GRC Tuesdays: Cloud Security Fears Rise—SAP Reinforces Control
Cloud Security Breaches Are Growing
SAP customers—and companies in general—are investing in cloud computing infrastructure for familiar and well-established reasons. These reasons include improved data scalability, higher resource availability, ease of user training, ease of use, business continuity and IT cost reduction.
As organizations across the world continue to invest in cloud resources, cloud-related security incidents and breaches continue to escalate. From the middle of 2017 through the middle of 2018, 18% of organizations polled experienced at least one cloud security incident. This is double the number reported in the 12 months from the middle of 2016 to the middle of 2017, according to the most recent report published by Cybersecurity Insiders.
Along with the rise in the number of incidents, concerns over cloud security are increasing. According to the Cybersecurity Insiders’ report, 91% of security professionals polled admitted that they’re worried about their ability to detect and deter breaches in their cloud environments. This is an increase of 10 percentage points over the previous year’s poll, in which 81% of cybersecurity professionals indicated such concerns, and it reverses the downward trend on this issue seen over the previous four years.
These findings are included in Crowd Research Partners’ 2018 Cloud Security Report. This report is based on a comprehensive annual online survey of 570 cybersecurity professionals, including CISOs, security analysts, and IT managers. As the latest report shows, fears over security that have hindered cloud adoption in the past are still in play.
Security Challenges Abound
Organizations face a range of issues as they begin to rely more heavily on cloud infrastructure for their technology resources. Among other considerations, companies have learned that their legacy security tools have limited capabilities in the cloud. Encryption of data at rest (used by 64% of respondents) and of data in motion (54%) top the list of the most commonly used cloud security technologies, followed by Security Information and Event Management (SIEM) platforms (52%).
A mere 16% of organizations surveyed believe traditional data protection tools can manage security across their cloud platform (representing a 6% decline from the 2017 survey). Most security professionals (84%) maintain that legacy solutions either don’t function in cloud environments or provide only limited functionality.
The leading security challenges reported by these organizations are ‘visibility into infrastructure security’ (cited by 43% of respondents) and ‘compliance’ (38%). Respondents also struggle to establish consistent security policies across cloud and on-premise environments (35%) and are concerned that cloud security is falling behind the pace of change in applications (35%).
Most respondents (62%) named ‘misconfiguration of cloud platforms’ as a key threat to cloud security, followed by ‘unauthorized access’ through misuse of employee credentials and improper access control (55%) and insecure interfaces and APIs (50%). Half of the respondents said they use their cloud provider’s security tools, and 35% deploy third-party security software to ensure that cloud security controls are in place.
The top data security challenges in the cloud environment according to survey respondents were as follows:
- Protecting against data loss and leakage—67%
- Threats to data privacy—61%
- Breaches of confidentiality—53%
A New Hope
Despite widespread concern about cloud security, the 2018 Cloud Security Report revealed some positive indicators around security education. For a second consecutive year, ‘training and certification of existing IT staff’ ranked as the most popular method (cited by 56% of respondents) of meeting growing security needs. As technology changes and threats evolve in the cloud, keeping internal skills up to date is critical.
Organizations surveyed also understand that continued investment in security is necessary, as nearly half of them (49%) expect their cloud security budgets to increase in the foreseeable future. The median expected increase in the security budget is 22% (year-on-year).
From the overall findings of this year’s survey, as cloud investments continue to grow, more effort must be focused on securing the rapidly emerging cloud environment to minimize threats and to ensure the overall safety of cloud computing.
SAP Cloud Security Standards
Fortunately for SAP cloud customers, SAP has developed and implemented an integrated cloud security compliance framework based on multiple international standards. This approach provides a consistent, secure service that meets both customer and regulatory requirements. We maintain secure operations in our cloud services through the effective application of this framework, which includes continuous improvement and prevents nonconformity.
All SAP cloud units are certified against ISO/BS standards and are audited annually by our certification body. Our cloud security compliance standards include:
- ISO/IEC 9001 Quality Management System: a standard based on several quality management principles, including a strong customer focus, the motivation and involvement of top management, and a process-based approach to continual improvement.
- ISO/IEC 27001 Information Security Management System: a well-known global standard in the ISO family that provides a holistic, risk-based approach to security and a comprehensive, measurable set of information security management practices.
- ISO/IEC 22301 Business Continuity Management System: the international standard for business continuity management, designed to protect business operations from potential disruptions such as extreme weather, fire, flood, natural disasters, theft, IT outages, staff illness and terror attacks.
- BS 10012 Personal Information Management System: covers areas such as employee security awareness training, risk assessments, and data retention and disposal, and establishes the policies and procedures that enable effective management of personal information about individuals.
- ISO/IEC 20000 Service Management: a standard that provides measurable quality guidance for the best-practice framework IT Infrastructure Library (ITIL) and incorporates elements from other frameworks such as Control Objectives for Information and Related Technologies (COBIT).
SAP Service Organization Control Reports
SAP also offers service organization control (SOC) reports to provide assurance and insight into the design and operating effectiveness of the internal control systems implemented within its cloud delivery units. SOC reports are produced under independent audit standards. Cloud solutions from SAP are audited by our external auditor at least once a year.
SOC 1 Reports: The auditor of a customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to the customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 16 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design of the controls audited (type I and type II reports) and of their operating effectiveness (type II reports only).
SOC 2 Reports: Customers and prospects are given insight into the control system relevant to the security, availability, processing integrity, confidentiality and privacy of the data in use. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design of the controls audited (type I and type II reports) and of their operating effectiveness (type II reports only).
SOC 3 Reports: Interested parties receive a report on the control system implemented within cloud solutions from SAP as it relates to security, availability, processing integrity, confidentiality and privacy. The SOC 3 report is a short-form record that describes the controls testing and its results and summarizes the findings of the respective SOC 2 audits.