Cloud security: Increased concern about risks from partners, suppliers

There’s an ever-increasing push to the cloud.

This comes with growing risks from partners, suppliers and third parties; vulnerabilities and misconfigurations that can be compromised in any number of ways; and complex software supply chains and infrastructures that complicate remediation.

But, while enterprises are concerned about all these implications, many have yet to implement advanced cloud security and data loss prevention (DLP) tools, according to a report released this week by Proofpoint, Inc., in collaboration with the Cloud Security Alliance (CSA).

Hillary Baron, a research analyst at CSA and the report’s lead author, pointed to the rush toward digital transformation amidst COVID-19. While this facilitated remote work and kept businesses up and running, there were unintended consequences and challenges due to large-scale — and hastily implemented — structural changes. 


“One of those challenges is developing a cohesive approach to cloud and web threats while managing legacy and on-premise security infrastructure,” said Baron. 

Increased concerns in complex landscapes

“Cloud and Web Security Challenges in 2022” queried more than 950 IT and security professionals representing various industries and organizational sizes. 

Notably, 81% of respondents said they are moderately to highly concerned about risks surrounding suppliers and partners, and 48% are specifically concerned about potential data loss as the result of such risks. 

It seems a warranted concern, study authors point out: 58% of respondent organizations indicated that third parties and suppliers were the target of cloud-based breaches in 2021.

Also troubling, 43% of respondents said that protecting customer data was their primary cloud and web security objective for 2022 — yet just 36% had dedicated DLP solutions in place. 

Also from the report: 

  • A majority of respondents were highly concerned (33%) or moderately concerned (48%) with security when collaborating with suppliers and partners. 
  • 47% said that legacy systems were a key challenge in improving their cloud security posture.
  • 37% said they need to coach more secure employee behavior. 
  • 47% said they had implemented endpoint security, 43% said they had implemented identity management solutions, and 38% said they had implemented privileged access management.

Meanwhile, organizations are concerned that targeted cloud applications either contain or provide access to data such as email (36%), authentication (37%), storage/file sharing (35%), customer relationship management (33%), and enterprise business intelligence (30%).

Experts and organizations alike agree that there’s much room for improvement in existing processes for managing third-party systems and integrations. 

Context is often lacking for software-as-a-service (SaaS) platforms in use — the data they hold, the integrations they facilitate, the access models in place, said Boris Gorin, cofounder and CEO of Canonic Security.

Also, these aren’t continuously monitored. He advised organizations to ask themselves whether they have an inventory of all third-party integrations and add-ons, and what access and reach these integrations have in their environments — or if they are active at all. 

“Most breaches happen because we didn’t execute on a policy, not because we didn’t have one,” said Gorin. Controls are overlooked, thus creating vulnerabilities. 

Dave Burton, chief marketing officer at Dig Security, also noted that there are many unaddressed uncertainties around cloud complexity that make it difficult for enterprises to understand exactly where cloud data is stored, how it is used, whether it includes sensitive information and if it is protected. 

Organizations must understand all of their data stores, ensure that they have backup capabilities in place, regularly perform software updates and implement the right tooling, he said. Tools such as DLP and data security posture management (DSPM) are also essential. 

Strategic practices, culture shifts

Another of the many byproducts of cloud technology adoption is the loss of governance, said Shira Shamban, CEO at Solvo. Also, too often, sensitive data is found in places where it shouldn’t be and is not appropriately secured. 

Ultimately, keeping data out of the cloud altogether isn't realistic, Shamban acknowledged, but organizations must only store it there in cases where it is absolutely necessary, not just arbitrarily. Access must also be distinctly specified and limited.

Also, critically: “security cannot be just a yearly audit,” said Shamban. “It’s an ongoing process that consists of frequent auditing, validating and updating — much like cloud applications themselves.”

Similarly, the best tools are only effective when coupled with a culture of security within and around an organization, said Mayank Choudhary, EVP and GM for information protection, cloud security and compliance, at Proofpoint. 

“As organizations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter,” he said. “It is an organization’s responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.”
