture see the cloud as both an enabler and a risk factor, research shows. 

Three in five companies believe cloud leads to faster and more flexible threat response, but the same proportion says cyber concerns constitute an obstacle to, and a reason, for cloud adoption, according to a report from Presidio. 

Cloud implementations are an attractive target for malicious actors. 

More than 4 in 5 companies report they've had a cloud-related security incident in the last 12 months, Venafi data shows. Nearly half of companies say they've had at least four incidents over the same period. 

Risk assessment is one of those best practices that is easy to overlook or de-prioritize until it’s too late. Perhaps your organization has sidelined risk assessment to take care of other tasks that bring in revenue, but when you lack a solid risk assessment program, you may not realize how many revenue opportunities are lost. Perhaps you’ve performed a risk assessment at a bare minimum level to tick a checkbox on a compliance audit but you know your organization is still vulnerable.

No matter where you are in your risk assessment journey, the below will help you achieve a more robust, thorough risk assessment while also making the process easier for you to manage.

Risk assessment 101

There are countless methods and strategies for managing risk, but the industry-accepted gold standard is ISO risk assessment - the risk assessment process specifically detailed in ISO 27001. This is what Vanta has used for the basis of our enhanced Risk Management solution.

The five stages of risk assessment

ISO risk assessment or risk management is laid out as a five-step cycle for continuous risk assessment. Let’s take a brief look at each of these five stages and how they form a rich and productive risk assessment program.

01. Identify risks

The first stage is to identify risk scenarios that could affect your business. These are hypothetical situations that have the potential to occur. Those risks will vary based on the organization. For example, there are certain risks that are inherent to organizations that have remote employees. At this stage, you aren’t assessing vulnerabilities or how to mitigate them. You’re merely determining whether the risk is hypothetically possible.

02. Assess and prioritize risks

Now that you have a list of potential risks for your organization, this second stage involves reviewing each of those risks individually. You’ll consider each risk and determine how high-priority or low-priority it is based on factors like the likelihood of the problem occurring and the impact it would have if it were to occur.

03. Treat risks

The third stage is to plan how to treat each risk. Some you may be able to eliminate entirely, while for others, there may be ways to make them less likely or less impactful. Some risks may be so low-likelihood or low-impact that it isn’t practical to make any changes. At this stage, you’re making a plan of action (or inaction) for each risk.

04. Implement treatments, track progress and verify

In the fourth stage, you’re putting your risk treatments into action. You’re also establishing a way to track the progress of these implementations and verify their success.

05. Report and re-evaluate

The final risk assessment step is to report your organization’s risks, how you’re approaching them and what impact your risk management efforts have had. This stage also includes setting up a process to continuously evaluate your risks and continue the cycle.

While the five stages above are commonly accepted risk assessment practices, Vanta uses this as merely a starting point. We dive into further detail by basing our Risk Management solution on the RA process in ISO 27001. 

Top challenges with risk management

Excessive risk

Quite frankly, the risk assessment process can seem unconquerable and overwhelming when you first begin. Finding all the risks that could possibly affect your business might seem akin to listing all the potential illnesses you could come into contact with as you go about your daily life.

With this mountain in front of them, many organizations end up doing the bare minimum to meet any auditing needs they may have, while neglecting their long-term risk management. In the meantime, the organization remains highly vulnerable, leading to high cybersecurity risks, high cyber insurance costs and potentially a loss of revenue opportunities. The solution is a more proactive and continuous approach to risk assessment. Organizations need an optimized workflow that makes it al more manageable. This lowers the organization’s risks and cyber insurance costs and gives them confidence that they have a long-term solution that meets any standards they need to comply with. It’s all about having a genuine ongoing program, rather than checking a box on an audit. 

