The notion that the cloud is less secure than traditional networks and infrastructure is still a fear for many despite a recent survey that found that 55% of respondents had not experienced a cloud-related security incident in the last 12 months (survey was conducted from March – April 2016).
The survey, which gathered responses from 2,200 professionals from the Information Security Community on LinkedIn, also found that over half (52%) of respondents believe that cloud apps are as secure or more secure than on-premises applications.
That still leaves a big gap in cloud security confidence and the issue couldn't be more top of mind in today’s enterprise IT environment. According to the study, one of the major barriers to cloud adoption is the fear of data loss and leakage (49%). It’s not surprising that this is a deterrent; the news is littered with data breaches and those are just the ones being reported, says Holger Schulze, founder of the LinkedIn community and author of the Cloud Security 2016 Spotlight Report
The cloud has been around since the late nineties (some would argue before), so why isn’t security there yet? Here are five reasons why enterprises still stresses about cloud security.
1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up
Cloud computing has seen Moore’s Law-style exponential growth over the last ten years or so and there seems to be no plateau in sight. World-wide spending on public cloud infrastructure -- hardware and software -- is expected to reach $38B this year and $173B by 2026, with Amazon holding the largest infrastructure as a service (IaaS) market share. Schulze believes we’re only seeing the tip of the iceberg and that Amazon as a cloud provider will be more dominant and influential than the likes of Microsoft, Apple, or any of the major tech giants.
“Most [security] vendors were not surprised but overwhelmed by the rapid adoption of cloud and they may not have ramped up enough,” says Schulze. He also notes that cloud computing is just a whole lot more complex than traditional environments. The dynamic nature of clouds environments -- workloads moving from one data center to the next and sometimes in different time zones -- is difficult to secure.
Schulze also believes that the government should play a role in helping the security industry along. “[The government should] mandate encryption and enforce penalties for companies that suffer data breaches,” he says. “I’d like to be optimistic, but this year we don’t see that trend [of security catching up to cloud innovation] shifting. Maybe next year,” he chuckles.
2. IT still feels like they don’t have the proper tools to secure the cloud
The survey found that 59% of respondents believe that traditional network security tools/appliances worked only somewhat or not at all. “Most of the security platforms and tools today…have not been built for the cloud,” says Schulze. “They were designed for traditional IT environments, traditional data centers and networks hosted in a physical data center, in your data center” [and] security tools were designed around that static environment.
“It turns out, not surprisingly, that these security tools do not work at all in the cloud,” says Schulze, which, unlike traditional environments are not static but highly virtualized and dynamic. “It’s completely putting on its head the traditional network model.” he says.
3. Storing and accessing data in the cloud could be a lawsuit waiting to happen
The benefits of the cloud abound, but companies are realizing that it can be a liability to host data there and it causes pause for those that haven’t taken the migration plunge. According to the survey, legal and regulatory compliance fears moved from the No. 7 concern in 2015 to No. 4 in 2016 (42%, up from 29%).
Schulze attributes the rise to organizations’ decisions to store and access more types of data in the cloud. “Cloud computing has been a pilot project…companies dipped their toes in the water” with non-strategic data, he says. But as companies have seen the benefits of cloud: cost, speed, agility… "they’re moving more business critical apps and data into the cloud and that whole notion of compliance is kicking in."
Healthcare providers, for example, Schulze says, are putting patient data in the cloud and enterprise customer data is also increasingy moving to the cloud. As a result, he says, companies need to lock down compliance loopholes -- even in environments where they don’t have control and trust the cloud partner to be the “custodian of their data.”
4. Lack of visibility and the fear of letting go
The natural fear of losing control over the data center and the feeling that IT lacks visibility into their cloud security is also a top concern for current and prospective cloud adopters, survey respondents said. Nineteen percent of respondents cited a lack of data visibility and transparency as a top cloud security concern. Visibility into the security infrastructure ranked the second highest (49%) after verifying security policies (51%).
Schulze also pointed to respondents' fear of not having control over data if it’s hosted in a public cloud. “If they’ve been breached they might not see it,” he explains, noting that over half of respondents indicated that they do not believe their cloud environment has been breached and over half also believe that the cloud is more secure.
5. Security is still an afterthought, or not a thought at all
It turns out enterprises might have reason to fear cloud security since a frightening 15% of respondents said that security is completely ignored in their organization's continuous development methods like DevOps and 46% said that security slowed down DevOps. The good news is that 31% of respondents said that security is fully integrated in with DevOps.
In order to fully realize the benefits of the cloud, Schulze warns that built-for-cloud-security products must adhere to the DevOps process. At the end of the day, he says, it’s about employing the right people who understand the technology and know how to protect the company’s data.