Cloud computing can generate mixed feelings. Corporate leaders generally welcome technologies that produce efficiency, agility and speed. Cloud services deliver those benefits, yet many are concerned about security, even while being often uninformed about how widely the cloud is used within their own businesses.\nExecutives of large companies, for instance, tell us that they are holding back on the cloud because of security concerns. But when our professional services teams engage with them, we generate log files and find evidence of large numbers of cloud services the company\u2019s employees are using every day.\nIt is easy to understand the disconnect. Consider a simple example: a director of HR, tasked with filling several critical positions as quickly and confidentially as possible, turns to a low-cost SaaS recruiting tool. Job descriptions, resumes, cover letters, job offers and other documents are shared and possibly uploaded to a third-party server. Soon enough, candidates arrive for interviews. Mission accomplished, thanks to an efficient cloud-based business tool, with the C-suite never needing to know all the details.\nYet sensitive corporate and personal information was involved. How would a data breach have impacted the prospective hires, the confidentiality of the work, or the company\u2019s reputation?\u00a0\nCloud vs. on-premises security\nThat is a fairly simplistic example, involving small amounts of data and limited risk. As we have discovered at many customer sites, however, these kinds of cases are replicated many times, and at large scale. Use of these cloud-based systems and platforms without explicit organizational approval, also known as shadow IT, is widespread. While it can help employees and departments solve pressing problems, it poses real risks of its own.\nEven with cloud services and infrastructure that have been fully vetted, the question remains: Are cloud solutions as secure as solutions hosted on an organization\u2019s own premises? The industry appears to be split on an answer.\nEach side has proof points. Cloud skeptics can point back to the hack of a high-profile online storage firm or the fatal DDoS attack on a hosting company. Cloud proponents may recall the attack on the point-of-sale (POS) network of a large retailer and the hack of one of the largest U.S. health insurance providers. There is no definitive score on the total number of compromised accounts in cloud vs. on-premises networks.\nAdvantage: Cloud\nThat said, we believe the cloud is winning. According to our latest Global Threat Intelligence Report, recent large data breaches have overwhelmingly involved local or on-premises systems. It is not surprising why. The investments pouring into cloud security are massive, giving most cloud vendors more advanced security processes than those found at non-cloud based enterprises. After all, security is core to their business case.\nThe issue, in practice, may come down less to technology than issues of human instinct and trust. Several years ago, NTT Com commissioned the technology market research firm Vanson Bourne to conduct a global study into the attitudes toward cloud and decision-making criteria when making infrastructure deployment choices. As a result of 700 interviews across five world regions, the researchers found that organizations fall into one of five cloud persona groups: Controllers, Accepters, Experimenters, Believers and Embracers.\nOne key conclusion of the study is that those with a longer-term history of working with the cloud are happier with the idea. Likewise, those who have only just begun using the cloud are skeptical but likely to become more confident over time. The Embracers, for instance, have worked through issues and seen how vendors have addressed concerns by embedding security and compliance services within their products and services.\nMomentum is a powerful advantage. Whether through shadow IT or a more deliberate strategy, or both, companies across the board are yielding to the idea of logging onto a portal and using a dynamic cloud service.\nStrategy and policy\nWhatever one\u2019s attitude, security still requires active engagement. Moreover, when thinking about implementing cloud security, organizations are not typically starting from scratch, but rather building upon policies and practices already in place.\nAs a first step to any strategy, companies should understand their own data and any associated risks. For instance, a retailer that needs to be Payment Card Industry (PCI)-compliant must encrypt credit card information. Then it should determine which parts of the organization will be collecting that information and which parts will not. Every company has its own data profile, security objectives and workflows.\nIf businesses already have guidelines or service definitions in place, it is a good idea to maintain them for the cloud to avoid frustrating internal users. Integrating a cloud-based policy into an existing IT security framework, however, may involve retraining and possibly enhancing the risk management process. Higher risk tends to be associated with larger volumes of data, and security requirements, such as encryption, should be based on the risk level.\nThe high stakes\nApart from policy, a company needs the controls that actually implement cloud security. The knowledge is commonly available, if not universally applied. In an NTT webinar last year, Director of Consulting Patrick Schraut offered a useful overview of available options. \nSchraut\u2019s mix of recommended controls included assessing the vendor, generating keys in-house, encrypting browser inputs and other communication, managing user access and securing hypervisors, to name a few. In the end, by implementing a full suite of multi-layered controls, an organization can execute a comprehensive security strategy and operate in the cloud with confidence.\nThe stakes, however, remain high. It is for good reason that these measures and countermeasures are often described in terms of cyberwarfare. In that context, where scale and resources matter, being allied with NTT is a decided strategic advantage. Staffed by more than 1,500 security specialists, architects and engineers, NTT\u2019s security division has 10 security operations centers (SOCs), and 40 percent of global Internet traffic uses its Global Threat Intelligence Platform (GTIP), which detects and defends against 6.2 billion attacks and analyzes more than 3.5 trillion logs annually.\nCybersecurity is also characterized by a kind of arms-race or spy-versus-spy dynamic. One battle on the horizon that has experts concerned will involve the fate of existing encryption techniques when quantum computing becomes commonly available.\nWhether defending against exploit kits, malware, brute forcing, DDoS or other attacks of today, or anticipating the post-quantum cryptographic fights of tomorrow, organizations promoting trust, transparency and security do well to align with the top brains in the security industry. Among those is NTT Fellow Dr. Tatsuaki Okamoto, recognized at the RSA Conference 2017 annual awards program for Excellence in the Field of Mathematics.\nAmong Dr. Okamoto\u2019s contributions to the security field is path-breaking research into third-generation cryptography. Unlike symmetric, public-key or identity-based cryptography, this latest form is designed to provide highly functional cryptosystems and is applicable to cloud networks.\nConstant vigilance\nSecurity calls for vigilance and dedicated professionals. Whether seeking cloud security certifications for internal employees, hiring new professionals or working with a managed security services partner, IT security teams are engaged in the critical task of protecting high-value assets: information that keeps them relevant to and trusted by customers, and competitive in the global marketplace.\n \u201cThe Five Cloud Personas \u2013 Are you an Embracer or a Controller?\u201d Vanson Bourne, 2013.\n \u201cPrivate Cloud, Public Cloud, No Cloud \u2013 No Matter of Security,\u201d webinar sponsored by NTT Data\u2019s ITelligence unit and SAP, 2016.\n.