5 Reasons Enterprises Still Worry About Cloud Security

Cloud spending and adoption have been on the rise for years, but the gap in cloud security confidence still gives enterprises pause.

The notion that the cloud is less secure than traditional networks and infrastructure is still a fear for many, despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (the survey was conducted from March to April 2016).

The survey, which gathered responses from 2,200 professionals from the Information Security Community on LinkedIn, also found that over half (52%) of respondents believe that cloud apps are as secure or more secure than on-premises applications. 

That still leaves a big gap in cloud security confidence, and the issue couldn't be more top of mind in today’s enterprise IT environment. According to the study, one of the major barriers to cloud adoption is the fear of data loss and leakage (49%). It’s not surprising that this is a deterrent; the news is littered with data breaches, and those are just the ones being reported, says Holger Schulze, founder of the LinkedIn community and author of the Cloud Security 2016 Spotlight Report.

The cloud has been around since the late nineties (some would argue before), so why isn’t security there yet? Here are five reasons why enterprises still stress about cloud security.

1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up 

Cloud computing has seen Moore’s Law-style exponential growth over the last ten years or so, and there seems to be no plateau in sight. Worldwide spending on public cloud infrastructure -- hardware and software -- is expected to reach $38B this year and $173B by 2026, with Amazon holding the largest infrastructure as a service (IaaS) market share. Schulze believes we’re only seeing the tip of the iceberg and that Amazon as a cloud provider will be more dominant and influential than the likes of Microsoft, Apple, or any of the major tech giants.

“Most [security] vendors were not surprised but overwhelmed by the rapid adoption of cloud and they may not have ramped up enough,” says Schulze. He also notes that cloud computing is just a whole lot more complex than traditional environments. The dynamic nature of cloud environments -- workloads moving from one data center to the next and sometimes in different time zones -- is difficult to secure.

Schulze also believes that the government should play a role in helping the security industry along. “[The government should] mandate encryption and enforce penalties for companies that suffer data breaches,” he says. “I’d like to be optimistic, but this year we don’t see that trend [of security catching up to cloud innovation] shifting. Maybe next year,” he chuckles. 

2. IT still feels like they don’t have the proper tools to secure the cloud 

The survey found that 59% of respondents believe that traditional network security tools/appliances worked only somewhat or not at all. “Most of the security platforms and tools today…have not been built for the cloud,” says Schulze. “They were designed for traditional IT environments, traditional data centers and networks hosted in a physical data center, in your data center [and] security tools were designed around that static environment.”

“It turns out, not surprisingly, that these security tools do not work at all in the cloud,” says Schulze, which, unlike traditional environments, is not static but highly virtualized and dynamic. “It’s completely putting on its head the traditional network model,” he says.

3. Storing and accessing data in the cloud could be a lawsuit waiting to happen 

The benefits of the cloud abound, but companies are realizing that it can be a liability to host data there, and it gives pause to those that haven’t taken the migration plunge. According to the survey, legal and regulatory compliance fears moved from the No. 7 concern in 2015 to No. 4 in 2016 (42%, up from 29%).

Schulze attributes the rise to organizations’ decisions to store and access more types of data in the cloud. “Cloud computing has been a pilot project…companies dipped their toes in the water” with non-strategic data, he says. But as companies have seen the benefits of cloud: cost, speed, agility… "they’re moving more business critical apps and data into the cloud and that whole notion of compliance is kicking in."

Healthcare providers, for example, Schulze says, are putting patient data in the cloud, and enterprise customer data is also increasingly moving to the cloud. As a result, he says, companies need to lock down compliance loopholes -- even in environments where they don’t have control and trust the cloud partner to be the “custodian of their data.”

4. Lack of visibility and the fear of letting go 

The natural fear of losing control over the data center and the feeling that IT lacks visibility into their cloud security is also a top concern for current and prospective cloud adopters, survey respondents said.  Nineteen percent of respondents cited a lack of data visibility and transparency as a top cloud security concern. Visibility into the security infrastructure ranked the second highest (49%) after verifying security policies (51%). 

Schulze also pointed to respondents' fear of not having control over data if it’s hosted in a public cloud. “If they’ve been breached they might not see it,” he explains, noting that over half of respondents indicated that they do not believe their cloud environment has been breached and over half also believe that the cloud is more secure.

5. Security is still an afterthought, or not a thought at all 

It turns out enterprises might have reason to fear cloud security, since a frightening 15% of respondents said that security is completely ignored in their organization's continuous development methods like DevOps and 46% said that security slowed down DevOps. The good news is that 31% of respondents said that security is fully integrated with DevOps.

In order to fully realize the benefits of the cloud, Schulze warns that built-for-cloud-security products must adhere to the DevOps process. At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...
