Cloud computing and cyber security always seem to be at loggerheads. Since security is closely associated with tight control of applications and data (e.g., through local security software or a deep discovery platform for network traffic monitoring), the cloud comes off as a natural adversary, one that transfers some degree of control over infrastructure, computing platforms and software to a cloud service provider. Accordingly, the integrity of cloud-based applications and services comes to depend upon not only the buying choices and vigilance of their users, but also the practices of their providers.
The risks of treating cloud security as an add-on or part of the fine print
A few years ago, research firm Gartner found that many cloud service level agreements left much to be desired in terms of their language on cyber security responsibilities. The problem was particularly evident in contracts for software-as-a-service solutions. Gartner's researchers predicted that more than 80 percent of IT procurement professionals at SaaS customers would remain dissatisfied with their cloud service providers' SLA security provisions through 2015.
Relegating cloud security to the fine print and treating it as a secondary matter is no longer acceptable, given enterprises' growing dependence on cloud services and the risk of data breaches. However, the Gartner analysts' 2013 prediction seems to have largely come true, as many enterprises still do not trust their CSPs to resolve security issues or to be transparent about what they are doing to mitigate common risks.
A study from FireHost and Ovum underscored the ongoing issues with cloud security relationships. The report revealed that:
- More than 90 percent of enterprises around the world have security concerns with how their CSPs manage shared cloud infrastructure.
- Roughly the same number worried about where data was stored, an increasingly important issue in light of the scope of worldwide government surveillance and applicable laws in individual countries.
- Ninety-one percent of companies have reservations about the level of visibility that their CSPs provide into what security controls, such as cloud data encryption, they are employing.
"For too long, businesses have made assumptions about the security of their cloud service providers," stated Eleri Gibbon, FireHost vice president for Europe, the Middle East and Africa. "In the instance of a data breach, the client suffers the consequences. That doesn't sit right with me – after all, if your house falls down unexpectedly, you'd expect people to ask questions about how it was built in the first place."
Another cause for concern over these findings is the relative cyber security capability of CSPs versus their customers. CSPs theoretically have the financial and technical wherewithal to tightly enforce security policies, roll out automatic updates and patches, and monitor their networks 24/7. In fact, these capabilities are often the foundation for arguments that the cloud is, if anything, more secure than managing all infrastructure, platforms and software entirely in-house.
However, let's say that the respondents to the FireHost and Ovum survey are correct to doubt their CSPs' cyber security chops. What recourse do cloud customers then have if their providers cannot fully protect them from cyber attacks or the resulting liability?
Enterprises need help in addressing cloud-based threats
A separate 2015 study from Informatica and the Ponemon Institute, "The State of Data Security Intelligence in 2015," provided some clues. Sixty percent of the survey's 1,663 respondents reported that they did not feel confident in their abilities to proactively respond to cloud-based threats affecting sensitive data. Similarly, only one-fifth of them thought that they could detect a data breach in time.
It is increasingly apparent that many of the organizations now dependent on the cloud are concerned about their new security positions, as well as what they, and especially their CSPs, can do to prevent breaches of cloud-stored data. According to the Informatica and Ponemon study, half of IT security professionals do not know the extent of their risk exposure, while 55 percent of organizations reported that they had suffered a data breach within the past 12 months.
For a sizable chunk of corporate data in the cloud and on-premises, companies cannot even determine if it is in danger. The study found that up to 80 percent of cloud-stored assets and 54 percent of locally stored ones may be at risk. Moreover, the number one response to the survey question "What still keeps you up at night?" was "Not knowing where sensitive data resides."
Some of these anxieties are certainly attributable to vague SLAs and immature relationships with CSPs. At the same time, migrating to a private, hybrid or public cloud is a significant undertaking, before even factoring in security requirements. Many enterprises need help in making adjustments to their infrastructure, applications and overall company cultures as they transform their IT operations, meaning that security can potentially get lost in the shuffle.
These issues, from SLAs to cloud transitions, deserve deep attention in the years ahead, considering how quickly the cloud market is growing. IDC has projected that worldwide spending on public cloud alone will reach $21 billion this year, with private cloud topping $12 billion. Both figures are up significantly from 2014.
To stay safe as the cloud becomes a fixture of IT, enterprises will need layered protection from advanced persistent threats and other sophisticated attack vectors. Beyond that, they will need to perform due diligence on any cloud service provider they work with to ensure that security responsibilities and precautions are clearly spelled out.