To address critical public cloud data security needs, organizations are turning to defense-in-depth strategies.
As the amount of data stored in the cloud continues to increase, so too do the challenges of securing that data from malicious attackers. According to research from TechTarget's Enterprise Strategy Group, organizations are more confident in their ability to secure on-premises data than data saved in the cloud. Indeed, 54% of organizations surveyed consider their on-premises data security strategies to be more effective than their public cloud infrastructure and application data security.
This shouldn't be a surprise. Organizations have complete knowledge and control over the on-premises IT infrastructure in which their data resides. Organizations also have developed trusted relationships with many third-party security vendors and are familiar with their capabilities.
The same can't be said of their cloud-resident data. Organizations must assess how well their cloud service provider's (CSP) native tools and controls secure their cloud-resident data. While survey respondents were confident in their CSP's monitoring, logging and auditing capabilities, their level of confidence in other key activities for securing data -- including risk assessments, encryption and access policies -- was lower.
Preference for defense in depth
The lukewarm confidence in CSP-native controls for securing sensitive data and the perception that third-party tools provide better security capabilities are evident when looking at how organizations currently secure cloud-resident data.
More than half (51%) of organizations said they use a combination of CSP-native controls and third-party controls, with nearly a quarter relying on a managed service provider (MSP) for some or all of their cybersecurity controls.
The preference to employ multiple CSP-native and third-party tools not only reflects an organization's confidence in selecting third-party vendors but also shows organizations recognize defense-in-depth strategies improve their ability to secure sensitive data in the cloud.
Defense in depth offers better outcomes
A defense-in-depth strategy helps reduce data breaches. The research found organizations that relied only on CSP-native controls were twice as likely (55%) to have lost data as those using a combination of CSP-native and third-party tools.
SaaS, IaaS and PaaS are complex cloud environments with large attack surfaces. Multiple, often overlapping, tools provide a better security outcome for organizations. Having several tools have could solve some problems that organizations incurred, including the following:
- 33% lost data through SaaS misconfigurations.
- 32% lost data through IaaS and PaaS misconfigurations.
- Policy violations
- 33% had a data-exposure event due to data misclassification.
- 26% had data exposed via unsanctioned apps or services.
- 25% had incorrect or insufficient security policies.
- Access controls
- 26% lost data to an attacker masquerading as an employee via stolen credentials.
- 23% lost data via unauthorized access by an over-provisioned account.
It's hard to build a single security tool that can defend against the myriad ways data is lost. Instead, using multiple overlapping layers of defense proves to be much more effective than a single point of defense.
MSPs provide an additional layer of defense
Organizations that relied only on CSP-native controls were three times as likely to have lost data compared to organizations using a combination of CSP-native and third-party tools managed by an MSP.
- MSPs have the time, staff and resources to become experts in each security tool and can use their experience with the tools across multiple disparate environments to tune them and their operations to get the best outcomes.
- As the proverbial saying goes, a rising tide lifts all boats. In the MSP realm, they can apply to all their customers their experience in identifying, responding to and mitigating an attack against one of their customers, often before multiple customers get targeted.
Because many organizations have expressed reservations about relying solely on CSP-native data security controls, defense-in-depth strategies have taken hold. And these strategies have proven to be successful, as much as two times more effective in preventing data loss.
A defense-in-depth strategy isn't perfect, however. It can often require additional investments in tools, people to run the tools and people to stitch the tools into a coherent cybersecurity stack. CISOs and security architects should approach their defense-in-depth strategy with an eye toward balancing the investments against their desired outcomes.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.