Manual and complex process

For many organizations, the risk assessment process is manual, complicated and downright arduous. There’s a complex web of spreadsheets, documents and emails that are hacked together. You’re creating reports and content from scratch, trying to juggle task management and potentially spending hours of valuable analyst time or valuable consultant time to take you through the process. When audit time comes, you’re also drowning in emails and phone calls with your auditor to send them the evidence and information they need.

The solution is an automated and simplified SaaS-based platform that manages everything in one place. Ideally, this SaaS platform can guide you through the process (so you can skip the expense of a consultant) in addition to providing templates, automated tracking and testing and a unified platform that compiles all the evidence your auditor needs in one place.

Inflexibility

Many existing platforms for assessing risk offer little or no customization. They’re designed to work in a specific way and teams end up paying top dollar, but then struggle to make its process fit their workflows when the processes simply aren’t flexible enough to customize. Many tools are highly segmented, in that they only support one infosec standard with little or no ability to work with each other. Organizations find themselves purchasing several tools and constructing a cumbersome workflow that jumps around between them. There is also the issue with a tool being so overly simplistic that it can’t scale with the organization as it grows, so teams find themselves reinventing their risk management program every few years. The solution is a single platform with scalable, robust capabilities. A tool that can handle multiple infosec standards allows organizations to integrate all their risk assessment needs into one place, and if well-constructed, these solutions are applicable for managing risk outside of compliance requirements too. Organizations need the ability to customize their risk assessment, such as by adding custom risks and treatment plans in addition to migrating existing risk assessment work from their old system.

Vanta’s Risk Management was designed to address all of the challenges above in order to be the unified, customizable, integrated, scalable solution you’ve been looking for. Not only can you ensure that you’re ready for any audits you need to pass, but you can have confidence that you’ve addressed your risks as thoroughly as possible.

To learn more, read the full guide here, or connect with a team member today.

More than 80% of organizations have experienced a cloud-related security incident over the past 12-month period, according to research from Venafi. Almost half of those organizations reported at least four incidents over the same period. 

Companies are rapidly undergoing digital transformation to the cloud. Organizations in the study currently host 2 in 5 applications in the cloud, however that figure is expected to reach 3 in 5 over the next 18 months. 

Despite those rapid changes, more than half of all organizations said they consider the risk of security incidents higher in the cloud, compared with on-premises environments.

The operational and security concerns that emerge from moving to the cloud include hijacking of accounts, ransomware, data privacy issues and nation-state attacks.

Organizations most commonly encountered security incidents during runtime, unauthorized access and misconfigurations. All were cited by about one-third of respondents.

“Attackers are now on board with businesses' shift to cloud computing,” Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said in a blog post. “The ripest target of attack in the cloud is identity management, especially machine identities.”

Responsibility for maintaining cloud security has also shifted within organizations, as 25% of enterprise security teams are the most likely to manage cloud security. Operations teams accountable for cloud infrastructure account for 23%, followed by collaborative teams and DevSecOps.

The study of 1,100 security decision makers was conducted by Sapio in July. The officials were based in a range of international markets, including the U.S., U.K., France, Germany, the Benelux countries and Australia.

Organizations have many reasons to move to the cloud — efficiency, cost control, nimbleness. While security may not top the list, or determine cloud provider selection, it’s an attribute that Amazon Web Services says helps win over prospective customers.

The security posture of applications and data that customers run on AWS is “materially better than in their own on-premises infrastructure or any other cloud,” AWS CEO Adam Selipsky said during his keynote at AWS re:Invent.

“The safety and security, the protection of your data and apps, are prerequisites for the confidence needed for the digital transformation so many companies are undergoing,” Selipsky said.

There are four elements, he said, that support the security of AWS’ cloud.

The first is foundational, where AWS infrastructure and services are designed and managed. That infrastructure, which is constantly monitored, “offers fault-isolation capabilities to improve resilience and allows encryption in all of the data flowing across the AWS network before it leaves our secured facilities,” he said.

