The following is an excerpt from our White Papers, “Understanding Microsoft Cloud Services and Security.” Click here to claim your free copy!
Perceived Cloud Security Risks
Many of the reasons organizations have not moved to the cloud is because of perceived threats. Most organizations enjoy the safety and comfort of hosting all infrastructure and services themselves. The ability for the Security and IT teams to see the servers and update, monitor and control all devices brings comfort that most management and executive teams require.
Though the cloud may seem new, organizations have been outsourcing services and technology for years. Providers delivered hosted technology offerings that are located offsite with client access via private or public connections. However, for some reason, the thought of moving everything into a public cloud service, such as Microsoft’s Office 365, raises concerns.
In a survey completed in 2015, the top perceived security threats with cloud services were:
Interestingly, the most common security breaches such as malware and denial of service attacks were not in the top perceived security threats.
Real Cloud Security Risks and Concerns
The top perceived security fears may be justified, considering that more organizations have experienced a security or data breach within their public cloud service than their on-premises applications. On this main issue, when comparing percentage of breaches within cloud applications versus on-premises applications, the cloud has a higher rate of security breaches.
However, dig a little bit deeper into the data and you’ll find that oftentimes the attack within the cloud was not a brute-force attack on the service itself, but more of an attack on the end user and their account. Breaches that took place on-premises were a mix of the same account attack and (a higher percentage of) core infrastructure attacks. When dealing with a security or data breach, the follow up actions and events performed by Security and IT teams can have a great impact on the potential damage caused.
In speaking with Chris Givens, a Microsoft MVP and Sr Cloud Architect at Solliance, he stated “Office 365 has the possibility of being secure, but not right out of the box. It requires some effort. The customer must choose to take the right security precautions.” From our research, most organizations responded that they had not put the effort into their security configuration, and often did not even own the correct licenses required to implement the services.
The fact is, the real security concerns come from the misunderstanding that an organization loses some level of security and control by going to the cloud. In fact, according to Eric Raff, a Cloud Solutions Architect at JourneyTeam, “Office 365 doesn’t come out of the box secure, it doesn’t have the visibility and tools necessary. To get a comprehensive security solution for Office 365 you really need to add the Microsoft Enterprise Mobility Suite. However, this adds another level of complexity and another stack of things to understand and implement.” He also added, “It is a fine line that Microsoft walks. Office 365 is a collaborative environment where things are meant to be shared, but ‘sharing’ is the thing one is trying to prevent in terms of cyber security.
Therefore, sharing is one of the biggest security risks with Office 365, and it is up to the user to ensure that only the right people can access the company’s sensitive information.”
The Bottom Line
Many of the respondents of the CollabTalk survey stated that they had concerns with Microsoft security in the cloud. At the same time though, many respondents also stated they did know about Microsoft’s overall security strategy and thought that it was appropriate. For example, understanding that Microsoft has a dedicated Red and Blue Team for both Office 365 Services and Microsoft Azure, respondents agreed that Microsoft is showing a real commitment to security.
The discrepancy between concerns over Microsoft’s cloud services while acknowledging their industry-leading cloud security programs and efforts highlights an important fact: the perceived threat comes from a lack of education and understanding, not from Microsoft’s failure to provide adequate cloud security measures.
Second, respondents also stated that they did not want to pay for extra services and licenses that would provide the required security to remove the risks and concerns. This is especially true for services that would protect end user accounts, which are the often the primary attack vectors.
Jeremy Grant, Managing Director at Venable LLP, stated in a congressional hearing, Identity Verification in a Post Breach World, that “There is no such thing as a ‘strong’ password in 2017 and we should stop trying to pretend otherwise.”
Third, we identified that many organizations felt they had inadequate in-house security professionals to implement what is needed to create a cloud security infrastructure. From our findings, lack of education and lack of security IT budget will also be a stumbling block for many organizations.
If there really are no secure passwords, then this is a significant issue for Microsoft. Microsoft has security offerings that are much stronger than a password. Multi-Factor-Authentication comes with an additional cost, leaving many organizations behind who think they are saving money by purchasing less expensive licenses. They don’t understand its necessity, and thereby introduce serious security risks to their environments.
Found this article informative? Don’t forget to subscribe to our blog for more on cloud security.