It is often assumed that encryption is the gold standard method for securing assets in the cloud. Cloud providers give assurances that all their services are “encrypted by default.” Several regulatory and cloud compliance policies mandate that organizations encrypt data at rest, in use, and in transit. All of this should make cloud environments secure, right? However, the reality is slightly more nuanced.
Many breaches occur not because encryption algorithms are weak or because attackers can crack them. They occur because attackers never need to. Instead, attackers exploit other weaknesses. Access may be over-permissive, key governance may be poorly managed, configurations may be exposed, and there may be an overall lack of visibility into how data is actually being used.
Read the original article: