• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Cloud Computing   »   Do enterprises have right priorities for cloud security?

Do enterprises have right priorities for cloud security?

  • Posted on:June 26, 2014
  • Posted in:Cloud Computing, Current News, Industry News, Vulnerabilities & Exploits
  • Posted by:
    Trend Micro
0

Taking up cloud computing undoubtedly introduces new risks into the enterprise. Systems that were once under the complete control of the IT department are supplemented or replaced by infrastructure under the management of a third-party service provider.

Enterprises are still concerned about cloud security, especially data storage location
As such is it unsurprising that concern about cloud security persists as a foremost obstacle to remaking IT. When an enterprise is wary of public cloud computing services, security is typically a big reason why:

  • A 2014 Internap survey of organizations in healthcare, software, media and other industries found that, among the ones not exploring public cloud at the time, 40 percent cited security as an issue. Among actual users, though, security significantly trailed performance, compliance and scale.
  • A SecureData study from 2013 discovered widespread lack of trust in cloud security among IT managers. Seventy-eight percent of respondents stated that perceived security inadequacies were the top impediment to cloud adoption, leading 59 percent of them to be receptive to fully outsourced, managed cybersecurity solution services.
  • According to Lieberman Software's 2014 Cloud Security Survey, 80 percent of IT professionals keep some sensitive data on-premises due to worries about its safety were it stashed in the cloudthe safety of its location. A similar portion feared that applications in use among employees could jeopardize network security, and more than one-third cited surveillance as a deterrent to cloud uptake.

Ensuring cloud security is multifaceted. Stakeholders have to pay attention to whether data is encrypted or not, where it is stored (each nation may have its own applicable regulations), who takes responsibility for implementing the mechanisms that protect it and what happens if it is compromised in a breach.

Following last summer's revelations of the extent of the U.S. National Security Agency's surveillance programs, the cloud security conversation shifted to location. Enterprises became newly aware of the dangers of sending data to cloud infrastructure that could be under the watch of intelligence agencies.

Countries such as Brazil went so far as to propose siloed national Internet infrastructure that would bypass U.S. servers and theoretically block spying. But how well-grounded are such actions? Could organizations be focusing their energies on more pressing aspects of cloud security?

Fixation on where cloud data is stored may be counterproductive
One of the chief benefits of the cloud is the ability to obtain compute, storage and networking resources, or even fully-featured software solutions, via virtually any machine with an Internet connection. Naturally, enterprises have taken advantage of this perk by setting up remote teams or sharing materials with teams in other countries. Large companies such as The Weather Channel have at times turned to outsourced contractors that can provide experience and expertise at lower expense than in-house personnel.

However, such arrangements reveal possible inconsistencies in prevailing enterprise attitudes about cloud security. While organizations are concerned about where data is stored, they seem OK with making critical assets available to workers all over the world.

"The irony is that most of these organizations will be using outsourced development teams in India, who probably have access to live production instances and have access to all the data anyway," stated Don Smith, technical lead for Dell's EMEA information security outfit, according to ZDNet. "They're very happy for their data to be flowing to the US. They're mature about it … They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

In this way, focusing too intently on where data resides could take enterprises' eyes off the ball, causing them to overlook specific security features as they worry generally about surveillance. That's not to say that being concerned about data security and privacy is wrong, only that protecting information in the cloud requires more than just sending it to a server in Finland or Germany rather than one in the U.S. Enterprises also must look at:

  • Who owns the encryption keys, and where are they? This is the real location issue. Encryption is one of the most powerful security tools at companies' disposal, but key management is still a major operational hurdle. Ponemon Institute's 2013 Global Encryption Trends Study found that 30 percent of organizations rated the handling of keys and certificates as a nine or 10 on a scale of 1-10, with 10 being the most difficult.
  • While it's easy to be wary of government agencies, enterprises also have to be mindful of cloud service providers. Service-level agreements aren't always well-designed and may leave the provider too much wiggle room when it comes to security obligations and stewardship of data.
  • Software-as-service still accounts for the bulk of all cloud spending, with IDC projecting that the majority of all IT spending on cloud services in 2013 went toward SaaS. Going forward, the mix of SaaS, IaaS and PaaS is expected to remain mostly the same, and SaaS applications are also a big part of shadow IT (the use of cloud services not approved by the IT department). Companies have to consider mechanisms such as application gateways to keep tabs on traffic levels and risk profiles.

Are security concerns an excuse for not overhauling IT?
The cloud is no longer the exclusive domain of small startups that are looking to grow without having to manage their own infrastructure. Many of the world's largest banks, airlines and retailers are all heavily invested in the cloud, and in a way cloud computing is not that far a leap from the hosted services and colocation facilities that they have been utilizing for years.

Speaking at Light Reading's Big Telecom Event, Verizon Terremark CTO John Considine argued that cloud security concerns, while often legitimate, are nevertheless overused as excuses not to update and replace legacy IT systems. Enterprises may think that they have to take an all or nothing approach to cloud – which can seem risky – when in fact hybrid infrastructure is becoming increasingly common as a means of balancing on-premises and remotely hosted resources.

Security will always be a key consideration for anything that IT doesn't directly control. Still, the evolution of cloud computing gives enterprises more options than ever for ensuring that everything is in the right place and protected by the proper measures.

Related posts:

  1. Despite trepidation, cloud computing carries on within enterprises
  2. Report: Cloud computing security an advantage of SaaS
  3. Enterprises still lack confidence in cloud service providers’ security practices
  4. Report: SMB security spending priorities shifting toward cloud

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Detected Cyber Threats Rose 20% to Exceed 62.6 Billion in 2020
  • Trend Micro Recognized on CRN Security 100 List
  • Trend Micro Reports Solid Results for Q4 and Fiscal Year 2020
  • Connected Cars Technology Vulnerable to Cyber Attacks
  • Trend Micro Asks Students How Their Relationship to the Internet Has Changed During COVID-19
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.