Cloud vs. On-Prem: Why opting for on-prem can cost you your next data breach

April 5, 2021

Most CISOs and IT teams spend their time asking themselves “when”, not “if”, they will be the next company to suffer a data breach. And rightfully so. The frequency of data breaches is skyrocketing, with no sign of slowing down. 

To help quantify the problem, recent research from Canalys shows that there were more records compromised in the last 12 months than in the last 15 years combined. And that’s despite an increase in cybersecurity spending! So, it raises the question: With modern technology and growing budgets, why are so many companies still suffering from so many breaches? I believe it comes down to two common problems: stolen credentials and unpatched software.

Stolen, weak, or phished credentials are something that we talk about a lot here at Yubico, but patching and updating old software is a conversation that is increasingly at the forefront of our customer conversations. For the purpose of this blog, I’ll be focusing on the latter and diving into some of the challenges with on-premise infrastructures and how cloud-first adoption can not only alleviate some of these pain points but also mitigate risk. 

What’s the problem with on-premise?

The Microsoft Exchange Server and Accellion FTA hacks are the most recent examples of large-scale issues that highlight the challenges with on-premise infrastructure, particularly patch management. Among these challenges is the task of maintaining a large and diverse infrastructure, the availability of expertise to do so, and the common problem of maintaining an accurate view of assets with the level of detail required to address vulnerabilities in everything from operating systems to individual library dependencies. 

The time between the release of a security patch and the exploitation of the vulnerability continues to shrink. According to research from FireEye Mandiant Threat Intelligence, 58% of vulnerabilities in 2018 and 2019 were exploited as zero-days. What’s more concerning is that 42% of vulnerabilities were exploited after a patch was issued — 12% exploited within one week of patch issuance, and 15% within two to four weeks of patch issuance. This means that an attacker has understood the vulnerability, weaponized it, and successfully attacked an enterprise before the enterprise has had a chance to apply the associated patch. Attackers know full well that companies take time to patch, and they seize that window of opportunity.

Additional research from UC Berkeley demonstrates the feasibility of automatically generating exploits based on patches, further underscoring the need for enterprises to patch quickly. 

Unfortunately, the size and complexity of large enterprises have led to a 30-60-90 day patching cycle in many organizations. In most cases, even if a company wanted to compress this timeline, it can only do so for a subset of its most critical and most exposed systems. Not to mention, this requires a significant amount of resources and an accurate and detailed inventory of hardware, software, and third-party sourced libraries — something that most companies struggle to maintain. For companies in heavily regulated industries such as financial services, healthcare, or the public sector, this problem is exacerbated by compliance requirements.

Of course, there are tradeoffs with speed. The faster that IT teams move to patch a vulnerability, the greater the risk of breaking other systems or even losing online availability. This can be avoided by designing a staged process that identifies negative impacts early on, but that also requires a level of maturity that many organizations lack.

Cloud-first accelerates digital transformation  

Ultimately, the scale and maturity of on-prem infrastructure typically pales in comparison to what major cloud providers can offer. While there are often benefits to moving to a cloud-based solution, companies should still regularly perform due diligence to ensure they are not inheriting different or more serious problems.

When done well, and with appropriate vetting, cloud adoption allows organizations to benefit from the scale, agility, maturity, and overall investment made by the leading platform providers. Having access to automatic updates, patches, and real-time monitoring and response — all without requiring additional resources — is a key factor that has contributed to the continued rise of cloud adoption, especially within the last year. 

Enterprises reinvigorated digital transformation plans that were set to take place over the course of months or years and moved to the cloud in a matter of weeks to support a vastly dispersed and vulnerable workforce. In fact, recent data from Gartner shows that worldwide spending on public cloud services is forecast to grow 18.4% in 2021 to a total of $304.9 billion. This is validated by the shift we’ve seen in industries like the public sector, notorious for its reliance on PIV and CAC cards, which adapted overnight to support thousands of teleworkers with new methods of strong authentication.

Given the evolving threat landscape, and the wide-sweeping impact of breaches like the Microsoft Exchange Server attack and PHP Git server compromise, companies serious about security should strongly consider large cloud providers’ capabilities versus their own when performing risk assessments. 

Identity assurance is critical in a remote, cloud-first world

For organizations that are ready to move to the cloud, a strong identity system based on Single Sign On (SSO) and strong phishing-resistant multi-factor authentication (MFA) must be considered early on. Not only does this allow enterprises to streamline access to decentralized applications across cloud providers using techniques like federation, but it allows this to be done with a high degree of trust in the systems, devices, and users accessing corporate assets. 

Of course, not all MFA is created equal; a recent VICE article points out the flaws of SMS-based codes. Security keys, like the YubiKey, are the only MFA method proven in a Google study to protect against targeted phishing attacks 100% of the time.
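The reason a security key resists phishing where an SMS code does not is that the browser, not the user, tells the key which site is asking, and the key signs that origin into its response. The simulation below is an added example, not Yubico's or any library's code: it stands in a shared secret and HMAC for the key pair and signature a real FIDO2/WebAuthn authenticator uses, and the relying party `login.example.com` and the look-alike page `login.example.net` are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo, not Yubico's or any library's code. One shared secret and
# HMAC stand in for the key pair and ECDSA signature a real FIDO2/WebAuthn
# authenticator uses; the relying party and domains below are assumptions.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
KEY_SECRET = b"constructed-credential-secret"

def security_key_assert(origin: str, challenge: bytes) -> dict:
    """Browser plus security key: the browser, not the user, fills in the origin
    of the page requesting the assertion, and the key signs over that origin
    together with the hash of the RP ID derived from it."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": challenge.hex()}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    sig = hmac.new(KEY_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": rp_id_hash, "sig": sig}

def rp_verify(assertion: dict, challenge: bytes) -> bool:
    """Relying party: accept only if the signed origin and RP ID hash are ours
    and the signature covers them, so an assertion relayed from a look-alike
    page fails even though the user touched a genuine key."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(KEY_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def sms_otp_verify(sent_otp: str, typed_otp: str) -> bool:
    """An SMS code carries no origin, so one typed into the wrong page still verifies."""
    return hmac.compare_digest(sent_otp, typed_otp)

def run_demo() -> dict:
    challenge = bytes(range(32))  # constructed server challenge
    genuine = security_key_assert(EXPECTED_ORIGIN, challenge)
    # The same challenge served through a constructed look-alike page: the
    # browser reports that page's origin, so the signed data no longer matches.
    relayed = security_key_assert("https://login.example.net", challenge)
    return {"key_genuine": rp_verify(genuine, challenge),
            "key_relayed": rp_verify(relayed, challenge),
            "sms_relayed": sms_otp_verify("482913", "482913")}
```

In a real deployment the browser additionally refuses to use a credential whose RP ID does not match the page's domain, so the look-alike case is usually stopped before the key is even touched; the relying-party check above is the second line of defense.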

Yubico partners with several leading cloud identity providers like Axiad, Duo, Google, Microsoft, Okta, Ping, RSA, and more, to enable enterprises to achieve company-wide security with hardware-based YubiKey protection. By securing one centralized point of login with a single gesture, and enabling single sign-on (SSO) for any additional business-critical applications, enterprises can ensure that they are giving the right access to the right users at the right time, which is essential in a remote, cloud-first world. 

To learn about other leading cloud service providers that offer YubiKey support, visit our Works with YubiKey catalog.

For more best practices on how to future-proof your identity and access management strategy with strong authentication, join our latest on-demand webinar with Capital One, “Authentication Best Practices to Protect Against Identity Phishing.”