Some projections for 2024 suggest the UAE public cloud market is approaching US$2 billion with SaaS accounting for about half of all revenue. Between now and 2029, the segment is expected to show a CAGR of 19% to top US$4.5 billion eventually. Behind the top-line figures is the growing area of cloud storage. Cloud storage is a tempting concept for companies that understand that the volume, quantity, and accessibility of their data will determine their relevance in a competitive market.
When storage follows a hybrid model; the increased complexity brings an expanded attack surface with it. Confusion reigns in these environments, even among technologists. Confusion leads to the emergence of memes and myths that create rushed judgments and missteps in risk management. For the sake of data security, let’s look at four of these myths and uncover the reality behind them.
- Cloud storage is secure by definition
IBM’s Cost of a Breach report for 2023 shows the Middle East to be at the number two spot. Cyber incidents in the region cost organisations an average of just over US$8 million. The same report’s global analyses included a breakdown of the sources of incidents. During post-incident forensics, only 18% of breaches were traced back to on-premises failures. Most were found in private cloud (16%), and public cloud setups (27%) or even found to have occurred across multiple environments (39%). While these figures arguably may reflect the global scale of migration to the cloud, they also show that data security is not guaranteed solely by migration.
These findings will cause concern among risk managers and among the security professionals tasked with identifying and containing threats. Cloud storage providers implement several security measures, but the responsibility is on customers to educate users on file handling – uploading, downloading, and sharing. There needs to be a comprehensive set of protocols for cloud and on-premises assets because, as IBM’s findings show, threat actors move with the times. If more attack opportunities can be found in cloud and hybrid environments, then that is where cybercriminals will strike.
- Antivirus will get you by
Research by organisations such as the US National Institute of Standards and Technology (NIST) has shown a wide array of detection rates by traditional antivirus (AV) software. NIST figures, for example, reveal single-engine rates of anywhere from 7% to 76%. AV cannot stand alone against the modern threat landscape. For a start, zero-day exploits are unknown to any engine. Social engineering is frequently used to steal credentials that allow threat actors to move through digital estates like authorised users, bypassing AV screening entirely.
Multi-scanning (using multiple AV engines in tandem), can improve the chances of success, especially when used alongside deep CDR (content disarm and reconstruction), which sanitises files by pulling them apart to remove harmful elements and stitching together the legitimate parts so that the file remains functional. The CDR approach allows security teams to detect almost all known threats and a great majority of zero-days using advanced heuristics and pattern-matching.
- Cloud security is the provider’s domain
When the UAE was still fighting with the implications of cloud computing, security was one of the major difficulties for organisations that were otherwise eager to partake in the many benefits of the cloud model. Eager to calm fears, hyperscale providers and SaaS companies made their multimillion-dollar security R&D budgets public. When mass migration occurred in the early 2020s, many customers thought that security was an implied service benefit, but in fact, it is a shared responsibility, with providers looking after cloud storage infrastructure and customers being responsible for the data itself.
Even in IaaS architectures, the customer is fully responsible for endpoint protection, application security, data classification, and identity and access management. Under IaaS, customers must also assume joint responsibility for network controls and host infrastructure; The provider takes complete responsibility only for physical security. Customers must therefore implement comprehensive security measures for data, including the principle of least privilege, which requires that every user and process is granted only the privileges needed to carry out mandated tasks. Keep in mind, that the UAE government has enacted strict data privacy regulations to hold lax security environments to account. Multilayered security is critical to ensure no file enters the environment without due scrutiny.
- When it comes to compliance, on-premises is easier than cloud
Cloud providers go through big obstacles to be compliant with a range of regulations. In the UAE, hyperscale providers like AWS, Microsoft, and Alibaba have already opened cloud locations, and a range of SaaS companies host, or have announced plans to host, their offerings through those locations. Compliance benefits range from local data residency up to and including international standards like GDPR.
While these benefits are automatically transferred to migrating customers, each customer must perform an independent assessment of a prospective provider’s ability to deliver on compliance issues. It may not be enough to point the finger at a provider in the event of an incident. Regulators are likely to still impose fines and call for audits.
One way of delivering on its obligations is for an organisation to adopt proactive Data Loss Prevention (DLP) technology, which is designed to align data operations with internal policies and regulatory requirements. Rules govern access, use, and sharing across storage environments. Proactive DLP applies these rules to ensure no sensitive data is seen by unauthorised parties (internal and external) or manipulated, stolen, or encrypted, as would be the case in a ransomware attack.
Being taken in by these myths can lead to a series of damaging missteps. It is important to be more prepared to take the security precautions that will protect your organisation as it makes its new home in the hybrid world.
Discussion about this post