Security is also woven into the development phase for organizations writing code for applications and services on AWS, Selipsky said. “Builders no longer have to trade off security with speed."

"On AWS, building securely is the path of least resistance,” he said.

The next layer contributing to the security of AWS is through cloud security products and features the company has built to help organizations identify, remediate and remove vulnerabilities and threats in their applications.

This includes products for automated security checks and vulnerability management, data discovery and protection, a managed DDoS protection service and threat detection via Amazon GuardDuty.

“We’ve taken our security learnings and your feedback to build machine learning models that intelligently continuously monitor and identify hard-to-detect threats, often a lot faster than other security products,” Selipsky said.

AWS earlier this year expanded GuardDuty’s purview to detect threats within managed Kubernetes environments, and that’s now being extended to include container runtime threat detection.

This feature will detect threats from software running inside a container by monitoring operating system-level behavior, such as file access, process execution and network connections.

“It can detect an attempt to access underlying compute nodes and obtain an instance’s credentials or identify a container that’s trying to communicate with the malicious actors' command and control server,” Selipsky said.

That level of specificity symbolizes the company’s strategy to provide embedded security controls where it can flex its expertise.

That strategy also leaves room for third-party vendors to sell services to AWS customers that fulfill distinct needs. 

Thousands of offerings on the AWS Marketplace are integrated into AWS, including products for application security, data protection, perimeter protection, compliance, and identity and access controls.

“Companies usually employ a wide range of these services and tools to help improve their security posture,” Selipsky said.

A majority of cloud security and engineering professionals expect cloud data breach risks to increase over the next year, according to an annual report on the state of cloud security published by Snyk. 

The heightened risk profile is consistent with the data breaches, leaks and intrusions organizations suffered in their cloud environments last year. Four out of five respondents said their organization suffered a serious cloud security incident last year, including breaches, leaks, intrusions, compliance violations, failed audits, system downtime and cryptomining.

Companies primarily using the cloud to host migrated applications suffered cloud security incidents most often, an experience reported by nearly nine out of 10 professionals surveyed. Serious cloud security incidents also impacted companies hosting third-party apps or building and running in-house apps in the cloud at a rate of at least 70%, the report said.

The perception of growing risk amid common occurrences accentuates the persistent cloud security challenges organizations confront as they deploy and invest in more cloud infrastructure.

System downtime due to misconfiguration and cloud data breaches were the most commonly reported security incidents among the 400 cloud engineers and security professionals surveyed. Snyk commissioned Propeller Insights to conduct the survey during the second quarter of 2022.

Just one out of five respondents reported no major cloud security incidents. However, a quarter of professionals said they worry their organization unknowingly suffered a data breach recently.

This gap in cloud infrastructure visibility underscores the increased complexity organizations encounter in cloud-native infrastructure. Two-fifths of respondents said cloud-native service and architecture adoption inflicts a major impact on cloud security efforts due to additional complexity.

Granting API access to the cloud control plane for cloud development and configuration opens a potentially expansive attack surface for threat actors to target.

“Every major cloud data breach involves attackers compromising the cloud API control plane for discovery, movement and extraction,” the report said. These attacks exploit architectural misconfigurations involving more than one resource. 

Containers introduce additional cloud security risks, according to Snyk. One in five respondents that are using container-based architectures reported no container-related security issues.

Lackluster cloud security efforts cause application deployment delays and impose significant demands on cloud engineering and security teams, the report said. Respondents cited a lack of cloud security policy awareness as the leading cause of cloud security failures.

Google elevated Chronicle to be its marquee brand for its growing suite of security operations software and said it has no plans to change the strategy or branding for Mandiant, which it formally acquired in September for $5.4 billion.

Mandiant strengthens Google Cloud’s ability to contextualize and analyze the data it collects on every major threat actor and incident, Google Cloud VP and CISO Phil Venables said via email. He described it as a natural and complementary pairing that requires no changes. 

