Some 60% of global security professionals misunderstand the concept of “shared responsibility” in the cloud, potentially putting their organizations at risk, according to Centrify.
The identity and access management (IAM) vendor polled 700 cybersecurity pros to compile its new report, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments.
It found that nearly two-thirds of respondents incorrectly believe that their cloud provider is responsible for securing privileged access. In fact, under the shared responsibility model espoused by Amazon Web Services, Microsoft Azure and others, the provider is only responsible for the infrastructure of the cloud itself — the hardware, software, networking and other functions.
Customers are responsible for security “in” the cloud, which includes customer data, apps, operating systems and network and firewall configurations.
The report also revealed that many organizations aren’t deploying a common security model or enforcing least-privilege access, as best practices recommend.
What’s more, three-quarters (76%) are using more than one identity directory to manage cloud users, which Centrify claimed puts them at risk of “identity sprawl” and potential security gaps.
“As the enterprise threat-scape expands, organizations are faced with new challenges to secure modern attack surfaces, and this report makes it clear that the cloud is no exception,” said Tim Steinkopf, Centrify CEO.
“We know that 80% of data breaches involve privileged access abuse, so it’s critical that organizations understand what they are responsible for when it comes to cloud security, and take a least privilege approach to controlling privileged access to cloud environments. Too much access and privilege puts their workloads and data at risk.”
Some 60% of respondents said that security is their number one challenge when it comes to cloud migration projects. This is slightly at odds with a Nominet study from September that revealed CISOs believe the cloud to be as safe as on-premises infrastructure.