CyberSecurity SEE

Utilize Defense in Depth for Enhanced Public Cloud Data Security

The use of public cloud services has been widespread for several years, and the recent shift towards digital transformation and remote work has only accelerated the migration of data assets to cloud platforms. According to a research report by TechTarget’s Enterprise Strategy Group (ESG), titled “The Cloud Data Security Imperative,” there has been a significant increase in the storage of corporate data in the public cloud. Currently, 26% of respondents store at least 40% of their corporate data in the public cloud, and this number is expected to double in the next two years, with 58% of organizations projected to store at least 40% of their data in the public cloud.

Organizations are increasingly relying on cloud-resident data and public cloud services to gain a competitive edge in their business operations. They are utilizing advanced business analytics and machine learning capabilities to extract more value from their data. These capabilities are typically supported by data lakes, data warehouses, and data lakehouses, which aggregate data from various sources. Since sensitive data is crucial for effective business data analytics, it is unsurprising that 86% of organizations reported housing sensitive data in these cloud-based data stores.

The value of the cloud is further enhanced when it comes to the use of sensitive data. Consequently, the amount of sensitive data stored in the cloud is also growing. Currently, 16% of organizations have classified more than 40% of their Software-as-a-Service (SaaS) data as sensitive. This number is expected to nearly triple, reaching 45% of organizations in the next two years. Similar trends were observed for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) data.

However, despite the increasing reliance on public cloud services and the growing amount of sensitive data being stored, there are concerns regarding the security of these cloud-resident data assets. According to the ESG report, there is a consensus among respondents that cloud data security is not keeping pace with requirements. A significant number of organizations believe that a substantial portion of their sensitive data stored in SaaS (30%) and IaaS/PaaS (59%) environments is insufficiently secured. This is particularly challenging due to the prevalence of multi-cloud strategies, with more than three-quarters of organizations storing sensitive data in multiple IaaS or PaaS platforms. Each platform has its own native policies and controls, making it difficult to ensure complete security across all cloud-resident sensitive data.

Another issue highlighted in the report is the occurrence of cloud data loss. Organizations recognize that not all of their cloud-resident sensitive data is properly secured. However, determining the exact location and time of data loss is a significant challenge. Within the past year, 39% of respondents confirmed that they experienced data loss, while an additional 20% suspect they have lost data without definitive knowledge. These data loss incidents are not isolated occurrences, as 84% of respondents reported multiple data-loss events in the past year, with 28% experiencing four or more incidents.

Data losses can happen in various types of data stores, including block, file, object, data warehouse, data lake, and database storage options provided by IaaS and PaaS platforms. Interestingly, the most common data loss incidents occur in SaaS applications, as indicated by 42% of respondents. This could be attributed to a lack of clarity regarding the shared responsibility security model and how to best secure sensitive data stored in SaaS applications.

Addressing these challenges and ensuring comprehensive data security in the public cloud requires organizations to possess the right tools and expertise. The tools and practices used to secure on-premises data may not be applicable when securing SaaS, IaaS, and PaaS-resident data. Cloud data security challenges become more complex due to different threat models, dynamic attack surfaces, amorphous perimeters, and disparate security tools provided by different cloud service providers. While point tools can address specific causes of data loss, relying solely on a few tools may not close all security gaps. Organizations should adopt a defense-in-depth strategy that utilizes multiple tools and capabilities to enhance the discovery, classification, and security of all cloud-resident data.

Furthermore, organizations must understand and account for the aspects of data security that fall under the shared responsibility model when implementing a defense-in-depth strategy. This is particularly crucial in SaaS environments, as there is often a misconception that SaaS providers adequately secure data for all their customers.

In conclusion, the increasing reliance on public cloud services and the migration of sensitive data to cloud platforms have raised concerns regarding the security of cloud-resident data. The ESG report highlights the need for organizations to address these challenges by employing appropriate tools and expertise, adopting a defense-in-depth strategy, and understanding their responsibilities in the shared responsibility security model. By taking these steps, organizations can enhance the security of their data and mitigate the risks associated with cloud data loss.
