Threats, Regulations, and Vendor Responses to Risks in the Cloud
As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will continue to keep the crown jewels in their own data centers. This may actually increase risk. We believe that with deeper and broader security resources, public clouds are arguably more secure than private clouds.
We discussed the future of cloud threats, regulations, and likely vendor responses with McAfee thought leaders and distilled their ideas in the McAfee Labs 2017 Threats Predictions report. Some of the top threats include continued risk from antiquated authentication systems, insufficient visibility into and control of cloud workloads, and ongoing regulatory challenges.
Continued risk from antiquated authentication systems
People and their passwords continue to be the most frequent vulnerability exploited in data breaches. Stealing credentials gives criminals seemingly legitimate access to systems, often undetected by security defenses. Stealing credentials for cloud systems, especially those of administrators, can enable access to hundreds or thousands of customer databases and workloads. We expect targeted attacks against cloud administration accounts to increase, whether through brute force, phishing, or other social engineering vectors. Security vendors will respond with new types of multifactor and biometric identification systems, expanding from fingerprints to other unique factors such as irises, faces, and heartbeats.
Insufficient visibility into and control of cloud workloads
The ability to move data and workloads around is an important cloud benefit, but it also increases risk. Not knowing where data is going or not being able to control where workloads run can affect regulatory compliance or expose data to theft. Capabilities that restrict data movement or workloads lag well behind the need. We expect that increasing cloud awareness will be built into data loss prevention and policy orchestration tools, enabling better coordination of security controls and policies across internal and external clouds.
Ongoing regulatory challenges
Perhaps the biggest uncertainty in cloud services is the growing gap between usage and regulation, and the legal disparity between jurisdictions. Lawmakers cannot keep up with the rate of technological change in this area, and so will use phrases such as “due diligence” and “reasonable efforts” in cloud privacy and security legislation. As a result, cloud service providers, cyber insurance providers, and their customers will face years of litigation. We expect some jurisdictions to impose minimum operating or auditing requirements for cloud service providers, while others will restrict data movement. These conflicting and sometimes even contradictory regulations will be a significant challenge for multinational corporations, and may even restrict cloud adoption in some markets.
To read the full details about these and other cloud predictions, download the McAfee Labs 2017 Threats Predictions report.
This blog was written by Jamie Tischart.