Back in 2011, while reporting at the annual information security RSA Conference held in San Francisco, I asked attendees, "What's the most over-hyped issue in security?"

Universally everyone responded, "The cloud."

The cloud might have been hype four years ago, though today it's a necessary business driver. Unfortunately, confusion on its effective use has given rise to a series of industry myths, often instilling fear in many CIOs.

What are the cloud security myths that keep circulating and what are their realities? Here's what industry experts had to say:

1: The cloud is inherently insecure

"The biggest myth, which refuses to die, is that your data is not safe in the cloud," argued Orlando Scott-Cowley (@orlando_sc), cyber-security specialist, Mimecast. "We're still dealing with the legions of server huggers who claim their data is safer on their own networks, where they can feel the cold embrace of the tin of their servers and watch the small blinking lights in their server rooms."

"There is a natural perception to believe that things outside of my control are innately less secure," said Tim McKellips (@Mckellip), manager of technical services, Softchoice. "I think cloud providers like Microsoft are taking Herculean efforts to secure their environments in a way the average client could never do."

Dozens of experts brought up this persistent myth, arguing that compared to your organization, cloud providers have greater expertise and more technical staff.

"Cloud companies are beginning to spend at a scale of great magnitude that cannot be matched by a single organization," said Brennan Burkhart (@LiquidHub), partner, global salesforce practice lead, LiquidHub.

"Cloud providers live, eat, and breathe network security while most other organizations don't usually list it as one of their core competencies," continued Leo Reiter (@virtualleo), CTO, Nimbix.

"Cloud computing boosts your security in a way that you will never be able to afford. This is because of the economies of scale," continued Ian Apperley (@ianapperley), writer and IT consultant, whatisitwellington.

2: The cloud security debate is simple

"The biggest myth is that the [cloud security] question is even that simple," argued Scott Feuless (@ISG_News), principal consultant, ISG.

The "cloud is less secure" argument discounts the many variables that go into making the cloud deployment decision, such as your organization's size, existing in-house expertise, who your adversaries are, whether you need to do penetration testing for each deployment, and your organization's need to scale.

The cloud doesn't need to be seen as a binary decision. "It's not a 'yes or no' or 'allow or block' world," said Sanjay Beri (@netskope), CEO and founder, Netskope. "There are now tools and capabilities that allow IT to enable cloud securely in any number of environments specific to unique requirements' needs thanks to the ubiquitous nature of APIs."

3: There are more breaches in the cloud

Once again, this myth simplifies a very complicated issue. According to the Spring 2014 Alert Logic Cloud Security Report, both on-premise and cloud hosting providers (CHP) saw a dramatic increase in vulnerability scans from 2012 to 2013, with CHP having a slightly greater increase. But depending on the type of attack, such as malware and botnets, on-premise was far more susceptible.

"Internet threats are just as much of a risk for private cloud infrastructures and service provider networks," said Jason Dover (@jaysdover), director of product line management, KEMP Technologies.

"When the correct security policies for preventing attacks and detecting them are implemented, attacks are no more threatening to the cloud than any other piece of infrastructure," said Alastair Mitchell (@alimitchell), president and co-founder, Huddle.

"Public cloud vendors typically employ a strong team of security specialists and they also have the economies of scale to acquire cutting edge security appliances," noted Torsten Volk (@TorstenVolk), vice president of product management, cloud, ASG Software Solutions. "Their reputation rides on it."

4: Physical control of data implies security

"The biggest myth about cloud security is that control is the foundation of security, or lack of security," said Praveen Rangnath (@splunk), director of Splunk Cloud, Splunk. "The foundation is visibility."

"The various high profile security breaches over the past few months have served to highlight that the physical location of the data matters less than the access and associated controls," added NaviSite's general manager, Sumeet Sabharwal (@sabhas).

Believing in the data location myth diverts focus from the more common attack vectors, such as exploiting human social weaknesses and malware, said David Cope (@DavidJamesCope), executive VP of corporate development, CliQr, who cited Verizon's 2014 Data Breach Investigations Report as evidence of this trending security threat.

5: Cloud security is far too difficult to maintain

"The top myth we come across about security is that security in the cloud is more difficult to maintain than on-premise," said Aater Suleman (@FutureChips), CEO, Flux7.

"Ultimately, a 'cloud' is just someone else's network," noted Corey Nachreiner (@watchguardtech), director of security strategy and research, WatchGuard.

