Although many enterprises have user access security measures in place, both on-premises and in the cloud, they may not have enough, warned the Cloud Security Alliance in a new report.
The report, "Identity Solutions: Security Beyond the Perimeter," was released April 21. It's based on 325 online interviews conducted worldwide by the CSA. The findings revealed "no significant differences in security solutions used" between respondents who reported a breach and those who didn't, according to the report, which was sponsored by Centrify, maker of identity security tools for the enterprise.
When asked in the CSA survey if their company had ever reported a data breach, 17% of respondents said yes, 26% said they were unsure, and 57% said no. Of those who said their company had reported a breach, 22% said the breach was caused by compromised credentials.
Data breaches, account hijacking, and malicious insiders were identified by the CSA earlier this year as being among the 12 critical issues to cloud security. The CSA report, "The Treacherous Twelve: Cloud Computing Top Threats in 2016," was released in February and sponsored by Hewlett-Packard Enterprise. It concluded that these top threats occur because existing identity access management systems don't always scale to all the systems that need them.
In some cases passwords weren't used at all, according to the Treacherous Twelve report. That report advised extensive deployment of multifactor authentication, and recommended that cryptographic keys, passwords, and certificates all should be rotated more frequently than they commonly are.
John Yeoh and Hillary Baron, authors of "Security Beyond the Perimeter," used the February report as a springboard into a discussion of the entirety of identity, access, and credential management as the leading security shortcoming of cloud use.
In their report, Yeoh and Baron said rapid adoption of cloud services had pushed the enterprise boundary into additional data centers, allowing partners, third parties, and customers to access corporate systems and data. While beneficial to the economics of the enterprise, the addition of the cloud "adds complexity, with more people having access to company data," the report noted.
The cost of a breach is so high that economic gains flowing from the expanded enterprise perimeter are somewhat countered by the expanded threats. "In addition to the value of the data lost, company reputation, legal action, financial penalties, and jobs are at stake," the report said.
It's obvious that thinking outside the traditional security perimeter is necessary. Less obvious is how much "controlling the access to data" will contribute to firms being able to adopt cloud services and technologies more safely, Yeoh and Baron continued.
The survey identified seven types of perimeter-based security products, and asked respondents how many of them were in use in their organizations. As the table below shows, antivirus, anti-spam, and Virtual Private Networks were the top three solutions in use by respondents.
Table 1: Which perimeter-based security solutions does your company employ to protect its network?
|Email spam filter||82%|
Note: respondents chose all that applied. Source: Cloud Security Alliance, "Identity Solutions: Security Beyond The Perimeter," April 21, 2016.
The report showed a disparity between large and small companies in products being used. Respondents whose companies had between one and 1,000 employees were less likely to have Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) in place than their larger counterparts. These organizations were also less likely than large firms to have next-generation firewalls, VPN, and Web application firewalls, according to the report.
So, what types of access controls and processes do respondents have in place? The majority of respondents (73%) said they used multi-factor authentication tokens and management, which are often employed with mission-critical applications using sensitive data. More than half (55%) of respondents said they used single sign-on (SSO) to enable employees to access Web and Software-as-a-Service applications. SSO is also used for access to enterprise applications by 53% of respondents.
But systems specific to managing the growing body of Apple Macs in the enterprise appeared to be in short supply. Only 18% of respondents reported using such a system.
When it comes to access control measures designed to protect users, 32% of respondents said they had shared account password management, and 50% had superuser password management. Privileged access management was cited by 80% of respondents, while 38% said they used privileged session management, according to the report.
When the question turns to which access measures are in place for partners, outsourced IT, and other third parties, the picture changes quite a bit. Only 62% of respondents said they had privileged access management in place for such users, 25% had application-to-application password management, and 32% had secure password storage.
So, which types of organizations have the best practices in place? According to the report, companies engaged in the use of big data that have 50,000 or more employees have the best data protection measures. "Those that embraced this (big data) technology also consistently used more security solutions across the board," wrote Yeoh and Baron.
One additional solution cited by the authors was a full identity management platform, which provides the means to control access to the network, enterprise compute resources, endpoints, cloud-hosted environments, and cloud applications. Such defense in depth of identity and authentication won't solve all problems, but it addresses the most frequent exposure found in both on-premises and cloud environments, the authors said.
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...