The State of Public Cloud Data Security – Complex and in the Shadows

Public cloud services adoption has surged in the past two years from $270 billion USD in 2020 to an estimated $397 billion in 2022. This fast-paced transformation gave way to the rapid development of digital products and services — but didn’t come without compromise.

IT was rapidly implementing new models in the cloud, including hybrid work, and diluting security controls. With their heads in the clouds focused on bringing in more revenue for their organization, security professionals unknowingly put themselves at risk. IT and security now lack visibility into where cloud data is stored and whether databases contain sensitive information.

But how can you protect what you can’t see?

In 2021, companies faced a 50% rise in attacks, and cyber risks are now the No.1 concern for businesses of all sizes. What is abundantly clear is that organizations need a better security strategy to gain visibility into their sensitive data, enable digital business growth and safeguard their valuable cloud-enabled data stores.

To gain a deeper understanding of problems plaguing organizations with public cloud infrastructure today, Laminar released the first-annual State of Public Cloud Data Security Report. We heard from 500 security professionals on their perspective of the current weak and fragmented state of public cloud data security and their concern over lack of visibility.

Here’s what we learned:

1 in 2 Respondents Experienced a Cloud Breach in 2020 or 2021.

Digital transformation has become a breeding ground for adversaries. In our survey, 50% of respondents acknowledged that their cloud environments were breached in 2020 or 2021, with 13% saying they were unsure. Five percent also said they preferred not to answer, likely indicating that they, too, had been breached.

Hackers are Increasingly Looking to Build on Past Results

Of the respondents who had been breached, 58% said their cloud data had been knowingly leaked and/or exfiltrated.

With that data, adversaries are creating detailed profiles on individuals on the dark web, buying and selling user credentials and mining data for further vulnerabilities. In turn, cybercriminals are then able to commit greater harm or launch repeat attacks.

Organizations are Struggling with Cloud Complexity

Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, IBM Cloud and Oracle have won the majority of companies’ cloud business, and each offers hundreds of services. Organizations typically engage with more than one vendor in order to gain access to a broader mix of capabilities, align spending with a chosen vendor’s expertise and reduce risk.

With 56% of respondents working with two or more cloud service providers (CSPs), many are struggling with a complex infrastructure design.

The Vast Majority of Data Security Professionals Expressed Concern Over Shadow Data

Shadow data is company data that has likely been copied, backed up or housed in a data store that is not governed, not under the same security structure, and not kept up to date. Our survey found 82% of respondents are extremely or very concerned about shadow data.

It is a concern that is well-founded: less than half (49%) of respondents have full visibility when developers spin up new data repositories, about 35% have only partial visibility, and 12% have no visibility at all.

Public Cloud Data Needs Cloud-native Tools

The survey revealed that data security professionals are struggling to keep pace with cloud data growth. To address digital transformation, gain visibility into data and adequately protect themselves, organizations must adopt cloud-native security solutions.

Among survey respondents who had adopted such solutions:

  • 49% believed that cloud-native security solutions are dynamic, effective and extremely scalable
  • 46% state that they are asynchronous and don’t disrupt data traffic flow or performance
  • 44% say they are agentless and API-based, resulting in lower total cost of ownership (TCO)

Company Leaders are Seeing the Light

The one upside of organizations experiencing a drastic increase in cloud security breaches is that it has increased executive and board of directors’ buy-in for cybersecurity. Half of the companies surveyed have experienced an increase in buy-in over the last two years, and 81% of respondents have reported a >40% security budget increase since January of 2020.

How Laminar Can Help

Companies have opened Pandora’s box when it comes to the public cloud. Security teams can’t simply shut it by reducing their use of public cloud services or consolidating cloud providers; to do so would halt digital transformation progress.

Our survey illustrated the benefits of cloud-native security solutions. Laminar’s platform is uniquely designed to protect sensitive data for everything organizations build and run in the cloud. We work with all public cloud infrastructures, all cloud data types and all data policies. As a result, teams gain a single solution to protect and control their multi-cloud holdings.

The Largest Threat to Your Data You’re Not Aware of is Lurking in the Shadows

Your Data is Your Difference – Do You Know Where it Lives? 

You’ve likely heard the term “shadow IT.” This is the technology, hardware, software, applications or technology projects that are run outside the governance and oversight of your corporate IT. 

At one point, shadow IT was scary, a major threat to the security of an organization’s data. However, as the challenge became more known and companies took it seriously, teams figured out how to manage and contain it. 

Since then, major advancements in technology – like the mass migration to the cloud – have brought us data democratization, which in itself is a boon to all organizations and consumers. Your data is important, and allowing greater access to this data for those who need it, creates more opportunities, more effectiveness. 

However, the cloud also allowed data to be spread around to various places you may not even be tracking. Gone are the days of completely self-contained, on-premise systems. With greater access comes greater risk. And now a new threat has arrived, one that, in comparison, dwarfs the risk of shadow IT. It’s the largest threat to your data security: shadow data.

Do you know where your sensitive data lives? And do you have the tools and resources to manage it? Shadow data is a prominent yet frequently overlooked problem, but there are tools and resources to tackle it and secure your most valuable currency – your data.

What is Shadow Data? 

In simple terms, shadow data is your company’s data that has likely been copied, backed up or housed in a data store that is not governed, not under the same security structure, and not kept up to date.

As an example, think about your main production data store. Of course, this is where you have your content, applications and data accessible to all those who require it, but you also are keenly aware of it, keep it up to date, and have rigid security protocols in place. 

How Does Shadow Data Occur? 

As more and more companies move their data to the cloud, more risk is incurred as traditional data security strategies fail to keep up. 

There are four major factors that have changed data protection in the cloud and given way to the spectre of shadow data: 

  1. The proliferation of technology and the associated high complexity: Dozens of technologies are used to store, use and share data in the cloud. They can be managed by the service provider or developers directly, and often each one is configured differently. This has created multiple architectures that rapidly change and bring new risks. Today, developers can spin up or copy an entire datastore in seconds.
  2. Data protection teams have fallen behind: Today, data protection teams can’t stop developers from making changes but merely try to set guardrails to allow fewer mistakes. They are relegated to a ‘catch up’ mode. Continually kept in the dark, they can no longer assume they know where all the data is. So they spend more time asking questions and hoping that policies are being followed.
  3. Data democratization: As more value is placed on the concept of making data available to all that need it, the risks increase. And manual efforts to categorize and secure all the data stores are ineffective.
  4. No on-premises perimeter: Cloud data is a shared data model. It’s meant to be accessible from anywhere, given the right credentials. There is no longer a single choke point of protection and monitoring. 

Where is Your Shadow Data? 

Think about where all of your data might live. And then think about where copies of this data may exist. In a typical example, you likely have the following:

  • Test Environment: Most organizations have a partial copy of their production or RDS database in a development or test environment, where developers are building applications and testing programs. Many times developers are moving quickly and may take a snapshot of the data but fail to properly remove or secure the copied data. Or simply forget about it.
  • S3 Backups: You’ll also have at least one backup data store, as a means to be prepared for any breach of or damage to your production environment. It’s your contingency plan and it stores exact copies of your production data. But backups are often an afterthought and less closely monitored, and therefore can mistakenly expose large amounts of data to the public.
  • Leftover Data from Cloud Migration: As many organizations move to the cloud, it obviously requires a “lift and shift” data migration project, where the original database was moved into a modern cloud data store. But more often than not, the original data never got deleted, so that lingering instance remains unmanaged, unmaintained and often forgotten.
  • Toxic Data Logs: Developers and log frameworks log sensitive data, which creates sensitive files that are not classified as sensitive, lack the proper access control and encryption, and can be easily exposed.
  • Analytics Pipeline: Of course, your data is only useful if you can consistently reference and analyze it, so many companies will store data in some type of analytics pipeline using the likes of Snowflake or others. 

All of these are unique data stores in and of themselves and any of them can be a dangling S3 backup, an unlisted embedded data store, or just become a stale data store. The problem is, they all contain sensitive data: customer information, employee information, financial data, applications, intellectual property, etc. And most likely they’re not visible to your data protection teams. They’ve become invisible, unmanaged, and unsecured. 

This is your Shadow Data. 
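The “Toxic Data Logs” item above is the one shadow data source a team can start checking with nothing more than a script. The following is an added example, not code from the original post or from Laminar’s product: a small classifier that scans constructed log lines for sensitive values (e-mail addresses, card numbers validated with the Luhn check so that ordinary long numbers are not flagged, and AWS-style access key IDs) and produces a redacted copy for the report. The log lines, the pattern set and the function names are all assumptions made for the example; the access key ID is the placeholder value AWS uses in its own documentation.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from any real system). Lines 2 and 4 are
# the kind of "toxic" entries a framework or developer writes by accident;
# line 5 contains a 16-digit row count that must NOT be reported as a card.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z INFO  checkout  order=4821 status=ok
2022-03-01T10:00:02Z DEBUG checkout  customer=jane.doe@example.com card=4111111111111111 exp=12/24
2022-03-01T10:00:03Z WARN  auth      retry=3 user=service-account
2022-03-01T10:00:04Z DEBUG deploy    aws_key=AKIAIOSFODNN7EXAMPLE region=us-east-1
2022-03-01T10:00:05Z INFO  report    rows=1234567890123456 elapsed=2s
"""

# Simplified detection patterns (assumptions for this example; a production
# classifier would carry many more and tune them per environment).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pan_candidate": re.compile(r"\b\d{13,19}\b"),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_line(line: str) -> List[Dict[str, str]]:
    """Return every sensitive value found on one line with its data type."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(0)
            if kind == "pan_candidate":
                if not luhn_valid(value):   # long number, but not a card
                    continue
                kind = "payment_card"
            findings.append({"type": kind, "value": value})
    return findings


def redact(line: str, findings: List[Dict[str, str]]) -> str:
    """Keep the first four characters of each finding, mask the rest."""
    for f in findings:
        v = f["value"]
        line = line.replace(v, v[:4] + "*" * (len(v) - 4))
    return line


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a log and return one report entry per line that carries sensitive data."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = classify_line(line)
        if findings:
            report.append({
                "line": lineno,
                "types": sorted({f["type"] for f in findings}),
                "redacted": redact(line, findings),
            })
    return report


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry["line"], entry["types"], entry["redacted"])
```

Run against the constructed log, the scan reports line 2 (an e-mail address and a card number) and line 4 (an access key ID), and leaves line 5 alone because its 16-digit value fails the Luhn check. The same loop can be pointed at a real log export; the point of the example is that classification, not just discovery, is what turns an unlabelled log file into a known sensitive data store.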

Unused, Outdated, and Incredibly Vulnerable

Shadow data can be your biggest vulnerability. In a lot of cases, this data is not used anymore; it has been forgotten about, or is not even visible or accessible to corporate IT teams. On the whole, the people in your organization who should know about these stores of data don’t know about them, leaving them easy prey for cybercriminals.

In fact, most data breaches occur in shadow data environments.

Take for example the very recent SEGA Europe data breach, where the massive gaming company inadvertently left users’ personal information publicly accessible on an Amazon Web Services S3 bucket. 

The mishap left many of SEGA Europe’s cloud services wide open to hackers and cybercriminals, along with API keys to its instances of MailChimp and Steam, which gave anyone who found them full access to those services.

Fortunately for SEGA, through the joint efforts of its internal security team and a team of external security researchers, the mishap was discovered and access to the sensitive data was contained.

How did this happen? Shadow data. Someone inadvertently stored sensitive files in a publicly accessible AWS S3 bucket and didn’t realize the extent of the exposure. It is quite easy to misconfigure an AWS S3 bucket, and that little mistake could have cost the company irreparable damage.
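To make “easy to misconfigure” concrete, here is an added example (not code from the original post or from Laminar’s product) that puts a public bucket policy beside a hardened one and checks both with the same logic a posture scanner applies: an Allow statement whose Principal is the wildcard and which carries no Condition grants access to anyone, unless the bucket’s Public Access Block neutralises it. The bucket name, the role ARN, the account ID (the placeholder AWS uses in its documentation) and the function names are assumptions made for the example; the policy keys and the `RestrictPublicBuckets` setting are the real S3 names. ACL-based exposure is a separate vector and is not covered here.

```python
import json
from typing import Any, Dict, List

# Constructed weak policy: anonymous read and list on a backup bucket.
# This is the shape of policy behind many "open bucket" incidents.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
  }]
}""")

# Constructed hardened policy: one named role may read objects, and a Deny
# with Principal "*" refuses unencrypted transport. The Deny must not be
# reported as "public" even though its principal is the wildcard.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackupRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-backups/*"]
  }, {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant unconditional access to anyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            # Scoped by a condition (VPC endpoint, source IP, ...): worth a
            # manual review, but not unconditional public access.
            continue
        hits.append(st.get("Sid", f"statement-{i}"))
    return hits


def assess_bucket(name: str, policy: Dict[str, Any],
                  public_access_block: Dict[str, bool]) -> Dict[str, Any]:
    """Combine the policy check with the bucket's Public Access Block setting.

    RestrictPublicBuckets=True makes S3 ignore public grants in the policy for
    anyone outside the account, so a public statement is only an exposure when
    that flag is off (or the block configuration is missing).
    """
    public = public_statements(policy)
    restricted = public_access_block.get("RestrictPublicBuckets", False)
    if public and not restricted:
        verdict = "PUBLIC"
    elif public:
        verdict = "PUBLIC POLICY NEUTRALISED BY PUBLIC ACCESS BLOCK"
    else:
        verdict = "NOT PUBLIC BY POLICY"
    return {"bucket": name, "public_statements": public, "verdict": verdict}


if __name__ == "__main__":
    print(assess_bucket("example-backups", WEAK_POLICY, {"RestrictPublicBuckets": False}))
    print(assess_bucket("example-backups", HARDENED_POLICY, {"RestrictPublicBuckets": True}))
```

The weak policy is reported as PUBLIC through its `PublicRead` statement; the hardened policy yields no public statements, and its transport Deny is correctly ignored. Feeding the same function the output of a real bucket inventory is how a scanner answers the “where is my sensitive data, and who has access?” question for backup buckets that nobody remembers creating.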

Twitter also experienced something quite similar: a ‘glitch’ caused users’ personal information and passwords to be stored in readable text format on an internal system, rather than protected by the process known as “hashing”.

The mishap caused embarrassment and scrutiny for Twitter. The major social platform had to publicly urge its more than 330 million users to change their passwords. 

For many organizations, a simple breach of one of their shadow data environments could be crippling. 

Keeping Up, Keeping Secure, and Managing Your Data – Wherever it Lives

Unmanaged data stores inevitably occur. Shadow data occurs. It’s not often intentional, and it’s a normal byproduct of an organization moving at the pace of the cloud. But there are ways to ensure you’re protected and have the proper visibility into every place your data may live. 

Cloud-native monitoring solutions built in the cloud, for the cloud now exist to combat shadow data and allow data protection teams to move at the speed of the cloud. These solutions must Discover and Classify continuously for complete visibility, Secure and Control to improve risk posture and Detect Leaks, and Remediate without interrupting data flow.

As you evaluate solutions to protect your sensitive cloud data, ensure you have a platform that can scan your entire cloud account and automatically detect all data stores and assets, not just the known ones. Ensure that once data is scanned, the solution can categorize and classify the data, maintaining a cloud datastore framework that allows you to prioritize and manage all of your assets effectively. 

Having full data observability lets you understand where your shadow data stores are and who owns them. Doing so leads to a secure environment, faster, smarter decision-making across the enterprise, and the ability to thrive in a fast-moving, cloud-first world.

The Top 5 Cloud Security Predictions for 2022

New threats, new apps, new players, but data plays the biggest role in shaping the future.

2021 Attacks Set New Records

You may get tired of hearing all the doom and gloom of hooded cybercriminals and potential threats. But the reality is, your data, your company, and your personal identity is at continued risk. 

Just looking back, 2021 had its fair share of cybersecurity incidents, and some incredibly resounding ones at that. There was the Colonial Pipeline breach, where suddenly, the U.S. fuel supply was at risk of coming to a grinding halt. A ransom of $2.3 million in Bitcoin was paid to avoid that catastrophe. 

In the land of social media, tens of millions of Facebook, Instagram and LinkedIn profiles were exposed due to an unsecured database. The monolith that is Facebook went down, along with Instagram. 

Even online retailers were targeted. Bonobos, a popular men’s clothing retailer, was hacked and a cybercriminal snatched addresses, phone numbers, and partial credit card data belonging to over 7 million shoppers. 

Not to mention the added impact of COVID-19, and the number of healthcare organizations that were opportunistically attacked at a time when they were stretched way too thin.

So where is all this going in 2022? 

You can likely expect a continued rise in attempted attacks and new methods of targeting. But the one element to the advancement of security measures that will make a huge difference next year is data. And more specifically, cloud data. 

According to Techjury, it’s estimated that 1.145 trillion MB of data is created per day.  On average, every human created at least 1.7 MB of data per second in 2020. Per second, think about that. And 2021 saw over 4.66 billion active internet users. That’s 60% of the world’s population. Data is the key treasure in every situation and having a plan to safeguard yours is paramount. 

The Top 5 Cloud Security Predictions (Plus a Bonus One)

1- Increased Investment will Lead to Better Cloud Security

Each and every year we see more and more investments in cloud security. And that’s a good thing! 

According to tech analyst Gartner, worldwide spending on information security and risk management technology and services was forecast to grow 12.4% in 2021, reaching $150.4 billion. That’s nearly double the spending growth of 2020, which was 6.4%. This aligns with Gartner’s 2021 CIO Agenda survey, where 61% of those surveyed stated that increasing investment in cybersecurity was their top priority.

And the spending spree won’t slow down for a while. Cybersecurity Ventures is predicting that, because of the need to protect increasingly digitized businesses, IoT devices, and consumer data, global spending on cybersecurity products and services will rise to $1.75 trillion cumulatively for the five-year period from 2021 to 2025. 

More specifically, cloud security is growing faster than the rest of the security market. According to Gartner, cloud security spending is projected to increase 41.2% between 2020 and 2021. Cloud security was the “smallest, but fastest growing” market segment, expected to reach $841 million this year. 

What does all of this mean? Better cloud security. 

While the spend is astronomical, the need is there. Data protection is the highest priority for many organizations, especially since much of their data is housed in the cloud. Consumers and businesses expect protection and they will weigh in with their dollars. It’s essential for companies, governments, and other entities to continue to invest in data protection in order to reach a better outcome: enabling the democratization of data, but safely.

In short, life will be better, business will thrive, and cybercriminals will begin to be thwarted as more investments are made. 

2 – Cloud Data Protection Will Make Strides to Keep up With Data Democratization

Digital Transformation. While that phrase is being batted around a bit frivolously, the reality is there: Every organization, no matter how big or small, is changing the way they operate through digital technology. And the majority of these changes involve taking processes and data to the cloud and making data accessible to everyone in the organization. This is data democratization. 

How does one define data democratization? In our view, it’s the ongoing process of enabling everybody in an organization, irrespective of their technical know-how, to have universal access to data, to work with data comfortably, and as a result, make data-informed decisions in their roles, creating new opportunities and improving customer experiences. 

Simply said, in our continual movement toward digital transformation, data is the new currency. It becomes the critical factor in making informed business decisions, making the right investments, and delivering personalized experiences that consumers are not only anticipating, but expecting. 

Think about how many organizations exist solely for the data they have. Companies like Facebook (now Meta), YouTube and Twitter offer free services but bring in huge revenues from advertising based on the customer data they hold. Many companies rely on, and pay significantly for, access to the customer data. So as more data moves to the cloud, and more access is gained, the need for data protection increases. 

Also in our view, we recognize how important data is, and how even more important it is to protect it. Protecting and monitoring your data is crucial to survival. 

You have to know the answers to five very important questions: 

  1. Where is my data? 
  2. Who has access? 
  3. What’s the security posture? 
  4. Who owns the data?
  5. Where is my data going? 

Right now, data democratization is outpacing data security: developers have more freedom and agility with shift left, while data protection teams have been left behind. But one sensitive breach can bring a company to its knees. So as more investments are made in digital transformation, more investments are going to be made in data security and risk management.

2022 will see cloud data protection begin to keep pace with data democratization. 

3- Cloud-Native Security Tools Will Become Mainstream

As more data is moved to the cloud, more workloads, processes and solutions are being natively built and run there.

A cloud-native tool or application is a program that is designed for a cloud computing architecture. These applications are run and hosted in the cloud, and are designed to capitalize on the inherent characteristics of a cloud computing software delivery model.

Security solutions built for the cloud, in the cloud aren’t totally mainstream yet, but are growing much faster than their legacy counterparts. In 2022 we’ll start to see many more of them arise and mature. 

Some larger and established organizations recognize this and are beginning to add capabilities to keep up. Many have made huge investments in acquisitions to try and re-define themselves as cloud-native and serve customers better. 

There are many advantages to security apps that are built and run in the cloud, and we will see that become mainstream in the course of the next year. 

4 – Security Teams Will Move from Gatekeepers to Enablers

In many organizations, the security team is deemed the gatekeeper. The ones that stop business teams from launching their newest project, or forcing developers to pass through rigid steps before finishing their application. It’s incumbent upon the security team to ensure every process follows strict security protocols, so historically, they are viewed as a barrier or hindrance within the organization; the ones stifling progress for rules that everyone else doesn’t understand. 

You might have had this experience. Frustrating, right? Even when you know there is a legitimate reason, it’s still keeping you from finishing your project the way you had intended. The security team has always been thought of as the “you can’t do that” department, but we want the security team to be the “I want you to do that, but in a safe fashion” department.

Well, 2022 is going to see that change, as security teams move from being the ever-scorned gatekeepers, to the much-adored enablers. 

Why is this? Because as mentioned in item number three above, more applications are being built in the cloud, as opposed to on-premises. Cloud application developers don’t have as many restrictions, and don’t have to wait on a vast array of stakeholders to move to the next phase. At the same time, security teams are beginning to deploy cloud-native solutions that continuously monitor and enforce policy enabling a “trust but verify” stance. This way developers are not hindered and security teams can also move at the speed of cloud. 

Businesses need to move fast. They have to adapt, adjust, and grow to keep up with market demands, go after opportunities when they arise, and meet their customers’ ever-changing expectations. They can’t afford to have security shut them down. So to continue the digital transformation yet stay secure, the once-restrictive gatekeepers will harness the power of cloud development and become enablers. Everyone wins.

5 – Best of Breed Tools Will Continue to Emerge, not Consolidate…Yet

Take a guess at how many cybersecurity vendors and solutions are out there. 250? 1,000? 2,000? 

According to The Cyber Research Databank, there are more than 3,500 cybersecurity vendors in the market. And that’s likely a conservative number. 

If you’re a security leader, you’re probably getting bombarded with offers, ads, and pitches for the necessity of every vendor’s solution. There’s no way to pay attention to it all. And you may wish there was just one tool that was best-of-breed and was the one-stop-shop for all of the features and capabilities you needed. How nice it would be to have one tool as opposed to 10. 

Yes, consolidation is happening. Yes, it would be great to have more consolidation. But we think proliferation and more best-of-breed tools will continue to dominate in 2022.

Why is that? 

Let’s take Covid-19 as an example. Think of the virus as a new breach. When that breach hits, people scramble to build the defense to battle it, keep it at bay and hopefully defeat it. You develop a vaccine and are feeling good, but then, the Delta variant pops up, and you scramble again. Hoping to quell that slight variant, the next one, Omicron, arises. And on it goes. How many variants will appear before we feel we’ve completely addressed each and every threat? There is no real way to tell, so you keep building your defenses to stay safe. 

The security tool world is similar: Each year we see new tactics arise, new threats that weren’t predicted, and we scramble to build the tools to combat them. It’s a bit of a cat and mouse game, chasing new threats as they arise. And until these breaches slow down, there will continue to be new tools in the market. 

6 – Bonus! Analyst Firms Will Come up With at Least Three New Acronyms That are Must-Haves for Your Cloud Security Toolbox

SPITS (Security Protocol Infrastructure Technology), SAPPY (Secure Access Protection Platform Yeti), CATS (Cloud Application Testing Security). These are all must-haves! At least that’s what the analysts will tell you. They need to weigh in on this, right? 

Yes, we made those up. But they could be real someday. 2022 will keep the analysts cranking and keep you trying to keep up with all the new tools you need! We can pretty safely predict that. 

The Year that Data Matters More

Data truly is the key element for business survival. And it’s also the element you need to protect the most. It is the new business currency and something everyone benefits from when harnessed securely. 

2022 will see better cloud security as investments continue to rise. And as data democratization continues to expand, cloud data protection needs to keep pace. The increase in protection, and the proliferation of cloud data, gives rise to more cloud-native tools, which, in turn, allows security teams to become enablers, not gatekeepers. 

In this cloud-first world, where digital transformation is happening fast and complexity is high, where development is happening in new realms, traditional methods are falling away. The ability to discover, classify, and categorize all the data within your public cloud environment is a necessity to stay safe and nimble.

Houston, We Have a Public Cloud Problem

Nice to meet you all. I’m Ido Livneh, VP, Product at Laminar. I have been spending most of my time this year speaking with CISOs, CDOs (Chief Data Officers) and data protection leaders about their challenges in protecting data in modern public cloud environments, and I found some common themes that almost everyone is struggling with. The central issue reminds me of the Apollo 13 line, “Houston, we have a problem.” In this case, it’s data protection in the public cloud. Old workflows and solutions just don’t cut it anymore as the environment has changed. This key challenge led us to focus on an extremely valuable and novel solution for our customers.

We have benefited tremendously from our investor Insight Partners’ program — Insight IGNITE — which introduced us to hundreds of security and data protection decision makers. Speaking with these experts allowed us to validate the problem and solution. To perfect the product market fit, we wanted to utilize research and verification — not haphazard guessing. This fits so well with another Apollo 13 quote, from flight controller Gene Kranz: “Let’s work the problem, people. Let’s not make things worse by guessing.”

Data is at the center of the cloud transformation

Enterprises now put data at the center of innovation. They understand that it is a key asset and a source of differentiation. They democratize it to unleash its full potential and make it accessible for developers and data scientists. Today, innovation happens in the cloud, and new applications run on cloud infrastructure. 

This cloud transformation is great for the business, but it also introduces significant changes to cybersecurity risks, workflows, and acceptable solutions. Recently, a wave of Cloud Security Posture Management (CSPM) solutions addressed these changes for the actual infrastructure: the VMs, the boxes, etc. However, overwhelmingly, we found that data protection teams were left behind. The solutions they use and the manual processes they follow haven’t adjusted to this new environment, which makes their work more challenging than ever before. Most data protection teams are blind to what sensitive data they have in the public cloud.

How the public cloud changed data protection

There are four major factors that significantly changed data protection in public clouds:

  • A sprawl of tech and high complexity

    There are dozens of technologies to store, use, and share data in the cloud. They can be managed by the cloud service provider (AWS S3 buckets, Google Cloud Storage, Azure Blob Storage, etc.), IT (AWS RDS), and even developers or DevOps (database that runs on an EC2 or a Kubernetes node). Each one is configured and used differently. Each one introduces new risks. Not only are these new architectures complex and confusing, they are dynamic and constantly changing. Developers are now in charge and can spin up or copy an existing datastore in a matter of minutes.
  • Data protection teams as business enablers

    Modern data protection teams don’t stop developers from making changes. They set guardrails to allow fewer mistakes. They do fewer architecture reviews as gatekeepers and more continuous monitoring and risk assessments as stewards. Therefore, data protection teams no longer assume they know where all the data is, but rather they are looking for a solution that allows continuous and automated discovery and classification.
  • Data democratization and the pace of change

    Changes to the data are pushed to production at an astonishing pace. More and more developers and data scientists leverage data every day. This makes manual efforts ineffective: by the time they are completed, their results are no longer accurate.
  • No perimeter

    All data in the cloud is accessible from anywhere, given the right credentials or tokens. There’s no longer a single choke point to protect and monitor. Any data leak detection should be distributed and cover all channels of egress and the entire public cloud.

No visibility, context, accountability, or leak detection

The lack of proper solutions to address those changes made the work of data protection teams harder than ever before. They have limited resources to handle the increasing data risk, yet answering data protection questions is only getting harder. This can be split into four main problems:

  • Lack of visibility: where’s my sensitive data? Who has access? How is it configured?
  • Lack of context: what is this data? How did it get there? How is it used?
  • Lack of accountability: who made these changes? Who is the process owner?
  • Lack of leak detection: are my policies being followed? Are there any anomalies in data access and sharing?

 

“Be thankful for problems. If they were less difficult, someone with less ability might have your job”

Jim Lovell, Apollo 13 astronaut

 

A three-step approach towards public cloud data protection

These problems inevitably result in exponential growth of data leakage incidents in the public cloud. IDC recently reported that 98% of all companies experienced a cloud data breach within the past 18 months. Data policies are violated. Ensuring data privacy and compliance in the public cloud is a tedious struggle. To address that, we recommend that every organization take this three-step approach to Public Cloud Data Protection:

  • Discover and Classify continuously for complete visibility.
  • Secure and Control to improve data risk posture.
  • Detect Leaks and Remediate without interrupting data flow.

The launch of Laminar was about this problem, and this opportunity. Learn more about why Public Cloud Data Protection Needs a New Approach.