Google is on a mission to become a standalone and all-inclusive security brand, and executives shared multiple updates prior to Google Cloud Next that bolster that vision. 

Capabilities housed under Chronicle are more of a reactive defense designed to help customers sift through data and hunt threats to understand what went wrong and how to stop attacks, according to Venables.

“With Mandiant, we become proactive — we can use validation to see how well customers' current security tools are working, look at the attack surface for holes and gaps, take what Mandiant knows via their incident response programs and figure out how we can stop those threats from impacting our customers, proactively,” he said.

“Acquiring Mandiant inherently helps us become a proactive force,” Venables said.

Google’s reorganization includes the formation of Chronicle Security Operations, which combines Chronicle, its security information and event management technology, with the security orchestration, automation and response capabilities it acquired through Siemplify earlier this year.

Siemplify is now Chronicle SOAR and the security analytics capabilities have been rebranded as Chronicle SIEM. Google intends to lean on Mandiant to bring additional threat intelligence and incident response and exposure management to the Chronicle unit.

“Over the coming quarters, you’ll see a greater investment in new proactive offerings to better help us provide an end-to-end security operations stack for our customers,” Venables said. “Mandiant is helping us complete a big piece of the security puzzle, and we’re now better equipped to help our customers detect and respond to threats than ever before.”

Google also introduced Software Delivery Shield, its latest effort to improve software supply chain security with a fully managed offering that includes capabilities for application development, supply, CI/CD, production environments and policies.

The move follows Google’s unveiling of the Assured Open Source Software service in May, which packages the same workflows its developers rely on to strengthen and validate the open source software supply chain.

Venables, in an interview with Cybersecurity Dive in August, said Google expects to turn more of its internal technology into security products. Further acquisitions and organic growth in Google’s security business is likely, he said at the time.

“We think we can be a leading security brand,” Venables said, “because we’ve had so much experience in building security capabilities into our own platform, and doing it at significant scale.”

Confidential computing can secure the cloud, including the applications it powers, by isolating data and preventing unauthorized modification or access, according to executives at Google Cloud and Intel.  

The relatively nascent technology, which aims to encrypt data while in use, is gaining momentum as cloud providers and chipmakers hasten development and upgrade offerings. 

Confidential computing bolsters many of the strengths underpinning cloud infrastructure, Vint Cerf, VP and chief internet evangelist at Google Cloud, said during a call with journalists and analysts. 

“The important thing in a shared environment is to isolate everyone from everyone else, including from the provider of the cloud to certain facilities,” he said. “The confidential computing technique exactly achieves that objective so users are completely isolated from everyone including the vendor.”

Organizations that are compelled to show certain standards have been met to protect data for regulatory or insurance reasons could use confidential computing as evidence of their care for that objective, Cerf said. 

Confidential computing creates additional value in a cloud environment because it allows multiple parties to do more with the infrastructure and data they already have, according to Anil Rao, VP and GM of systems architecture and engineering in the office of the CTO at Intel. 

This includes machine learning services that preserve privacy in compute environments shared by multiple organizations.

“We want to make it such that people don't worry about the security and trustworthiness of their data,” Rao said. Organizations can use confidential computing to control their data and provide access to trusted parties in a manner that is verifiable, revocable and time sensitive, he said. 

Confidential computing can’t solve all of these challenges today, but it’s showing promise and it’s reasonable to assume confidential computing will be a common use case delivering on this vision within five years, according to the Intel and Google executives.

The global confidential computing market is projected to grow at a compound annual growth rate of almost 25% and hit almost $8.2 billion by 2027, according to an October report by Research and Markets.

There’s plenty of work remaining and not everything in the cloud has the capability to provide confidential computing yet, but the vision and hope for the technology is broad.

“My honest belief is that the mechanism of confidential computing may actually be a way of surrounding software that might be misbehaving in a way,” Cerf said. “It isolates it from everything else in the cloud.”