Let’s be honest here: cloud vendors have been pushing businesses forward for the last decade. Box, Dropbox, Google, Microsoft… they have proven that implementing cloud services is good for business. It allows us to focus on the things that really matter: making our businesses better, more efficient, and more streamlined, with the ultimate goal of making more money. But these new technologies didn’t just change the way business is done; the technology supporting and protecting the business has changed as well.
Think about it for a moment. Before cloud services, when everything was stored on premises, organizations were responsible for everything regarding security and access. It was simple, clear, and the responsibilities were well-defined. If you needed remote access, you needed a VPN or a reverse proxy. Firewalls were maintained, devices were managed, anti-virus was installed on desktops and laptops, strong passwords and multi-factor authentication were enforced, and an arsenal of other security software sat on top. Every one of those measures was taken with one thing in mind: keep our data safe and make sure everything is protected.
And then it all changed!
Two big movements within the IT industry changed this whole concept: Bring Your Own Device and The Cloud. The BYOD movement turned an organization’s workstation pool from a well-defined, homogeneous, protected environment into a heterogeneous one, a mix and match of devices with or without management software, running different operating systems, with different permission levels for the end-users. This structure opened a number of doors for end-users to invite security issues into the business. Blurring the security lines further, the cloud shift made it possible to work from anywhere and also relieved the business of the burden of managing hardware, uptime, backups… All of these annoying things we had to cover ourselves are now provided by vendors like Box, Dropbox, Google or Microsoft.
Organizations now think that their cloud provider is responsible for everything: uptime, backup, restoration, and more importantly, security. And this is exactly what the issue is. This is the shared responsibility model: the provider secures the platform, but what you put on it, who can reach it and how they authenticate is still yours to secure. Your cloud provider will provide you with the tools to make your environment as secure as possible, but YOU, yes YOU, are responsible for setting them up, identifying which ones make sense for your environment and how to implement them so they have the biggest ROI for your organization. Most organizations just fall back on a username and password combination, and they think they are done.
Gartner: “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”
The organization’s naiveté, or simple lack of accountability, is so obvious that even Gartner picked up on it. Cloud service providers and vendors are doing a great job of providing the necessary tools. Every major provider supports multi-factor authentication, but how many organizations decided to turn it on? Very few!! When we look at Microsoft’s security assessment tool, Secure Score, we see that the average score of Office 365 tenants is alarmingly low. Most cloud providers do not offer an assessment like Microsoft’s, but if we use the criteria it uses to decide whether you have a secure tenant, you don’t need to be a rocket scientist to see that they are very standard security controls: MFA, auditing, reporting, risky sign-in detection, permission reviews, etc. I doubt that Box and Google users are much different in their behavior, so let me go out on a limb here and assume that the same issues exist with those cloud providers.
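As an added illustration (not from the original post or the eBook it mentions), here is how an Office 365 admin can pull two of those criteria straight from the tenant with the Microsoft Graph PowerShell SDK: the current Secure Score and the list of users who still have no MFA method registered. It assumes the Microsoft.Graph Reports and Security modules are installed and that the signed-in account holds the two permissions requested; the output file name is my own choice.

```powershell
# Added example, not the author's code. Assumes the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Security and Microsoft.Graph.Reports modules) is installed and the
# signed-in account can consent to the scopes below.
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "AuditLog.Read.All"

# 1. Where does the tenant stand? Take the most recent Secure Score snapshot.
#    Assumption: the service returns snapshots newest first, so -Top 1 is the latest.
$score = Get-MgSecuritySecureScore -Top 1
"Secure Score: {0} / {1} ({2:P0}) as of {3:d}" -f `
    $score.CurrentScore, $score.MaxScore,
    ($score.CurrentScore / $score.MaxScore), $score.CreatedDateTime

# 2. Who can still sign in with nothing more than a username and password?
#    The registration report tells us who has registered an MFA method at all.
$regs  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = $regs | Where-Object { -not $_.IsMfaRegistered }

"{0} of {1} users have no MFA method registered" -f @($noMfa).Count, @($regs).Count

# Administrators without MFA are the ones to fix first.
$noMfa | Where-Object { $_.IsAdmin } |
    Select-Object UserPrincipalName, UserDisplayName, IsMfaCapable |
    Format-Table -AutoSize

# Hand the full list to whoever owns the rollout (file name is my own choice).
$noMfa | Select-Object UserPrincipalName, UserDisplayName, IsAdmin |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

One caveat worth knowing before you celebrate a short list: IsMfaRegistered only says a user has registered a second factor, not that anyone is required to use it. Enforcement comes from Security Defaults or a Conditional Access policy, which is a separate item on the same Secure Score checklist.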
So, what’s next then?
Well, if your cloud provider hands you the tools you need to make your data more secure and you are not using them, let’s get real: at some point, your security will be compromised. Potentially valuable data will be stolen or lost, and you will turn to your cloud provider hoping they can fix it. The chances are high that you, as an organization, will have to deal with the consequences of not taking your security seriously enough.
But it’s so hard!
Involve your IT department. You know, those same people who have been dealing with security on-premises for decades. I am sure they can help you implement your cloud security as well. While the technology has changed, the principles have not. Talk to your cloud provider’s specialists, read their documentation, work with a security expert. Whatever you do, just don’t sit on your hands and hope the security gods in the sky will come and save you, because I won’t… I mean, they won’t. 😉
If you are using Office 365 and Secure Score, you can use my eBook to get all the information you need around how to configure your security settings. Download it here.