Vulnerabilities / Threats
5/19/2016
11:20 AM

5 Reasons Enterprises Still Worry About Cloud Security

Cloud spending and adoption have been on the rise for years, but the gap in cloud security confidence still gives enterprises pause.

The notion that the cloud is less secure than traditional networks and infrastructure is still a fear for many despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (survey was conducted from March – April 2016). 

The survey, which gathered responses from 2,200 professionals from the Information Security Community on LinkedIn, also found that over half (52%) of respondents believe that cloud apps are as secure or more secure than on-premises applications. 

That still leaves a big gap in cloud security confidence, and the issue couldn't be more top of mind in today’s enterprise IT environment. According to the study, one of the major barriers to cloud adoption is the fear of data loss and leakage (49%). It’s not surprising that this is a deterrent; the news is littered with data breaches, and those are just the ones being reported, says Holger Schulze, founder of the LinkedIn community and author of the Cloud Security 2016 Spotlight Report.

The cloud has been around since the late nineties (some would argue before), so why isn’t security there yet? Here are five reasons why enterprises still stress about cloud security.

1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up 

Cloud computing has seen Moore’s Law-style exponential growth over the last ten years or so and there seems to be no plateau in sight. World-wide spending on public cloud infrastructure -- hardware and software -- is expected to reach $38B this year and $173B by 2026, with Amazon holding the largest infrastructure as a service (IaaS) market share. Schulze believes we’re only seeing the tip of the iceberg and that Amazon as a cloud provider will be more dominant and influential than the likes of Microsoft, Apple, or any of the major tech giants. 

“Most [security] vendors were not surprised but overwhelmed by the rapid adoption of cloud and they may not have ramped up enough,” says Schulze. He also notes that cloud computing is just a whole lot more complex than traditional environments. The dynamic nature of cloud environments -- workloads moving from one data center to the next and sometimes in different time zones -- is difficult to secure.

Schulze also believes that the government should play a role in helping the security industry along. “[The government should] mandate encryption and enforce penalties for companies that suffer data breaches,” he says. “I’d like to be optimistic, but this year we don’t see that trend [of security catching up to cloud innovation] shifting. Maybe next year,” he chuckles. 

2. IT still feels like they don’t have the proper tools to secure the cloud 

The survey found that 59% of respondents believe that traditional network security tools/appliances work only somewhat or not at all. “Most of the security platforms and tools today…have not been built for the cloud,” says Schulze. “They were designed for traditional IT environments, traditional data centers and networks hosted in a physical data center, in your data center [and] security tools were designed around that static environment.”

“It turns out, not surprisingly, that these security tools do not work at all in the cloud,” says Schulze. Unlike traditional environments, cloud environments are not static but highly virtualized and dynamic. “It’s completely putting on its head the traditional network model,” he says.

3. Storing and accessing data in the cloud could be a lawsuit waiting to happen 

The benefits of the cloud abound, but companies are realizing that it can be a liability to host data there, which gives pause to those that haven’t taken the migration plunge. According to the survey, legal and regulatory compliance fears moved from the No. 7 concern in 2015 to No. 4 in 2016 (42%, up from 29%).

Schulze attributes the rise to organizations’ decisions to store and access more types of data in the cloud. “Cloud computing has been a pilot project…companies dipped their toes in the water” with non-strategic data, he says. But as companies have seen the benefits of cloud (cost, speed, agility), “they’re moving more business critical apps and data into the cloud and that whole notion of compliance is kicking in.”

Healthcare providers, for example, Schulze says, are putting patient data in the cloud, and enterprise customer data is also increasingly moving to the cloud. As a result, he says, companies need to lock down compliance loopholes -- even in environments where they don’t have control and trust the cloud partner to be the “custodian of their data.”

4. Lack of visibility and the fear of letting go 

The natural fear of losing control over the data center and the feeling that IT lacks visibility into their cloud security is also a top concern for current and prospective cloud adopters, survey respondents said.  Nineteen percent of respondents cited a lack of data visibility and transparency as a top cloud security concern. Visibility into the security infrastructure ranked the second highest (49%) after verifying security policies (51%). 

Schulze also pointed to respondents' fear of not having control over data if it’s hosted in a public cloud. “If they’ve been breached they might not see it,” he explains, noting that over half of respondents indicated that they do not believe their cloud environment has been breached and over half also believe that the cloud is more secure.

5. Security is still an afterthought, or not a thought at all 

It turns out enterprises might have reason to fear cloud security, since a frightening 15% of respondents said that security is completely ignored in their organization's continuous development methods like DevOps and 46% said that security slowed down DevOps. The good news is that 31% of respondents said that security is fully integrated with DevOps.

In order to fully realize the benefits of the cloud, Schulze warns that built-for-cloud-security products must adhere to the DevOps process. At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...
