Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:20 AM
Connect Directly

5 Reasons Enterprises Still Worry About Cloud Security

Cloud spending and adoption has been on the rise for years, but the gap in cloud security confidence still causes pause with enterprises.

The notion that the cloud is less secure than traditional networks and infrastructure is still a fear for many despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (survey was conducted from March – April 2016). 

The survey, which gathered responses from 2,200 professionals from the Information Security Community on LinkedIn, also found that over half (52%) of respondents believe that cloud apps are as secure or more secure than on-premises applications. 

That still leaves a big gap in cloud security confidence and the issue couldn't be more top of mind in today’s enterprise IT environment. According to the study, one of the major barriers to cloud adoption is the fear of data loss and leakage (49%). It’s not surprising that this is a deterrent; the news is littered with data breaches and those are just the ones being reported, says Holger Schulze, founder of the LinkedIn community and author of the Cloud Security 2016 Spotlight Report 

The cloud has been around since the late nineties (some would argue before), so why isn’t security there yet? Here are five reasons why enterprises still stresses about cloud security. 

1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up 

Cloud computing has seen Moore’s Law-style exponential growth over the last ten years or so and there seems to be no plateau in sight. World-wide spending on public cloud infrastructure -- hardware and software -- is expected to reach $38B this year and $173B by 2026, with Amazon holding the largest infrastructure as a service (IaaS) market share. Schulze believes we’re only seeing the tip of the iceberg and that Amazon as a cloud provider will be more dominant and influential than the likes of Microsoft, Apple, or any of the major tech giants. 

“Most [security] vendors were not surprised but overwhelmed by the rapid adoption of cloud and they may not have ramped up enough,” says Schulze. He also notes that cloud computing is just a whole lot more complex than traditional environments. The dynamic nature of clouds environments -- workloads moving from one data center to the next and sometimes in different time zones -- is difficult to secure. 

Schulze also believes that the government should play a role in helping the security industry along. “[The government should] mandate encryption and enforce penalties for companies that suffer data breaches,” he says. “I’d like to be optimistic, but this year we don’t see that trend [of security catching up to cloud innovation] shifting. Maybe next year,” he chuckles. 

2. IT still feels like they don’t have the proper tools to secure the cloud 

The survey found that 59% of respondents believe that traditional network security tools/appliances worked only somewhat or not at all. “Most of the security platforms and tools today…have not been built for the cloud,” says Schulze.  “They were designed for traditional IT environments, traditional data centers and networks hosted in a physical data center, in your data center” [and] security tools were designed around that static environment. 

“It turns out, not surprisingly, that these security tools do not work at all in the cloud,” says Schulze, which, unlike traditional environments are not static but highly virtualized and dynamic. “It’s completely putting on its head the traditional network model.” he says. 

3. Storing and accessing data in the cloud could be a lawsuit waiting to happen 

The benefits of the cloud abound, but companies are realizing that it can be a liability to host data there and it causes pause for those that haven’t taken the migration plunge. According to the survey, legal and regulatory compliance fears moved from the No. 7 concern in 2015 to No. 4 in 2016 (42%, up from 29%). 

Schulze attributes the rise to organizations’ decisions to store and access more types of data in the cloud. “Cloud computing has been a pilot project…companies dipped their toes in the water” with non-strategic data, he says. But as companies have seen the benefits of cloud: cost, speed, agility… "they’re moving more business critical apps and data into the cloud and that whole notion of compliance is kicking in."

Healthcare providers, for example, Schulze says, are putting patient data in the cloud and enterprise customer data is also increasingy moving to the cloud. As a result, he says, companies need to lock down compliance loopholes -- even in environments where they don’t have control and trust the cloud partner to be the “custodian of their data.” 

4. Lack of visibility and the fear of letting go 

The natural fear of losing control over the data center and the feeling that IT lacks visibility into their cloud security is also a top concern for current and prospective cloud adopters, survey respondents said.  Nineteen percent of respondents cited a lack of data visibility and transparency as a top cloud security concern. Visibility into the security infrastructure ranked the second highest (49%) after verifying security policies (51%). 

Schulze also pointed to respondents' fear of not having control over data if it’s hosted in a public cloud. “If they’ve been breached they might not see it,” he explains, noting that over half of respondents indicated that they do not believe their cloud environment has been breached and over half also believe that the cloud is more secure.

5. Security is still an afterthought, or not a thought at all 

It turns out enterprises might have reason to fear cloud security since a frightening 15% of respondents said that security is completely ignored in their organization's continuous development methods like DevOps and 46% said that security slowed down DevOps. The good news is that 31% of respondents said that security is fully integrated in with DevOps.

In order to fully realize the benefits of the cloud, Schulze warns that built-for-cloud-security products must adhere to the DevOps process. At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data. 

Related Content: 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly.
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment term...
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the opt...
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its ...