STE WILLIAMS

Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments

Hybrid environments can now join the preview party for FIDO2 support in Azure Active Directory.

Microsoft has a bit of a thing about passwordless authentication. Back in 2004, then-chairman Bill Gates predicted the death of passwords because humans are terrible at managing them.

Anyone born around then will be turning 16 shortly and yet passwords still linger on.

One way to move on is via a FIDO2 security key (or something biometric on the device); the FIDO alliance has already signed up the likes of Google and Mozilla for browser authentication and back in October 2019 Microsoft unveiled a preview of FIDO2 security support in Azure Active Directory.

The problem was that going password-free with a FIDO2 key, Microsoft’s Authenticator app or Windows Hello was all well and good, but it didn’t work with a hybrid-joined device, as the company acknowledged at the time.

As of this week, Microsoft is flinging open the doors to hybrid Azure AD-joined Windows 10 devices. Apparently, “this has been the top most requested feature from our passwordless customers.”

Not “Ohgodohgodohgod, please make the patch pain stop.”

Patch me if you can

That hybrid support means FIDO2 authentication can be used for on-premises as well as cloud resources. There are, however, some provisos. Your Windows Servers (2016 and 2019) need to be up to date on the patch front. You’ll also need a refreshed version of Azure AD Connect (1.4.32.0 or later), and PCs wanting to use the preview feature are going to have to submit to the tender mercies of the Windows Insider program.

To be precise, Windows 10 Build 18945 or later needs to be installed, quite an elderly incarnation of 20H1 for Fast Ring testers dating back to July last year. It has long been superseded, and even signing up for the more stable Slow Ring will inflict something considerably more recent on the PCs of eager users.

Interestingly, 18945 was also the Windows Server vNext Preview Build that first extended FIDO2 security keys to hybrid environments for braver admins.

As Microsoft (and chums) march towards a passwordless future, we look forward to a brave new world where forgotten strings of characters have been replaced by dropped and dangling dongles. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/25/fido2_azure_ad_hybrid/

Verizon: Attacks on Mobile Devices Rise

Companies of all sizes are being hit by mobile attacks and feeling the effects for extended periods of time, according to the 2020 Verizon Mobile Security Index.

RSA CONFERENCE 2020 – San Francisco – The theme of Verizon’s 2020 Mobile Security Index is innovation – on the part of both enterprise security professionals and the attackers trying to work past their best efforts.

Mobile devices are getting abused by cybercriminals, but companies are still giving those devices the security short shrift. “About 40% of our respondents across the board report having a mobile security compromise,” says Bryan Sartin, executive director of global security services at Verizon. That’s an increase from 33% of organizations in Verizon’s 2019 report.

The annual report, released here today, is based on surveys and interviews with more than 1,100 business and cybersecurity professionals. 

While many companies have experienced a mobile compromise, 43% report that they have sacrificed the security of mobile devices in the name of “getting the job done.” And the main reason for security sacrifice will sound familiar to most security professionals.

Nearly two-thirds of those responding, 62%, said that expediency was the reason for short-changing security, while 52% listed convenience. The short-term convenience of lowering security standards had ramifications that persisted, though: According to the report, 66% of companies described the impact of mobile security breaches as major, and 55% said that the impact was long-lasting.

Small and medium-sized businesses made up 28% of the victims, while those with over 500 employees represented 44% of the total. The small and medium-size business portion of the population is growing in both total representation and the importance mobile devices play in their business, Sartin says.

“80% of our respondents in small, midsized business say that mobile security is now key to productivity and profitability. That’s huge,” he says. “That was a nonexistent number last year. And now, 84% say that they are almost completely reliant on cloud and mobile security.”

The use of cloud and mobile security echoes the adoption of mobile devices and cloud services in general, and Sartin says that there are numerous reasons for companies to be adding to their populations of both mobile devices and cloud applications.

“Adoption for reasons like scalability, flexibility, diversified supply chain work from home employees, and increasingly, mobile workforces that have to get access to protected company systems, data, and platforms are driving this,” Sartin says. “I think the necessity to have this functionality available is driving things, and that security is an afterthought.” 

How to Protect Mobile Devices

Containerization of both apps and data on the mobile device is one way to protect mobile devices from attacks.

“Containerization has two interesting side effects,” Sartin says. “One, of course, is creating kind of an island out of each device. It makes it very difficult to compromise consumer and personal information, as well as broader compromises on the corporate side,” he explains. “So it makes pivoting more difficult. It also allows you to implement certain security countermeasures defensively, like password rotations, forcing those down on the end user.”

A zero-trust model of security is another way to protect mobile devices, according to Verizon.

In the Verizon report, Aspi Havewal, director of collaboration and mobility at Verizon, provides additional advice. “First and foremost, prioritize the user experience. Make it part of every risk discussion you have, because a bad user experience is a big risk in and of itself,” Havewal said. “You should give your employees a range of options to do their work securely, and stay connected with your users. The more you communicate with them about the policy and controls that are in place, the more your users will appreciate security.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/mobile/verizon-attacks-on-mobile-devices-rise/d/d-id/1337136?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Wanted: Hands-On Cybersecurity Experience

Organizations lament a lack of qualified job candidates as they continue to struggle to hire and retain security teams, the new ISACA State of Cybersecurity 2020 report shows.

RSA CONFERENCE 2020 – San Francisco – Nearly 80% of organizations say they will need even more technical security staff – security engineers, security architects, analysts, incident responders, forensic analysts, for instance – in the next 12 months, according to new data from ISACA.

The data comes from a survey of mostly ISACA members as well as other organizations, more than half of whom say their security teams today are understaffed. Most are not satisfied with the qualifications of the job applicants they get: some 73% cite hands-on security experience as a key job qualification, followed by security credentials (35%), and hands-on training (25%). The study is based on data gathered from more than 2,000 respondents from more than 100 countries.

Greg Touhill, ISACA board director and president of Cyxtera Federal Group, says the evolution of security’s defense-in-depth technology has helped lead to this conundrum: “We invested in a strategy of defense-in-depth, so we added another layer upon another layer, and all of these layers cost tremendous amounts of manpower – and [require] a lot of highly skilled” talent for each tool and platform that get added to those layers, he explains.

Interestingly, non-security skills are also high on employers’ list: one-third of the respondents cite soft skills – aka non-technical proficiencies such as communication, social, and leadership qualities – as one of the main gaps they see in job candidates, followed by IT knowledge and experience (30%).

ISACA Director Pam Nigro, who is also the senior director of information security in the GRC practice at Heath Care Service Corporation (HCSC), says even traditional security professionals need to be able to communicate what a vulnerability they found actually means, risk-wise, to the organization. “Leadership’s eyes are going to glaze over” if you can’t clearly articulate what that security flaw could mean for the organization, she says.

Nigro says HCSC runs a six-month rotation program for its security teams to help hone and expand skills. Red, blue, and purple teams, vulnerability scanning and firewall staff rotate into different teams to help brush up on skills or learn new ones. So red teamers can join the blue team to better understand how to defend against attacks they typically perform, and blue teams can sit in the red team seat and think like an attacker. “When you broaden horizons, you start to look at all the things that go into cybersecurity, and you start to be able to do really good critical thinking,” Nigro says.

Meantime, organizations need to be more realistic about the qualifications they expect candidates to have for security positions, notes Touhill. “This drives a greater need for a workforce development plan … and synchronization with the human resources folks” in the recruitment process, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/operations/wanted-hands-on-cybersecurity-experience/d/d-id/1337137?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security, Networking Collaboration Cuts Breach Cost

CISOs report increases in alert fatigue and the number of records breached, as well as the struggle to secure mobile devices in a new Cisco study.

RSA CONFERENCE 2020 – San Francisco – The security team, instead of operating in silos, can lower overall post-breach costs if it collaborates with other teams across the organization.

Cybersecurity is still a top priority for executive leadership, researchers say in Cisco’s “2020 CISO Benchmark Report.” The survey of 2,800 IT decision-makers reveals key trends and pain points as companies face issues such as alert fatigue, mobile security, and private cloud security.

Ninety percent of respondents agree business executives have created clear metrics for assessing the effectiveness of a security program. Time-to-detect ranks highest as a key performance indicator (KPI); however, for reporting to the C-suite or board, time-to-remediate is equally key because it represents the total impact of an incident: downtime, records affected, cost of investigation, lost revenue, lost customers, lost opportunities, and out-of-pocket costs.

Organizations reporting more than 100,000 records compromised in their most severe breach grew from 15% in 2019 to more than 19% in 2020. A major incident has the greatest effect on business operations (36%), followed by brand reputation (33%), finances (28%), intellectual property (27%), customer retention (27%), and supplier relationship (26%), researchers found.

Alert fatigue is a major issue when you consider the number of security products cluttering enterprise environments. There is a gradual trend to reduce complexity through vendor consolidation, with 86% of businesses using up to 20 vendors, and only 13% using more than 20. In 2019, 15% of companies used more than 20 vendors; in 2018, that number was up to 21%.

“We’re starting to see this move toward fewer consoles and move toward greater collaboration with other teams,” says Wolf Goerlich, advisory CISO with Duo Security (now under Cisco). “CISOs who act on those two trends have better outcomes for the organization.”

As companies consolidate their vendor use, they voice a greater challenge to handle the tools they have: 28% feel managing a multivendor environment is “very challenging,” up from 20% in 2017. More than half (53%) feel it’s “somewhat challenging” and fewer (17%) say the process is easy. “My team is stretched beyond the capabilities for which they can be effective,” says Ben Munroe, director of product at Cisco, of common customer concerns.

Respondents who report alert fatigue are more likely to struggle in a multivendor environment: Of those who claim fatigue, 93% receive at least 5,000 alerts per day. The number of companies receiving 5,000 or fewer alerts per day dropped from 50% in 2017 to 36% in 2020; during the same time frame, the number receiving 100,000+ daily alerts grew from 11% to 17%.

Network, Security Collaboration Cuts Costs
More than 91% of respondents say they are “very” or “extremely” collaborative; collaboration between endpoint and security teams is also high, at 87%. This trend can have financial benefits in the aftermath of a breach. In 2020, 59% of companies that say they are very/extremely collaborative between networking and security teams experienced a financial impact under $100,000 for their biggest breach, the lowest category offered for breach cost.

“A lot of it has to do with dwell time: How do we detect what’s going on in our environment; how do we remediate what’s going on in our environment,” Goerlich explains. “To detect, you have to have a really solid understanding of what’s going on in our networks and the cloud infrastructure we’re plugged into.”

And who better to detect than the subject matter experts? The networking team has a better understanding of the environment; as a result, team members know what’s typical and what isn’t. “There’s a reduction in time to detect because they understand what normal looks like, so they can help us understand what abnormal behaviors are,” he continues.

The networking team can also help stop threats. When a security operations center analyst spots an event, good practice usually means they won’t pull the equipment themselves. They’ll pass this off to the subject matter experts, and the networking team takes over for quarantine, remediation, and cleanup.

“When you have those tight collaborations, you can say, ‘This is what we see, this is what needs to happen,’ and the handoff is much smoother,” Goerlich says.

Key Concerns: Unpatched Vulnerabilities, Private Cloud
Forty-six percent of businesses report a security incident caused by an unpatched flaw, up from 30% in last year’s study. Of those that suffered a major breach due to an unpatched bug, 68% suffered data loss of 10,000 records or more — significantly more than the 41% that lost the same amount due to breaches from other causes.

Mobile security is another key concern for this year’s study: 52% of respondents say mobile devices are now “very” or “extremely” challenging to defend. Half of respondents say the same about securing private cloud infrastructure, and 41% say the same about securing network infrastructure.

Building on Data: Cisco SecureX Launch
Alongside the release of its “2020 CISO Benchmark Report,” Cisco today launched a new security platform, SecureX. This is meant to connect Cisco security products with the tools in existing enterprise infrastructure, to improve visibility for endpoints, applications, networks, and cloud. The idea is to provide a single view of threat detections and policy violations in one place.

“Fatigued organizations, an overwhelming number of alerts, a need for automation [are] directly reflected in the way we have brought SecureX to market,” says Munroe.

SecureX can scan data and traffic from Amazon Web Services, Microsoft Azure, and Google Cloud, along with private data centers. Security operations teams can share context with IT operations and network operations to create and strengthen security policies across workflows, facilitating the level of collaboration that can potentially drive down the cost of an incident.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/security-networking-collaboration-cuts-breach-cost/d/d-id/1337132?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Tips to Improve Your Employees’ Mobile Security

Security experts discuss the threats putting mobile devices at risk and how businesses can better defend against them.

(Image: Mirko -- stock.adobe.com)

Most organizations support a bring-your-own device (BYOD) protocol in which employees use their personal mobile devices in lieu of corporate-owned ones. But it’s a mixed bag: Enterprise-owned devices offer more control over security; however, the business incurs the expense and full liability for them. BYOD puts the burden of buying devices on employees, but it could present a greater risk to the company.

“A bit of a trade-off has to happen, as they’re managing an aspect of something that is personally owned by the employee, and they’re using it for all kinds of things besides work,” says Sean Ryan, a Forrester analyst serving security and risk professionals.

On nights and weekends, for example, employees are more likely to let their guards down and connect to public Wi-Fi or neglect security updates. Sure, some people are diligent about these things, while some “just don’t care,” Ryan adds.

This attitude can put users at greater risk for phishing, which is a common attack vector for mobile devices, says Terrance Robinson, head of enterprise security solutions at Verizon. Employees are also at risk for data leakage and man-in-the-middle attacks, especially when they hop on public Wi-Fi networks or download apps without first checking requested permissions. Mobile apps are another hot attack vector for smartphones, used in nearly 80% of attacks.

A major challenge in strengthening mobile device security is changing users’ perception of it. Brian Egenrieder, chief risk officer at SyncDog, says he sees “negativity toward it, as a whole.”

“I think there’s just an overwhelming trust, where that trust probably hasn’t been deserved just yet, in how your data is protected and how your device is protected,” he explains.

Most security professionals have to walk a fine line between securing devices and providing a seamless user experience. “There is this uneasy relationship between trying to make things user-friendly and not add a lot of friction,” Ryan says. Mobile security policies should be stringent enough to protect the devices but not cumbersome to employees.

Here, these three security experts share their advice for security managers seeking to improve the security of their employees’ mobile devices. Have any tips you don’t see here? Feel free to share them in the Comments section, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/mobile/7-tips-to-improve-your-employees-mobile-security/d/d-id/1337081?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Latest Security News from RSAC 2020

Check out Dark Reading’s updated, exclusive coverage of the news and security themes that are dominating RSA Conference 2020 in San Francisco.

RSA CONFERENCE 2020 – San Francisco – Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, and Curt Franklin offer news and analysis of keynote presentations, press conferences, and interviews with speakers and attendees. Content is updated regularly.

Zero-Factor Authentication: Owning Our Data 2/19/2020
Are you asking the right questions to determine how well your vendors will protect your data? Probably not.

RSAC Sets Finalists for Innovation Sandbox 2/6/2020
The 10 finalists will each have three minutes to make their case for being the most innovative, promising young security company of the year.

Vixie: The Unintended Consequences of Internet Privacy Efforts 2/5/2020
Paul Vixie says emerging encryption protocols for endpoints could “break” security in enterprise – and even home – networks.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/latest-security-news-from-rsac-2020/d/d-id/1337045?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Solving the Cloud Data Security Conundrum

Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.

As we have seen in several major cybersecurity breaches, attackers will prey on a system’s weakest points to harvest its data. An important source of vulnerability occurs at runtime, when data is in use. In response, enterprise developers must leverage runtime encryption technologies with effective key management to secure sensitive data — and this is especially true in the cloud/multicloud environment.

However, while runtime encryption solutions using hardware-aided security have been available for years, they were not available in the public cloud. But this is changing. [Editor’s note: Fortanix is one of a number of companies that offer runtime encryption services.] Cloud service providers (CSPs) now offer hardware platforms that enable runtime encryption solutions to be deployed in the cloud. Innovative new solutions for key management, along with an end-to-end approach to encrypting and securing data when it’s at rest, in transit, and in use, are critical, as are related functions required to make cloud runtime encryption viable.

Data Security: The Two-Thirds Solution
Traditionally, it has been possible to protect data by encrypting it at rest and in transit. This got organizations two-thirds of the way to complete data protection. At runtime, however, data pulsing through the CPU was exposed. Before today’s increasing adoption of technologies such as Intel Software Guard Extensions (Intel SGX), runtime encryption was impractical. Comparable solutions, such as fully homomorphic encryption, have proved impractical for many of today’s complex application use cases.

Requirements for Effective Runtime Data Encryption
New runtime encryption solutions fill the security void when data reaches the CPU by creating a trusted execution environment (TEE) within which sensitive applications and data are protected. TEEs enable general-purpose computation on encrypted data without exposing plaintext application code or data and are designed to provide complete cryptographic protection for applications at the performance level that enterprises require.

To provide holistic protection, however, runtime encryption solutions must take a life cycle-based approach to data security. From the earliest stage of application development, the solution must be capable of integrating encryption and/or tokenization to secure sensitive data, in addition to the hardware-aided security provided by a TEE. Leveraging centralized logging of cryptographic operations and policy definition/enforcement for auditability and compliance should also be an important part of the management life cycle. The solution must be able to guarantee the execution of validated software securely inside a TEE, where it is protected from all threats while ensuring the security of data at rest and in transit.

The Cloud: A Runtime Data Security Conundrum
A potential barrier to the end-to-end security that runtime encryption must provide has been the need to host the keys used to encrypt and decrypt sensitive data by the CSP. Although securing data at runtime using a TEE protects application code and data from unauthorized system or root-user access, the data remains vulnerable unless organizations maintain exclusive control over their cryptographic keys. With “bring your own key” (BYOK) functionality, organizations can provide a known key to encrypt and decrypt data, but the CSP holds this key within its proprietary key store — which should make security managers uncomfortable. The problem of securing data and cryptographic keys on a CSP’s platform must be resolved if the benefits of runtime encryption are to be fully realized.

Better Security Controls for Cloud Workloads
Innovations in cloud-native APIs make it possible for users to integrate their own key management systems in order to retain control of the keys that applications deployed in the cloud require. With a “bring your own key management system” (BYOKMS), organizations store their encryption keys in a hardware security module (HSM) in their data centers or within a contracted facility. The API connects the HSM to the cloud service, with keys retrieved from the HSM when needed by an application. This enables keys to work seamlessly with runtime encryption in the cloud, with a single point of control for management and auditability. As a unified system, BYOKMS solutions can handle data encryption, tokenization, and shared secrets while spanning on-premises, hybrid cloud, and public cloud environments.

With BYOKMS, organizations retain exclusive control over who can see their data. This enables a number of specific benefits, including:

  • Compliant application mobility: When organizations control their own keys, they can move applications to the public cloud, even if they are bound by regulations.
  • Distributed security: By combining a zero-trust model and an “interconnection-first” approach, organizations can distribute security as a means to address scale and integration challenges.
  • Keys less likely to be compromised: BYOKMS cuts down the odds of key secrecy being violated in shared infrastructure. Even the CSP or government officials won’t be able to access them. 
  • GDPR compliance: Key management with regional isolation provides compliance with the EU’s General Data Protection Regulation (GDPR) and other data sovereignty laws.
  • GRC standards met within a multicloud environment: If your organization’s governance, risk, and compliance (GRC) policies call for pervasive data encryption, you can now adhere to the policies while migrating applications and data into multicloud, public cloud, or hybrid environments.

More broadly, the BYOKMS approach leads to predictable consumption. Organizations can move workloads across multiple clouds to manage load levels without concern for data vulnerability. They can also integrate applications more flexibly because it doesn’t matter where the data resides. Data is protected at runtime across all instances, even in the public cloud. This is possible without negatively affecting application performance. By storing keys in data centers that are close to critical apps, end-to-end cryptographic security incorporating runtime encryption won’t slow down data processing.

Putting Cloud Runtime Encryption to Work
Moving sensitive data to cloud infrastructure is only partly about getting the right tools. Trusting the cloud involves a change in mindset. You must be ready to embrace runtime encryption in the cloud. Your developers should understand the new APIs for securing data in the cloud. Security staff tasked with key management must think differently about the key management life cycle. All of this is possible, though. Runtime encryption in the cloud is real.

Faiyaz Shahpurwala is the Chief Product and Strategy Officer for Fortanix. Prior to Fortanix, he held key senior leadership positions at IBM and Cisco. He was most recently VP/GM for IBM Cloud, and before that he was SVP at Cisco Systems, …

Article source: https://www.darkreading.com/cloud/solving-the-cloud-data-security-conundrum/a/d-id/1337074?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enterprise Cloud Use Continues to Outpace Security

Nearly 60% of IT and security pros say deployment of business services in the cloud has rushed past their ability to secure them.

RSA CONFERENCE 2020 – San Francisco – The majority (59.4%) of IT and security professionals are concerned about their ability to effectively secure cloud-based enterprise services as businesses continue to adopt them.

For Firemon’s second annual “State of Hybrid Cloud Security” report, researchers surveyed 522 network/security engineers, IT operations managers, C-level execs, cloud architects, and cloud software engineers, among other technology pros. They learned 41.4% of businesses are deployed in hybrid cloud environments, up from nearly 40% in 2019. Protecting them is a primary concern.

“One of the biggest things that stood out was the fact that most people agree that their business has accelerated past their ability to confidently or consistently secure [cloud environments],” says Tim Woods, vice president of technology alliances at Firemon. This sentiment has remained relatively constant in the 14 months since its last survey, which he notes is significant.

“The needle hasn’t moved at all in that time period,” Woods points out. “I had expected that number to decrease.”

Where do most professionals struggle? Seventeen percent of respondents say lack of visibility is their biggest obstacle to securing public cloud environments. Other top concerns include lack of control (13.8%), lack of ownership (13%), lack of integration with other tools (13%), lack of qualified personnel (11.5%), lack of training (11.1%), and lack of automation (9.6%).

Their concerns have not slowed cloud adoption. In 2019, 25.6% of businesses were not using a public cloud platform. That number dropped to 9.8% in 2020. Nearly half (49.4%) of this year’s respondents are using two or more different public cloud platforms, slightly down from 53% in 2019.

Overall, 65.4% of IT and security pros are using manual processes in their hybrid cloud environments, and 35.4% don’t have any automation. Nearly one-third say misconfigurations are the biggest threat to their hybrid cloud setup; of these, 73.5% are using manual processes. The potential for error grows as providers, assets, and rules are added, driving greater complexity.

“People are doing repetitive, mundane tasks, and my resources are already stretched too thin, and as I move to the cloud I have a lack of qualified resources pertinent to what I’m trying to achieve,” says Woods of practitioners’ challenges in securing the cloud. “I hear repeatedly, ‘How can you help me to get back some time in the day to some of my best people so they can do the higher-skilled activities I hired them to do in the first place?’”

They only have so much time in the day, much of it spent doing low-skill tasks, he adds.

There is room for automation, Woods continues, but budgets and staffs are already stretched thin. More than 78% of respondents spend less than 25% of their total security budgets on the cloud, a marked increase from 57.5% last year. About 45% spend less than 10% of their security budgets on the cloud, including 8.2% who don’t use any security budget for the cloud at all. The numbers are looking up, with 55.2% who expect their cloud security budgets to increase in the next year.

Even for companies that have the budget to invest in new security systems, there is a widespread frustration of having too many security tools in the first place. “There is no lack of technology … but if you’re not empowering your people to use it effectively, you’re not going to get the return on investment you’re looking for,” Woods adds. Now businesses think they have to buy new tools for the cloud, further driving alert fatigue and complexity.

Nearly 70% of respondents have 10 or fewer people on their security teams, researchers report. Of these, 45.2% have fewer than five people. Fifty-nine percent manage both on-prem network security and cloud security, up from 54% in 2019. Of these, 66.4% are at businesses with fewer than 1,000 people.

Organizations across verticals report differences in who is responsible for securing cloud deployments, Woods adds. It’s not always the traditional IT security team, but stakeholders, DevOps, and business teams who deploy assets and resources without consulting security.

“No doubt they’re getting things wrong along the way without that collaboration,” he says. These teams likely don’t understand the shared responsibility model that exists in the cloud. Further, it seems businesses don’t follow a core unified security policy. As a result, there is nobody verifying cloud deployments or the security controls applied to them.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/enterprise-cloud-use-continues-to-outpace-security/d/d-id/1337130?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SSRF 101: How Server-Side Request Forgery Sneaks Past Your Web Apps

While an SSRF attack will often be used to help an attacker move laterally through an organization, it can use the server’s loopback function (a call to 127.0.0.1) to gain access to application server capabilities that would normally be hidden from the outside.

In both of these cases, the SSRF is taking advantage of the trust relationship that exists between the Web application server and the rest of the enterprise application infrastructure. Since most organizations have allowed systems within their enterprise boundaries to communicate without constant authentication, once an attacker finds a vulnerable Web server, they can move laterally to a wide variety of targets within the enterprise.

The How
There are a variety of techniques that can be used to launch an SSRF attack. Most use a URL that contains data the targeted server doesn’t expect and doesn’t deal with in a safe fashion. In many cases, these involve a handful of specific characters that lead the Web server astray.

In the first example of how an SSRF can begin, the URL string can begin with something other than “http” or “https.” Other schemes include “file,” “dict,” and “image,” each indicating a specific type of resource the server expects to return, while “ftp” and “gopher” are examples of schemes that specify services that will be used to return data. If an application hasn’t been coded to properly whitelist only the resource and service types intended for its use, then one of the others can be the gateway to behavior the developers never intended.

The next example comes via a handful of special characters that can be embedded within URLs. These characters, like the “#” indicating a URL fragment to follow, can be the jumping-off point for malicious URL excursions into resources you thought were safe. Other special characters, like “?” and “*,” can provide similar points of departure through slightly different mechanisms. In all cases, though, the code that follows the special character is the malicious payload that can do digital violence to your security.

Finally, the application server itself can be attacked through URLs specifying that information be returned from 127.0.0.1 or “localhost.” The malicious use of either of these locations in the URL can result in the server giving up sensitive information about itself — information that can then be used for even more powerful and pervasive attacks.

Further, as Kelly Sheridan wrote for Dark Reading: “SSRF poses a threat to cloud services due to the use of metadata API, which allows applications to access configurations, logs, credentials, and other information in the underlying cloud infrastructure. While the metadata API can only be accessed locally, an SSRF flaw makes it accessible from the Internet and could enable lateral movement and network reconnaissance.”

The No
Given the danger, and the modern requirement to have Web-based application servers open to large user populations, what can be done to keep infrastructures safe? As it turns out, several safety options are available to both software developers and security professionals.

The first option is to whitelist or blacklist specific schema and resource locations. Whitelists can be quite powerful, limiting the responses to specific schema types and resource addresses. If an application requires more flexibility than a whitelist easily provides, blacklists can do the job — though they require much more thought and imagination on the part of the developer to eliminate every malicious schema and address.

Response filters that ensure, for example, that a field expected to return a two-digit number can return only a two-digit number are powerful in their own right. They’re the mirror image of input validation, in which the application filters input to make sure that only appropriate, properly formatted input is allowed.

Finally, a zero-trust approach to security, in which the various parts of the application environment must constantly revalidate to one another, can go a long way toward making sure that stray queries from malicious URLs aren’t answered by servers, because no application-level authentication will have taken place between the points involved.
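The scheme whitelist and the 127.0.0.1/“localhost” rejection from the “How” and “No” sections above, combined into one allow-list validator, as an added example that is not part of the original article. The hostnames in ALLOWED_HOSTS and the function name validate_outbound_url are assumptions made for the example.

```python
"""Allow-list validation for URLs a web app fetches on a user's behalf.
Added example, not from the article: it applies the scheme whitelist,
localhost/127.0.0.1 rejection and host whitelist the article describes.
ALLOWED_HOSTS and the function name are constructed for this example."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hosts the application is meant to fetch from (constructed sample values).
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}


def validate_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). Everything not explicitly allowed is rejected."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # drops userinfo, port, brackets
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    # 1. Scheme whitelist: file, dict, gopher, ftp, ... never get this far.
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    # 2. Credentials embedded in the URL are rejected so the host cannot be
    #    misread by a different parser later in the request path.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if not host:
        return False, "missing host"
    # 3. Loopback by name.
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host not allowed"
    # 4. IP literals: report non-public ones (loopback, private, link-local
    #    ranges such as those used by cloud metadata services) explicitly,
    #    and reject public ones too, because the whitelist is by hostname.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal; odd spellings fall to the whitelist
    if addr is not None:
        if not addr.is_global:
            return False, f"non-public address {host} not allowed"
        return False, "IP literals not allowed; use an allow-listed hostname"
    # 5. Hostname whitelist. Fragments ("#...") and query strings ("?...")
    #    are never part of the host, so they cannot change this decision.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    # Caveat: also re-check the resolved address at connect time and do not
    # follow redirects automatically, or a permitted host can bounce inward.
    return True, "ok"
```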

SSRF attacks can be difficult for both human analysts and security technology to spot, and once successful can be the point of entry for malicious payloads that are both serious and long-lasting. Using application and infrastructure design to stop them before they start can help protect an organization from these URL-based bits of bad news.


Article source: https://www.darkreading.com/edge/theedge/ssrf-101-how-server-side-request-forgery-sneaks-past-your-web-apps-/b/d-id/1337121?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple chops Safari’s TLS certificate validity down to one year

Barely noticed by web users, the life expectancy of SSL/TLS certificates has lowered dramatically over the last decade.

Just over a decade ago, domain registrars were selling SSL/TLS certificates, the foundation of HTTPS authentication, that were valid for between 8 and 10 years.

In 2011, a new body called the Certification Authority Browser Forum (CA/Browser Forum), which included all the big browser makers, decided this was too long and imposed a limit of five years.

Then, in 2015 the time limit was dropped to three years, followed by a further drop in 2018 to only two years.

How low could this go?

This week, we learned that the latest answer is one year, or 398 days including the renewal grace period, a change that will apply from 1 September 2020.

What makes this new limit noteworthy, however, is that it was reportedly announced at a CA/Browser Forum meeting by a single member, Apple, in relation to one browser, Safari.

Although not yet officially confirmed, it’s a bold move that presumably prefigures similar announcements by other big browser makers, especially Google, which has assiduously promoted the idea of a one-year limit in recent CA/Browser Forum ballots.

That browser makers were voted down might explain why Apple has decided to enforce the change unilaterally, apparently against the wishes of the Certificate Authorities (CAs) which issue certificates as a business.

The browser makers are adamant that reducing validity is good for security because it reduces the time period in which compromised or bogus certificates can be exploited.

In theory, it also makes it less likely that in future, certificates using retired encryption (certificates based on SHA-1 being a prime example) will be able to soldier on when everyone knows they are vulnerable.

Hassle factor

In theory, CAs should be in favour of reduced certificate validity because it’s good for business – more frequent renewals should mean more frequent fees from those renewals.

In the real world, it’s a lot more complicated. CAs fear their customers, the organisations that buy them, will struggle to cope with the practical difficulties of renewing certificates – and changing the private keys used to authenticate them – more often.

Renewals can be done using automated tools, but it seems that many organisations still manage the process manually. Considering that some will have thousands of certificates to look after, doubling the frequency with which this occasionally complex process (renewing Extended Validation, for instance) needs to be done is bound to create problems the CAs might have to mop up after.

What, in practical terms, does all this mean for certificate admins and browser users?

For current certificates, not much. These will still be valid until their stated expiry date, even if that’s after 1 September 2020. After that, if CAs don’t stop selling the old two-year certificates, Safari users (plus users of other browsers adopting the same policy) visiting a site that uses one will see off-putting ‘website not secure’ warning messages.
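The rule just described, as an added inventory check that is not from the article: certificates issued on or after 1 September 2020 with more than 398 days of validity are the ones an admin needs to reissue. It reads the dictionary shape that Python’s ssl.SSLSocket.getpeercert() returns; the sample certificate dates are constructed.

```python
"""Flag certificates the Safari policy described above would warn about:
issued on or after 1 September 2020 with validity longer than 398 days.
Added example, not from the article. Input is the dict shape returned by
ssl.SSLSocket.getpeercert(); the SAMPLE_CERTS dates are constructed."""
import ssl
from datetime import datetime, timezone
from typing import Dict, List

POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398  # one year plus the renewal grace period


def _utc(cert_time: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() emits."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert: Dict[str, str]) -> int:
    """Whole days between notBefore and notAfter."""
    return (_utc(cert["notAfter"]) - _utc(cert["notBefore"])).days


def violates_policy(cert: Dict[str, str]) -> bool:
    """Certificates issued before the cut-off keep their full stated validity."""
    return _utc(cert["notBefore"]) >= POLICY_START and validity_days(cert) > MAX_VALIDITY_DAYS


def audit(certs: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of certificates to reissue before Safari starts warning on them."""
    return sorted(name for name, cert in certs.items() if violates_policy(cert))


SAMPLE_CERTS = {  # constructed dates, not real certificates
    "old-two-year": {"notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"},
    "new-398-day": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "new-399-day": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  6 00:00:00 2021 GMT"},
    "new-two-year": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for name in audit(SAMPLE_CERTS):
        print(f"{name}: {validity_days(SAMPLE_CERTS[name])} days, exceeds policy")
```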

That isn’t going to happen, of course, because the CAs know perfectly well that browser makers, the web’s gatekeepers, hold all the cards.

More likely, they’ll start offering automation of their own, multi-year plans, and discounts for organisations that sign up for longer time periods. A solution will be found that lightens the burden and stops alarming messages appearing for otherwise genuine certificates.

The question is where things go from here. If certificates are a security risk, why not move to even shorter renewal time periods that reduce the window of opportunity?

With increasing automation and adjusted business models that reduce the financial burden, it’s possible that even one year might one day sound like a long time for a certificate to remain valid. Watch that padlock.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cpkLvAwmg9A/