Security is always listed as one of the major sticking points when companies consider moving to the cloud, but many c-suite executives are light on the detail when asked to explain specific concerns. CIO, in association with Microsoft, interviewed a range of cloud security experts to get a view from the market of the security issues that are top of mind, and how they affect their business’s transition to the cloud.
“Cloud is a topic that still divides opinion, with the fear factors of security, data control, privacy and contractual exit strategies continuing to be tempered by the virtues of cost savings, availability, speed to market and innovation,” said Christian McMahon, CIO at three25 and Technology advisor to the European Commission.
“Even with the cloud market rapidly maturing, costs falling, security and services improving, the nagging doubt of security still lingers for many as a barrier to adoption.”
Paul Miller, from business consultancy Cloud of Data, says that while the issue should rightly be top of mind for organizations embarking on a cloud strategy, too often focusing on broad security fears becomes the default position and can become a destructive force.
“Asked 'are you concerned about the security of your cloud-based workloads’, almost everyone will answer 'yes', and so they should,” said Miller. “But that gets misinterpreted to suggest that we think the cloud is inherently insecure. It isn't.”
Dale Vile, Research Director at IT analyst firm Freeform Dynamics, said that many executives’ fears stem from uncertainty or emotion. “They worry about their data being stored together with everyone else’s, and fret over what they see as a loss of control over their information assets. Mixed up in all this are issues of trust - they are often concerned that the provider will abuse their data, especially when it comes to public cloud. When you press them, however, people with less experience often struggle to articulate their concerns in a meaningful way. What often comes across is a general fear of the unknown.”
TOP CLOUD SECURITY MYTHS
So what are the cloud security myths that are keeping CIOs up at night?
“One argument to avoid using cloud services is that there’s better security in their own data centre – or to say that the cloud is not secure enough,” said Rene Buest, Senior Analyst and Cloud Practice Lead at Crisp Research.
“This is basically the biggest myth in cloud. Public cloud providers offer better security than a small business or even a big enterprise is able to achieve. This is due to the investments that cloud providers are making to build and maintain their cloud infrastructure. In addition, they employ staff with the right mix of skills and have created appropriate organizational structures. For this reason, they are annually investing billions of US dollars. There are only few companies outside of the IT industry that are able to achieve the same level of IT security.”
McMahon asked whether certain vendors could do a better job at educating customers, and asked whether the cloud security “myth” could be the result of cloud vendors “not addressing security properly in their marketing and pre-sales”. He added that it’s just as likely related to an inherent doubt by organizations of relinquishing control.
However, McMahon said security may just been too easy a target to shoot at. “Are your internally hosted systems as secure as those hosted in the cloud?” he asked.
“A lot of the ongoing cloud security concerns are to a large extent unmerited – data leakage, internal fraud and so on are just as bad if not worse in on-premises environments. Traditional enterprises are just as likely to leave a laptop on a train with a million customer details on them as any cloud company.”
THE REAL CLOUD SECURITY RISKS
So, setting commonly held cloud security myths aside, what risks should organisations be aware of?
“The real question - and the one that most respondents are answering in their heads - is 'do you need to be constantly vigilant, to ensure that your IT is as secure as it can be?” said Cloud of Data’s Miller. ”That's true, whether you're in the cloud, in a co-location facility, or in your own data centre. Security is - and should be - a 'concern’.”
However, he added that security “shouldn't be an excuse not to try something. And it's very rarely a valid reason not to use the cloud”.
Greg Ferro, a UK-based freelance Network Architect and Engineer, said the first concern is the lack of security visibility into cloud infrastructures.
“It is not possible or practical to validate cloud vendors and claims of increased security,” said Ferro. “While the very large cloud providers may be able to secure their own services, the claims of mid-tier providers are far more dubious.
“At a technology level, operational security in the cloud represents a disruptive transition in focus. Cloud providers should be securing infrastructure such as servers, hypervisors and basic networking and removing these costs from security compliance,” he added. “But services hosted with a cloud provider are a honeypot for attackers and at greater threat in these shared environments. Therefore, security must develop process around threat analytics & detection, data exfiltration and loss and dramatically improve their approach to application security.”
CONTROLLING DATA IN THE CLOUD
Dave Whitelegg, a UK-based Information Security Expert, believes data confidentiality and trust are the primary business concerns.
“Most cloud service providers literally hold the encryption keys to cloud-stored business data, even if we trust them to not abuse their privileged access to the our data, we can never be certain that US-owned cloud service providers companies are not providing covert access to US agencies thanks the Patriot Act, no matter where our data is located in the physical world.”
“It is all about data,” agreed Tarry Singh, Managing Consultant at PA Consulting Group. “For instance, in banking institutions we had security documents that had to be totally re-written when an on-premise data centre changed from physical to virtual
“Now with public and hybrid cloud solutions being offered in the market, customers are increasingly looking at where their data is going and what happens to it when it crosses borders. For instance, in Europe, the Data Protection Directive (EUDPD) is constantly being reviewed. When your data passes from The Netherlands to Germany to Brussels and back to Netherlands, it would have essentially changed.”
Singh said most customers aren't aware of this when they move their applications and infrastructure to the cloud.
Buest agreed that keeping on top of data regulations had become a clear priority for executives. “CIOs typically have to follow company driven governance policies as well as to fulfil several compliance and legal regulations. Since they are moving this out of their direct control level by using one or more cloud providers the concerns are raising.”
Singh said that while there is no easy solution to this regulatory environment, CIOs must work to understand the quality of data by doing rigorous hunting and validation. “This can give tremendous insights to clients about the value of their data and they could then potentially classify data in categories depending on level of sensitivity that comes with it,” he said. “Customers must develop capabilities to look beyond applications and infrastructures and get more scientific about understanding their data.”
Whitelegg added that there is simple yet overlooked answer to cloud confidentially. “The business holds the key to the data, by encrypting the data ‘business side’ before placing it in the cloud, we don’t need to worry about trusting any cloud service provider and their ‘third parties’ to maintain our data confidentiality.”
Taking the technology and data out of the equation, could the weak point in cloud security be a factor that’s sometimes the most difficult to control… the end user?
Jonny Bentwood, Chief Innovation Officer at market research firm Edelman Berland, said one of his biggest security fears was “the addition of multiple additional cloud services brought in my users and applications to help service our needs”.
“Many new cloud applications are insecure and are used by individuals without it being part of regulated IT system,” he added.
Dale Vile agreed. “This leads us onto probably one of the biggest security concerns across the board, which is unilateral cloud adoption by users who don’t know what they don’t know. Our research tells us that IT is not always involved in the cloud adoption cycle, which is sometimes driven by business units or even individual users.
“The specific concerns here are twofold: firstly whether the services adopted are inherently fit with your enterprise requirements, and secondly whether non-technical staff driving adoption are actually using the security features in the service appropriately.”
MAKING THE TRANSITION
So how does the market tackle these fears and make the move to the cloud?
“At a technology level, operational security in the cloud represents a disruptive transition in focus,” said Ferro. “Cloud providers should be securing infrastructure such as servers, hypervisors and basic networking and removing these costs from security compliance. But services hosted with a cloud provider are a honeypot for attackers and at greater threat in these shared environments. Therefore, security must develop process around threat analytics and detection, data exfiltration and loss and dramatically improve their approach to application security.”
“The bottom line is that we need to improve security on premise, and off, moving forward,” said Governor. “That means better information management, and more management centralisation; with the cloud you can roll out a patch to 100 per cent of customers pretty much immediately. With traditional downloaded software it’s very difficult to retrofit security patches.”