Expert Warns Of Gaps In Cloud Security Standards

More companies than ever are using the cloud, and that number is only expected to grow. Recent projections predict that the cloud computing market will grow from $233 billion in 2019 to $295 billion by 2021.

That increase has also led to a surge in cyberthreats, with a research study conducted by global intelligence firm IDC finding that nearly 80% of the companies surveyed experienced at least one cloud data breach in the past 18 months, and nearly half (43%) reported 10 or more breaches.

As a result, companies need to step up their security to protect themselves and keep business running smoothly. However, many organizations mistakenly believe that meeting the standards of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework protects them from security issues in the cloud.

While the NIST framework helps to improve IT measures and standards, including how to protect data, there are serious issues with its cloud security standards. According to Doug Hazelman, the Senior VP & Chief Evangelist for CoreView, a company that specializes in SaaS management, some of the biggest gaps include the fact that there is no NIST standard that stipulates log files should be kept longer than 30 days.

“This is an extremely short timeframe when you consider the wealth of information present in logs. This lack of retention creates a major reporting challenge for organizations, especially large enterprises,” he wrote. “Given it takes more than four months on average to detect a data breach, the current 30-day limit simply doesn’t cut it. Extended audit log retention ensures IT teams have the forensic data they need to investigate potential root-causes of security incidents.”

In addition, Hazelman believes that the shared responsibility model results in gaps in visibility and security monitoring applications, and NIST also does not specify tenant delegation, which can create major security challenges when PII and intellectual property are concerned.

Given companies’ increasing dependency on the cloud, it will be important to identify these gaps in the framework to ensure that companies are implementing the best possible security practices to protect their data.