Cloud security can be difficult to get right. On top of the basic risk of relinquishing control over computing, storage and network resources (not to mention the information they process), enterprises must deal with providers that make insufficient provisions for data integrity, confidentiality and backup. Service-level agreements have become infamous for their lack of transparency, which can leave it unclear who bears responsibility for what.
Cloud providers under pressure to step up their security practices
Last year, Gartner projected that 80 percent of IT professionals would be dissatisfied with software-as-a-service contract language through 2015. The sticking point? Minimal commitment to security services from SaaS vendors, resulting in high risk for customers in the event of a data breach. In the past, infrastructure-as-a-service SLAs from companies such as HP and Amazon have also left much to be desired in terms of compensating customers for outages and other disruptions.
While there are signs that public cloud is gradually becoming safer to use – through measures such as tight integration with internal systems via APIs and open source software, a trend best seen in the vast ecosystem surrounding Amazon Web Services – its providers are first and foremost businesses that deal in convenience. Similarly, uptake has been driven by the desire to reduce costs and simplify IT infrastructure management, rather than by any belief that moving IT off-premises will somehow improve security posture.
Against this backdrop, cloud security services from third parties are set to thrive. Gartner estimated that they would bring in $4 billion in revenue by 2016, nearly double the total for 2013. In its Blurring Boundaries report for 2014, Trend Micro analysts predicted that rising pressure on cloud providers would encourage partnerships with security companies.
"[C]loud service providers will have to continue showing security controls and data privacy protection," the authors wrote. "We will see more of them team up with third-party security companies to ensure data protection and privacy. This will give rise to the bring-your-own-controls trend, which will allow customers to make sure data is segmented, protected and unreadable to unauthorized parties."
Still, securing sensitive data is easier said than done, especially when it lives within someone else's infrastructure. The emergence of hybrid cloud – a mix of on-premises and remotely hosted resources – as the dominant deployment model further complicates the task for enterprises, since their clouds span different environments. Stakeholders have to know the responsibilities of each party, as well as the applications and limitations of specific endpoint security tools in cloud computing contexts.
Concerns about data protection fuel market for cloud security startups and services
Security has long been an inhibitor to cloud adoption. Recent incidents have borne out these concerns and illustrated some of the specific pitfalls of storing data in an infrastructure that is relatively easy to attack:
- In 2013, a breach of database and cloud provider MongoHQ exposed the social media and AWS accounts of its customers. Companies like MongoHQ are enticing targets because they have so much data under their control.
- Adobe recently rebranded its Creative Suite as Creative Cloud and shifted from perpetual licensing to a cloud-based delivery model. The increasing centralization of customer data culminated in a breach that may have leaked Photoshop source code and affected 38 million users.
- While not usually discussed in conversations about cloud security, the landmark Target breach in winter 2013 involved the compromise of cloud-stored data via theft and exploitation of an HVAC vendor's remote access credentials.
With businesses often scrambling to shore up defenses only after the fact, both third-party firms and cloud providers, as Trend Micro's report predicted, are looking to improve cloud security practices. Companies such as Rackspace and Datapipe have been part of the RSA Alert Logic pavilion, while startups are emerging to provide strong authentication and end-to-end data encryption. An October 2013 Infonetics research report pegged the total cloud security services market at $3.2 billion and estimated that it could triple in size by 2017.
Cutting-edge cloud security solutions are critical as companies venture into new territory with their cloud implementations. Endpoint security tools that were a perfect fit for legacy systems may not scale for cloud architectures that continually introduce fresh policies and rely on automated machine-to-machine communication.
The persistence of on-premises IT – IDC has found that more than 60 percent of enterprise data may never reside in the cloud – as well as its role in hybrid cloud necessitates a blend of traditional and new-age tools. Ultimately, it is key for enterprises to know which solution is right for each environment and to collaborate with proven cloud and security organizations to ensure comprehensive data protection.
Evaluating potential security partners and setting expectations for specific cloud service models
How can enterprises determine whether security vendors and cloud providers are up to this task? Certainly, attentiveness during the SLA review is important, but they also have to dig deeper and look for:
- Scalable security solutions that span physical, virtual and cloud environments: Enterprises aren't ripping up all old systems as they move to the cloud. Today's IT setups are more complex than ever and require vendor security tools capable of centralized policy management, integration with leading cloud ecosystems and automated enforcement. Strictly on-premises measures no longer scale well enough to meet these requirements.
- Transparency in security track records and methodologies: Does the cloud provider offer amenities such as sample audit reports, details about its security practices and test accounts, which enable enterprises to kick the tires before purchasing?
- Dedicated security staff: A growing number of providers have employees solely committed to cybersecurity, but buyers may need to take additional steps, depending on the particular details of their cloud implementations. For example, enlisting a security services vendor can help manage a complex hybrid cloud.
Moreover, the responsibilities of enterprises vary by context and service model. With SaaS, the provider is usually assumed to have security on its plate, while with IaaS and platform-as-a-service, the customer plays a larger role. Each organization's situation will dictate what sort of due diligence it will need to perform.