Cloud security has been perceived as the main issue of Cloud ever since the cloud first became a reality for enterprises. And despite many efforts to protect cloud services against data breaches and other attacks, recent research shows that much uncertainty, concern and turbulence remain when it comes to ensuring that data in the cloud is secure.
For instance, an April 2016 survey of 1,200 IT decision makers worldwide conducted by Vanson Bourne for Intel Security showed that, while 77% of those surveyed said their organizations trust cloud computing more than a year ago, just 13% completely trust public cloud providers to secure sensitive data.
The findings highlight that improved trust and security are critical to encouraging continued adoption of the cloud, the researchers note. The survey also showed that most organizations plan to invest in cloud services such as infrastructure-as-a-service, security-as-a-service, platform-as-a-service and software-as-a-service.
Some 72% of respondents cite compliance as the primary concern across all types of cloud deployments, and only 13% said they know whether their organizations stored sensitive data in the cloud.
More than one in five respondents said their main concern around using software-as-a-service is having a data security incident, and data breaches were a top concern for infrastructure-as-a-service and private clouds.
High-profile data breaches with major financial and reputational consequences have made data security a top-of-mind concern for C-level executives, the report notes. But many respondents feel there is still a need for more education and increased awareness and understanding of risks associated with storing sensitive data in the cloud. Only 34% think senior management in their organization fully understands the security implications of the cloud.
Investment in cloud security varies in priorities across the different types of cloud deployment, the study says, with the top security technologies leveraged by respondents being email protection (43%), Web protection (41%), anti-malware (38%), firewall (37%), encryption and key management (34%) and data loss prevention (31%).
“The cloud is the future for businesses, governments and consumers,” noted Jim Reavis, CEO of the Cloud Security Alliance, an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. “Security vendors and cloud providers must arm customers with education and tools, and cultivate strong relationships built on trust, in order to continue the adoption of cloud computing platforms. Only then can we completely benefit from the advantages of the cloud.”
Cloud providers can reach critical mass to allow them to invest in cloud security and stay at the top of threats developing at high pace lately, and they can do it fast and better than many small and medium companies can do it. This is valid not only in terms of acquiring and deploying the latest technologies and solutions, but also in terms of hiring the right security experts on a market where there is a shortage of personnel.
A May 2016 report from analysis firm Enterprise Management Associates (EMA) commissioned by enterprise cloud hosting provider iland showed companies now consider cloud security to be superior to on-premises environments, “but often expose themselves to risk by blindly relying on a glut of technology they are unable to actively manage.”
Based on insights from 100 IT decision makers and security experts who leverage cloud infrastructure and/or disaster-recovery-as-a-service in North America, 48% more security technologies are deployed in the cloud than on premises. But 47% of security personnel “simply trust” their cloud providers meet security agreements, without further verification.
A huge majority (91%) of respondents reported they need cloud providers to help with security integration, reporting and/or leveraging analytics.
Efforts to help ensure cloud security sometimes face big challenges.
According to a recent report by MeriTalk, a public-private partnership focused on improving the outcomes of government IT, 79% of federal cloud decision makers are frustrated with the Federal Risk and Authorization Management Program (FedRAMP), a risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services.
The report, FedRAMP Fault Lines,” based on an online survey of 150 federal IT cloud decision makers in April 2016, also finds that the cloud decision makers are frustrated with the lack of transparency into the FedRAMP process and unsatisfied with its efforts to increase security. Some 55% think FedRAMP has not increased security and 59% would consider implementing a non-FedRAMP-compliant cloud. Nearly one in five surveyed (17%) report FedRAMP compliance does not factor into their cloud decisions.
With “cracks in the FedRAMP foundation,” decision makers remain uncertain about the process, the study says, with some ignoring the program entirely even though it is mandatory for federal agency cloud deployments and service models at the low and moderate risk impact levels.
Despite the General Service Administration’s (GSA) push to fix the process, 41% of the decision makers are unfamiliar with the agency’s plans to remedy FedRAMP.
For government to capitalize on the promise of cloud, agencies need to embrace FedRAMP, the report says. It makes several recommendations to improve the process: Eliminate confusion by improving guidance and expanding training; encourage sharing by simplifying the process and eliminating duplicate efforts with a clearing house; and promote progress by increasing transparency around security improvements, timeline accelerations, and actions taken to restore the program.
In addition to local and federal agencies, small and medium companies can also benefit from the development of security-as-a-service offering by cloud providers. As the market develops, more and more organizations will understand better the standards that are implemented and relay more on their cloud providers for security services – this is a market opportunity which providers of security technologies and solutions should not underestimate.