Survey: Cloud-Centered Digital Transformation Efforts Can Boost Risk of Identity-Related Attacks
An eye-opening survey of enterprise IT professionals reveals that some digital transformation efforts may increase the risk of hacks and identity-driven attacks. IDN looks at the study from CyberArk that suggests the pursuit of agility and automation can compromise well-established security.
An eye-opening survey of enterprise IT professionals from CyberArk reveals that some cloud-centered digital transformation efforts may increase the risk of hacks and identity-driven attacks. Among the results are indications that the pursuit of agility and automation can compromise well-established security.
The CyberArk Global Advanced Threat Landscape 2019 Report reveals that less than half of organizations have a privileged access security strategy in place for technologies foundational to digital transformation initiatives – including DevOps, IoT, Robotic Process Automation (RPA) and a host of cloud-centric technologies.
More than one-third of survey respondents (39%) noted that the ability to offload security was a significant benefit of adopting cloud. Ironically, it is the murkiness that can arise over how to define and manage security in a ‘shared’ responsibility model between the enterprise and the cloud provider.
Due to this lack of strategy and coordination, hackers can easily exploit legitimate privileged access to move laterally across a network to conduct reconnaissance and progress their mission, CyberArk’s survey found.
“The risks caused by a lack of clarity about who is responsible for security in the cloud is compounded by an overall failure by organizations to secure privileged access in these environments,” said CyberArk executive vice president Adam Bosnian in a statement.
“Despite the often sensitive and highly regulated data being stored in the cloud, it was surprising to see that less than half of organizations don’t have a strategy in place for securing privileges in the cloud, a finding that remains unchanged since our last report,” he added.
As organizations utilize the cloud to accelerate digital transformation, Bosnian suggested the results also reveal there needs to be greater awareness of potential security risks. One notable takeaway from the survey is that 75 percent rely on the cloud provider’s built-in security. This, despite 50 percent of this number recognizing cloud providers’ built-in security is “not sufficient,” he added.
Other survey findings include:
49 percent of respondents migrate business-critical applications (i.e., ERP, CRM or financial management) into the public cloud
45 percent of store customer data subject to regulatory oversight in the public cloud.
39 percent use the public cloud for internal development, including DevOps
The CyberArk survey also sought to define and quantify threats. Among the top security threats on enterprise radars in 2019 are (in descending order):
Hackers – 78%
Phishing, ransomware and other external attacks – 59-60%
Organized crime – 46&
Hacktivists – 46%
Shadow IT – 45%
Privileged insiders – 41%
The survey also found that organizations view “privileged access security” as a core component of an effective cybersecurity program. That said, this area remains a top vulnerability, the survey found.
For example, 84 percent of respondents admitted their IT infrastructure and critical data are not adequately protected unless privileged accounts, credentials, and secrets are also secured. Despite this, less than half (49 percent) said they have a privileged access security strategy already in place for apps or cloud infrastructure. DevOps and IoT do even worse, with 35 and 32, respectively.
In summarizing the report, Bosnian noted, “Organizations are showing an increased understanding of the importance of mitigation along the cyber kill chain and why preventing credential creep and lateral movement is critical to security. “But this awareness must extend to consistently implementing proactive cybersecurity strategies across all modern infrastructure and applications, specifically reducing privilege-related risk in order to recognize tangible business value from digital transformation initiatives.”