Cloud computing can generate mixed feelings. Corporate leaders generally welcome technologies that produce efficiency, agility and speed. Cloud services deliver those benefits, yet many are concerned about security, even while being often uninformed about how widely the cloud is used within their own businesses.
Executives of large companies, for instance, tell us that they are holding back on the cloud because of security concerns. But when our professional services teams engage with them, we generate log files and find evidence of large numbers of cloud services the company’s employees are using every day.
It is easy to understand the disconnect. Consider a simple example: a director of HR, tasked with filling several critical positions as quickly and confidentially as possible, turns to a low-cost SaaS recruiting tool. Job descriptions, resumes, cover letters, job offers and other documents are shared and possibly uploaded to a third-party server. Soon enough, candidates arrive for interviews. Mission accomplished, thanks to an efficient cloud-based business tool, with the C-suite never needing to know all the details.
Yet sensitive corporate and personal information was involved. How would a data breach have impacted the prospective hires, the confidentiality of the work, or the company’s reputation?
Cloud vs. on-premises security
That is a fairly simplistic example, involving small amounts of data and limited risk. As we have discovered at many customer sites, however, these kinds of cases are replicated many times, and at large scale. Use of these cloud-based systems and platforms without explicit organizational approval, also known as shadow IT, is widespread. While it can help employees and departments solve pressing problems, it poses real risks of its own.
Even with cloud services and infrastructure that have been fully vetted, the question remains: Are cloud solutions as secure as solutions hosted on an organization’s own premises? The industry appears to be split on an answer.
Each side has proof points. Cloud skeptics can point back to the hack of a high-profile online storage firm or the fatal DDoS attack on a hosting company. Cloud proponents may recall the attack on the point-of-sale (POS) network of a large retailer and the hack of one of the largest U.S. health insurance providers. There is no definitive score on the total number of compromised accounts in cloud vs. on-premises networks.
That said, we believe the cloud is winning. According to our latest Global Threat Intelligence Report, recent large data breaches have overwhelmingly involved local or on-premises systems. It is not surprising why. The investments pouring into cloud security are massive, giving most cloud vendors more advanced security processes than those found at non-cloud based enterprises. After all, security is core to their business case.
The issue, in practice, may come down less to technology than issues of human instinct and trust. Several years ago, NTT Com commissioned the technology market research firm Vanson Bourne to conduct a global study into the attitudes toward cloud and decision-making criteria when making infrastructure deployment choices. As a result of 700 interviews across five world regions, the researchers found that organizations fall into one of five cloud persona groups: Controllers, Accepters, Experimenters, Believers and Embracers.
One key conclusion of the study is that those with a longer-term history of working with the cloud are happier with the idea. Likewise, those who have only just begun using the cloud are skeptical but likely to become more confident over time. The Embracers, for instance, have worked through issues and seen how vendors have addressed concerns by embedding security and compliance services within their products and services.
Momentum is a powerful advantage. Whether through shadow IT or a more deliberate strategy, or both, companies across the board are yielding to the idea of logging onto a portal and using a dynamic cloud service.
Strategy and policy
Whatever one’s attitude, security still requires active engagement. Moreover, when thinking about implementing cloud security, organizations are not typically starting from scratch, but rather building upon policies and practices already in place.
As a first step to any strategy, companies should understand their own data and any associated risks. For instance, a retailer that needs to be Payment Card Industry (PCI)-compliant must encrypt credit card information. Then it should determine which parts of the organization will be collecting that information and which parts will not. Every company has its own data profile, security objectives and workflows.
If businesses already have guidelines or service definitions in place, it is a good idea to maintain them for the cloud to avoid frustrating internal users. Integrating a cloud-based policy into an existing IT security framework, however, may involve retraining and possibly enhancing the risk management process. Higher risk tends to be associated with larger volumes of data, and security requirements, such as encryption, should be based on the risk level.
The high stakes
Apart from policy, a company needs the controls that actually implement cloud security. The knowledge is commonly available, if not universally applied. In an NTT webinar last year, Director of Consulting Patrick Schraut offered a useful overview of available options. 
Schraut’s mix of recommended controls included assessing the vendor, generating keys in-house, encrypting browser inputs and other communication, managing user access and securing hypervisors, to name a few. In the end, by implementing a full suite of multi-layered controls, an organization can execute a comprehensive security strategy and operate in the cloud with confidence.
The stakes, however, remain high. It is for good reason that these measures and countermeasures are often described in terms of cyberwarfare. In that context, where scale and resources matter, being allied with NTT is a decided strategic advantage. Staffed by more than 1,500 security specialists, architects and engineers, NTT’s security division has 10 security operations centers (SOCs), and 40 percent of global Internet traffic uses its Global Threat Intelligence Platform (GTIP), which detects and defends against 6.2 billion attacks and analyzes more than 3.5 trillion logs annually.
Cybersecurity is also characterized by a kind of arms-race or spy-versus-spy dynamic. One battle on the horizon that has experts concerned will involve the fate of existing encryption techniques when quantum computing becomes commonly available.
Whether defending against exploit kits, malware, brute forcing, DDoS or other attacks of today, or anticipating the post-quantum cryptographic fights of tomorrow, organizations promoting trust, transparency and security do well to align with the top brains in the security industry. Among those is NTT Fellow Dr. Tatsuaki Okamoto, recognized at the RSA Conference 2017 annual awards program for Excellence in the Field of Mathematics.
Among Dr. Okamoto’s contributions to the security field is path-breaking research into third-generation cryptography. Unlike symmetric, public-key or identity-based cryptography, this latest form is designed to provide highly functional cryptosystems and is applicable to cloud networks.
Security calls for vigilance and dedicated professionals. Whether seeking cloud security certifications for internal employees, hiring new professionals or working with a managed security services partner, IT security teams are engaged in the critical task of protecting high-value assets: information that keeps them relevant to and trusted by customers, and competitive in the global marketplace.
 “The Five Cloud Personas – Are you an Embracer or a Controller?” Vanson Bourne, 2013.
 “Private Cloud, Public Cloud, No Cloud – No Matter of Security,” webinar sponsored by NTT Data’s ITelligence unit and SAP, 2016.