The shift to the cloud and the accelerated adoption of critical software as a service (SaaS) data applications has proven to be a security challenge for many chief information officers (CIOs) and chief information security officers (CISOs).

A Foundry survey commissioned by Keepit found uncovered data protection struggles amid cloud and AI expansion, with key systems and custom applications still vulnerable, even though seven in 10 respondents have data protection strategies for financial applications.

Less than half of customer relationship management (CRM) and enterprise resource planning (ERP) systems are covered by data protection strategies, and just half of e-commerce and HR management systems are protected.

Half of respondents said they have included cloud-stored data for critical SaaS applications in their disaster recovery plans, with 40% planning to do so.

Nearly all organizations prioritize AI data protection, with 52% already implementing tools for chatbots and AI platforms and 43% considering them.

Stephen Kowski, field CTO at SlashNext Email Security+, explained emerging AI technologies are introducing new data protection challenges for financial applications, including the need to secure AI models and training data.

“Advanced threat detection using AI can help identify and mitigate risks to sensitive financial data in real-time,” he said. “Proper governance frameworks are crucial to ensure AI systems comply with data protection regulations.”

He pointed out that common vulnerabilities in key systems and custom applications often include misconfigurations, outdated software and insufficient access controls.

“Insider threats and social engineering attacks targeting employees with access to these systems pose significant risks,” Kowski said.

He recommended implementing continuous security monitoring and automated threat detection to help identify and address these vulnerabilities proactively.

Adding Guardrails, Reducing Friction

Rom Carmel, co-founder and CEO at Apono, said automation can help organizations put guardrails around their sensitive data without adding friction, giving users the right access to the right data at the right time in a secure way.

“The more assets and applications you have to worry about, the larger the attack surface you have to defend,” he said. “We’re seeing more and more security leaders consolidating access management to one platform to enhance their visibility and control across all their highly decentralized cloud resources.”

He pointed out the recent Snowflake breaches as a key example of how the lack of unified policy enforcement, such as requiring MFA on accounts, can have wide-reaching impacts.

“This raises the need for a change in strategy that puts a greater emphasis on securely managing access to resources,” he said.

The report also revealed the degree to which emerging AI technologies impact current data protection strategies for financial applications.

From the perspective of Gal Ringel, co-founder and CEO at Mine, much of the conversation around AI governance remains more theoretical than practical.

“What is clear is that AI technologies carry more risk and bring more capable tools into the hands of bad actors,” he said.

This means data protection needs to adapt, from being more selective about data collection and processing to keeping a careful eye on data retention timelines and data processing agreements with third parties.

“The scope of vigilance organizations will need to have is drastically larger than it ever has been before,” Ringel explained.

Improving Compliance in Cloud, AI Environs

To improve compliance with data protection regulations as they transition to more cloud-based and AI-driven environments, organizations must ensure proper visibility over the AI systems within the data stack and how they are using personal data — particularly if those systems are operating in the cloud.

“If you can’t identify and pay extra attention to AI-powered products, how are you going to combat the new security threats posed or even comply with emerging AI regulation?” he asked.

Organizations can balance the need for robust data protection with the growing demands for agility and innovation in their IT environments by being selective about which data systems they’re comfortable using.

They must also understand the risks of each data system, and work closely with third parties to safeguard the consumer data they’re passing along.

Rignel explained even with data protection regulations globally, it wasn’t until the past few years that many started prioritizing compliance and best practices, and now AI is compelling enterprises further to expand the scope of their compliance programs.

“If you can manage that with a streamlined data stack full of software that isn’t playing fast and loose with consumer data, you can have the best of both worlds with data protection and innovation,” he said.