Dark Reading is part of the Informa Tech Division of Informa PLC


11:20 AM

5 Reasons Enterprises Still Worry About Cloud Security

Cloud spending and adoption have been on the rise for years, but the gap in cloud security confidence still gives enterprises pause.

The notion that the cloud is less secure than traditional networks and infrastructure still worries many, despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (the survey was conducted from March to April 2016).

The survey, which gathered responses from 2,200 professionals from the Information Security Community on LinkedIn, also found that over half (52%) of respondents believe that cloud apps are as secure or more secure than on-premises applications. 

That still leaves a big gap in cloud security confidence, and the issue couldn't be more top of mind in today’s enterprise IT environment. According to the study, one of the major barriers to cloud adoption is the fear of data loss and leakage (49%). It’s not surprising that this is a deterrent; the news is littered with data breaches and those are just the ones being reported, says Holger Schulze, founder of the LinkedIn community and author of the Cloud Security 2016 Spotlight Report.

The cloud has been around since the late nineties (some would argue before), so why isn’t security there yet? Here are five reasons why enterprises still stress about cloud security.

1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up 

Cloud computing has seen Moore’s Law-style exponential growth over the last ten years or so and there seems to be no plateau in sight. Worldwide spending on public cloud infrastructure -- hardware and software -- is expected to reach $38B this year and $173B by 2026, with Amazon holding the largest infrastructure as a service (IaaS) market share. Schulze believes we’re only seeing the tip of the iceberg and that Amazon as a cloud provider will be more dominant and influential than the likes of Microsoft, Apple, or any of the major tech giants.

“Most [security] vendors were not surprised but overwhelmed by the rapid adoption of cloud and they may not have ramped up enough,” says Schulze. He also notes that cloud computing is just a whole lot more complex than traditional environments. The dynamic nature of cloud environments -- workloads moving from one data center to the next and sometimes in different time zones -- is difficult to secure.

Schulze also believes that the government should play a role in helping the security industry along. “[The government should] mandate encryption and enforce penalties for companies that suffer data breaches,” he says. “I’d like to be optimistic, but this year we don’t see that trend [of security catching up to cloud innovation] shifting. Maybe next year,” he chuckles. 

2. IT still feels like they don’t have the proper tools to secure the cloud 

The survey found that 59% of respondents believe that traditional network security tools/appliances worked only somewhat or not at all. “Most of the security platforms and tools today…have not been built for the cloud,” says Schulze. “They were designed for traditional IT environments, traditional data centers and networks hosted in a physical data center, in your data center [and] security tools were designed around that static environment.”

“It turns out, not surprisingly, that these security tools do not work at all in the cloud,” says Schulze. Cloud environments, unlike traditional ones, are not static but highly virtualized and dynamic. “It’s completely putting on its head the traditional network model,” he says.

3. Storing and accessing data in the cloud could be a lawsuit waiting to happen 

The benefits of the cloud abound, but companies are realizing that hosting data there can be a liability, and that gives pause to those that haven’t taken the migration plunge. According to the survey, legal and regulatory compliance fears moved from the No. 7 concern in 2015 to No. 4 in 2016 (42%, up from 29%).

Schulze attributes the rise to organizations’ decisions to store and access more types of data in the cloud. “Cloud computing has been a pilot project…companies dipped their toes in the water” with non-strategic data, he says. But as companies have seen the benefits of cloud (cost, speed, agility…), “they’re moving more business critical apps and data into the cloud and that whole notion of compliance is kicking in.”

Healthcare providers, for example, Schulze says, are putting patient data in the cloud and enterprise customer data is also increasingly moving to the cloud. As a result, he says, companies need to lock down compliance loopholes -- even in environments where they don’t have control and trust the cloud partner to be the “custodian of their data.”

4. Lack of visibility and the fear of letting go 

The natural fear of losing control over the data center and the feeling that IT lacks visibility into its cloud security are also top concerns for current and prospective cloud adopters, survey respondents said. Nineteen percent of respondents cited a lack of data visibility and transparency as a top cloud security concern. Visibility into the security infrastructure ranked the second highest (49%) after verifying security policies (51%).

Schulze also pointed to respondents' fear of not having control over data if it’s hosted in a public cloud. “If they’ve been breached they might not see it,” he explains, noting that over half of respondents indicated that they do not believe their cloud environment has been breached and over half also believe that the cloud is more secure.

5. Security is still an afterthought, or not a thought at all 

It turns out enterprises might have reason to fear cloud security, since a frightening 15% of respondents said that security is completely ignored in their organization's continuous development methods like DevOps and 46% said that security slowed down DevOps. The good news is that 31% of respondents said that security is fully integrated with DevOps.

In order to fully realize the benefits of the cloud, Schulze warns that built-for-cloud-security products must adhere to the DevOps process. At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...
