Rush to 'digital transformation' leaving security behind

News by Mark Mayne

Enterprises as a whole are aggressively pursuing digital transformation, but data security is often not being correctly implemented, especially in cloud environments.

While digital transformation has been a popular theme for some years, and the volume of sensitive data involved has increased, security levels are not keeping pace with change, according to a new report.

Thales’s 2019 Data Threat Report: The rush to digital transformation is putting sensitive data at risk found that while 97 percent of respondents plan to use sensitive data on digitally transformative technologies they are developing, fewer than 30 percent of respondents are using encryption within environments such as cloud when developing, and a significant 60 percent have been breached at some point in their history, with 30 percent experiencing a breach within the past year alone.

Bridget Kenyon, global CISO, Thales eSecurity told SC Media UK that: "Cyber-attacks are the fifth biggest threat facing our world today, with the rush for organisations and individuals to embrace new technologies raising risk levels day by day. The numbers in our Global Data Threat Report are stark: 60 percent of organisations have had a breach, 30 percent in the last year - and the overwhelming majority (82 percent) expect the risk of cyber-attacks leading to data theft to increase in 2019. In today’s tech-dependent world, every business must have a clear and understandable cyber-resilience plan in their arsenal. This is a necessity, not a 'nice to have'."

The Thales eSecurity 2019 Data Threat Report also notes that many transformation programmes involve migrating valuable customer data from relatively secure vaults within the perimeter to edge network, cloud and IoT scenarios, leaving security professionals with a significant challenge.

Dan Pitman, principal security architect at Alert Logic told SC Media UK that often enterprise is not choosing the right approach to new deployments. "This is interesting from the point of view that cloud environments should be easier to deploy and maintain security visibility in comparison to traditional infrastructures.

From experience, the usual underlying cause for this is an attempt to apply traditional infrastructure and application design, with traditional operational models, on top of the cloud. Often there is also a misguided approach that multi-cloud means using the different clouds for an application’s disaster recovery or resilience rather than deploying business workloads on the most appropriate platform based on its strengths and weaknesses and using their in-built availability capabilities.

"Encryption is traditionally seen as difficult to deploy, with cloud services provided to deliver IoT, Big Data and the like; this is made much simpler and will account for the above average figures. New technologies, such as containers, also make this easier and combined with the challenge in getting visibility into the container ecosystem from many security models mean more belts and braces are added without really delivering a positive security outcome.

"When dealing with public cloud, encryption is only as powerful as the application security maturity. The majority of breaches in the past years would not have been helped by public or back end encryption, with hackers gaining access to the same systems that are also provisioned unencrypted access to data (the application, the operating system) or hijacking the cloud accounts."

Indeed, the Thales report did find some areas with above average encryption adoption, including IoT (42 percent), Containers (47 percent) and Big Data (45 percent).

Felix Rosbach, product manager at comforte AG said that the sheer breadth of the challenge is still an issue: "Sensitive data is everywhere. And for every data set, there are about 10 copies in your network that aren’t being properly secured. Most organisations know that. But there are many barriers to implementing data security – they vary from budget to technical complexity.

Especially with more recent technologies like Cloud, Big Data Analytics and IoT, organisations have to find a balance between fast adoption and protection. It’s always easier to implement new solutions without taking security into consideration, but with the growing risk of breaches and new, stricter regulations all around the world, sophisticated data protection is a must."

"Data-centric security is a great approach to protecting sensitive data – especially solutions that preserve the format and utility of data for analytics. To make it affordable yet usable, vendors have to make sure that their solutions are as easy to integrate as possible. This is especially true for cloud and hybrid environments where sensitive data moves between a variety of systems and independent of any technological or political borders."

Interestingly, the report found that security budgets are increasingly flat, with 50 percent of companies (compared to 79 percent last year) expecting an increase in budget. The result is likely to be a general slowdown in point security solution sales, and a rise in ‘better value’ platform-based security solutions with options for on-premises, cloud and hybrid solutions.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews