The results are in: We have made zero progress since 2010. This was the year that IDC published results of a survey regarding cloud computing, and it found that security was the biggest barrier toward adoption. This statistic has found its way onto pretty much every presentation about cloud computing since 2010.
Well the year is 2016, and a recent Intel Security study asked 1,200 IT decision-makers what their biggest concern is; the most common answer was data breaches. What is remarkable about this is that the next question in the survey asked respondents to comment on what issues they have experienced, and they were not security related. In fact, the biggest issue was the difficulty in migrating services or data. Incidentally, this is likely to get worse as the use of platform-as-a-service and infrastructure-as-a-service become more ubiquitous.
This does beg the question as to whether the issue of security concerns is exaggerated. Indeed, those of you that have heard me speak know that I do not believe the term “cloud security” is even an issue. Firstly, the concept of cloud is misused. If we strictly adhere to the NIST definition as per NIST 800-145, then the number of service providers offering a cloud service is a lot smaller than Google results suggest.
One of the key characteristics of a cloud provider (as per NIST) is to provide offering on-demand self-service. In 2012, the website CloudSleuth investigated how many cloud service providers actually fulfilled this characteristic; its research found that “of the 20 companies we selected in this round, only 11 were fully self-serve, nine required some level of sales interaction, and astoundingly, three of those nine simply didn't respond to our requests.”
It's About Transparency
So the term “cloud service provider” in practical terms is simply a company offering computing resources over broad network access. (Thank you, NIST!) Now let’s move to the concern regarding security. The question is not whether a provider is secure -- moving away from the argument over what constitutes secure or not. The challenge is how to determine the level of security of a provider. Therefore, the challenge has never been about security, but about transparency; in other words, how can you determine the security posture of a third-party provider without the ability to physically audit? Of course, annual audits have been the default tool of choice for many years now, but this model only provides a certain level of assurance.
Work within the Cloud Security Alliance (with whom we collaborated on this research) has begun to develop the necessary tools to provide the transparency so desperately needed. For example, STAR is a registry that documents the security controls deployed by providers. But perhaps the most encouraging tool is STAR Continuous Monitoring, which provides transparency of the security posture of a provider even after the auditor has left the building.
Perhaps for 2017 the concern of cloud security will not make it onto the opening slide of every presentation, and we can discuss the adoption of tools such as STAR that provide the requisite transparency into third-party providers. If there is concern about the security of a cloud provider, then the simple answer will be not to use them and to find a provider that satisfies the risk appetite of the end customer.