French companies are still struggling to comply with latest data protection regulations
September 2017 by Bitdefender
Nine in ten IT professionals in France are concerned with the security of the public cloud, and almost 20% do not deploy security for sensitive data stored outside the company’s infrastructure, according to a recent Bitdefender survey. Half of those surveyed admit cloud migration has significantly expanded the size of the border they have to defend, while only one in six encrypts already migrated data.
These are some of the findings of a survey released today by security firm Bitdefender. The study explores the pressures cloud migration place on 1,051 IT security professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany. As EU’s General Data Protection Regulation (GDPR) goes into effect on May 2018 — roughly eight months away — many organizations still find themselves struggling to comply. The new requirements include that data be protected adequately, and when breaches do occur organizations had better have notification capabilities in place that align with GDPR standards.
The increasing adoption of hybrid cloud — a mix of public cloud services and privately owned data centers, already in place for 70 percent of companies on a global level – is giving rise to new security challenges and prompting CISOs to adopt different technologies to fight zero-day exploits, advanced persistent threats, and other devastating types of cybercrime.
Hybrid cloud brings hybrid issues
Some 81 percent of the CISOs say security software is the most effective security mechanism to secure public-cloud-stored data, followed by encryption (mentioned by 77 percent of respondents) and backups (trusted by almost half of those surveyed). According to the survey, most French companies – four in ten - secure 31 to 60 percent of data stored in the public cloud, while only 17% encrypt all data stored there. Another area of concern is that 19 percent of CISOs do not deploy security in the public cloud, while the same percentage do not encrypt data in transit from their own data center to an external one.
Bitdefender security specialists recommend that any data transfer between the client and the cloud service provider be encrypted to avoid man-in-the-middle attacks that could intercept and decipher all broadcasted data. Beyond that, any data stored locally or in the cloud should be encrypted to make sure cybercriminals cannot read it, in case of data breaches or unauthorized access. To become GDPR compliant, companies need to identify data that falls under the regulations’ control – “any information relating to an identified or identifiable natural personal” –, document how this data is secured, and create incident response plans.
The survey also shows that 73 percent of IT decision makers use a security solution developed for endpoints to protect physical and virtual infrastructures, but 24 percent have implemented separate tools. Out of those, 77 percent do it to protect sensitive customer and consumer data, 70 percent cite compliance with internal and regulatory requirements, and 45 percent want to prevent service interruptions resulting from attacks.
Tailor-made security against crafted cyber weapons
Bitdefender security specialists strongly advise CISOs to use a security solution specifically designed for the infrastructure in will run on (physical or virtual) instead of a single tool for three main reasons:
It generates overhead: installing an endpoint solution on different virtual machines hosted on the same servers impacts resources by continuously running redundant apps, like security agents
It significantly reduces performance: security tools tailored for virtual environments use optimized agents that integrate with a security virtual appliance on server/servers, so previously scanned files are not rescanned each time a user needs them
The typology of attacks is different: boot time security-coverage gaps leave the system vulnerable to malware attacks. As a result, virtual environments often face more sophisticated cyber weapons, such as advanced persistent threats, and targeted attacks, aiming at both companies and government entities (such as APT-28 and, just recently, Netrepser). In this respect, security for virtualized environments is by far the most effective way to detect and fight these complex tools.
What’s stored in the public cloud must not go public
Companies in France mostly store in the public cloud product information (52 percent), information about clients (44 percent), and financial information (45 percent), and avoid storing off-premise what they perceive to be more sensitive data, such as research into new products and competition – 40 percent and 32 percent, respectively; intellectual property – 17 percent. Thus, companies encrypt more often product info and specs (36%), information about clients (29%), financial info (35%), than backups (17%), research into competitors (17%) and intellectual property (12%).
Bitdefender security specialists recommend that, when opting for a hybrid cloud solution, an organization must analyze the type of data it handles and evaluate it based on its sensitivity – both for the company and its clients. Critical, personal and private data related to intellectual property must be stored on premise, with access only to authorized personnel. Organizations that handle sensitive or confidential data, or data related to intellectual property, need to ensure their private cloud infrastructure remains private. No one outside the local network should be able to access that data and only authorized personnel should be vetted for handling it. The private cloud needs to be completely isolated from public internet access to prevent attackers from remotely accessing the data through security vulnerabilities.
In terms of security challenges, 32 percent of French CISOs say that public cloud is their major concern, similar to those concerned by private cloud (34 percent). Another 16 percent say they are equally concerned about both, and 15 percent admit hybrid cloud is their major area of concern.
Lack of infrastructure-agnostic security, lack of predictability, and lack of visibility are perceived as top security challenges of cloud adoption by half of the companies surveyed.
The survey, conducted in May 2017 by Censuswide for Bitdefender, included 1,051 IT security purchase professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany.