Of the over 400 IT professionals who responded to Cyber-Ark Software's fourth annual "Trust, Security and Passwords" survey, 41% admitted to abusing administrative passwords to access sensitive or confidential information, such as HR records and customer databases. This is an increase of 8% since last year's survey.
Considering the somewhat small sample size, and the fact Cyber-Ark sells vaulting technology specifically designed to solve this type of problem, the results of this survey should be viewed with some skepticism. But it highlights significant challenges in internal data security and the migration towards the cloud.
As we reported Monday, 87% of respondents in a recent cloud computing survey are concerned with security in the cloud, but many enterprises' own internal security processes are far from perfect.
According to the Cyber-Ark survey, 70% of organizations have controls to monitor privileged access, but 61% say of respondents say they can circumvent these controls. The other 30% of organizations have no protection against admin abuses at all.
Meanwhile, 35% of respondents believe that sensitive data had been leaked to competitors by ex-employees. Only 10% of data leaks were believed to have been the result of malicious external hackers.
As pointed out in a report by the Cloud Security Alliance, storing data in the cloud increases the total number of individuals with potential access to sensitive data, and thereby increases the risk of data theft by a malicious insider. But many of the same practices used to protect against internal data theft can be applied in the cloud as well.
Security software company Trend Micro has some suggestions for dealing with this issue as well:
Enforce strict supply chain management and conduct a comprehensive supplier assessment.
Specify human resource requirements as part of legal contracts.
Require transparency into overall information security and
management practices, as well as compliance reporting.
Determine security breach notification processes.
Another possible solution is to encrypt all data stored in the cloud (Trend Micro has promised a cloud encryption solution).
In our new free report The Future of the Cloud: Cloud Platform APIs are the Business of Cloud Computing, Mike Kirkwood writes that data tracking will be as important as data protection in the cloud.
And of course, read these 12 Questions To Ask a Provider About Cloud Security.
Thanks to Mirko Zorz of Help Net Security for bringing this survey to our attention.