"Believing in this myth leads to companies either compromising security in the name of business requirements or refraining from using the cloud for mission critical applications," continued Suleman.

The security issues are similar, noted Denny Cherry (@mrdenny), owner and principal consultant, Denny Cherry & Associates Consulting: "SQL injection (the biggest security risk to systems) is still a problem in the cloud and is addressed in exactly the same way as on premise. Firewall configurations, penetration testing, VPNs, etc. are all just as important when working with a cloud provider as they are when working on premise."

6: You can build a perimeter around cloud applications

"With apps strewn across the internet, if a corporation thinks they can build one perimeter around all their apps, then they are nuts," said Patrick Kerpan (@pjktech), CEO and co-founder, Cohesive Networks.

"People still think in terms of network-based security, even when it comes to the cloud," added Asaf Cidon (@asafcidon), CEO and co-founder, Sookasa. "They're still trying to protect their network from the cloud with reverse proxies and firewalls."

"Security should extend down to each individual enterprise application," Kerpan continued.

"Multiple layers are needed to combat hackers. There isn't a single silver bullet," agreed Greg Rayburn (@FlukeNetENT), security analyst, Fluke Networks.

"Boundaries are extended with cloud, and boundaries are already broken with mobile and IoT," said Tim Cuny (@OptimizewithCMI), VP of solutions, CMI. "Remove the old thinking of protecting perimeter boundaries and concentrate on a comprehensive risk management program that focuses on protecting assets from a people, process, and technology perspective."

7: I'm not using the cloud so I've got better protection

Even though many might try to fool themselves into believing they're not using the cloud, we're all online and susceptible to many of the same threats.

"If your systems are connected to the Internet, then you are already on the cloud," argued Peter Landau (@harmony_notes), president, Harmony Technologies.

"The biggest security threat is connecting anything (laptops, etc.) to the public internet or deploying any software to the public internet," added Dave Nielsen (@davenielsen), co-founder, CloudCamp.

8: Shadow IT can be stopped

"The security implications of employees procuring their own cloud services cannot be avoided," said Sarah Lahav (@sysaid), CEO, SysAid Technologies.

Still, while IT can't control the consumerization of IT, they are still the ones to blame for any technical issues.

"When business users suffer from poor application performance, including those with SaaS applications, IT is on the hook to resolve problems even though IT may not have anything to do with the infrastructure being used," said Bruce Kosbab (@BruceKosbab), CTO, Fluke Networks. "To avoid this situation IT and the business must work together."

"A fully representative cross-section of management, including the CEO, must be responsible for the design, deployment, and maintenance of cloud security policy and implementation," added Steve Prentice (@stevenprentice), senior writer, CloudTweaks.

9: Cloud security is solely the cloud provider's responsibility

"A common misconception is that the cloud provider automatically looks after all the security needs of the customer's data and process while in the cloud," said Jeff M. Spivey (@spiveyjms), VP of strategy, RiskIQ.

"Just being provided the tools to create, implement, and enforce security measures for cloud workflows does not inherently defer the business risk associated with an increased level of attack or compromise," said Scott Maurice (@scottjmaurice), managing partner, Avail Partners.

"Password policies, release management for software patches, management of user roles, security training of staff, and data management policies are all responsibilities of the customers and at least as critical as the security being done by the public cloud provider," added ASG's Volk.

While you're hardening internal security, don't assume that your cloud provider backs up your data and will be able to restore it in case of a security breach.

"It is instrumental and critical that you implement a backup solution that backs up your data that is hosted on the cloud to an onsite backup or to another cloud provider," said Bruno Scap (@MaseratiGTSport), president, Galeas Consulting. "In addition, in case of a security breach, you may need to restore your data from backups that you know are clean."

10: You don't need to manage the cloud

"Many believe that since the cloud infrastructure is often basically just a managed service, that the security of the services is also managed," said Michael Weiss (@Oildex), VP, software engineering, Oildex. "Many cloud based systems are left inadvertently unsecured because the customer does not know that they need to do something to secure them, as they assume that the provider has done what an in-house security staff would traditionally have done by default."

"Cloud security requires the same discipline for security of any data center," said David Eichorn (@Zensar), associate VP and cloud expert with Zensar Technologies. "Cloud data centers are as resilient as any, but the weakness comes if the policies, processes and tools aren't regularly monitored by the IT operations staff responsible."

"Understand where that line is drawn. Who is responsible for what," said Adrian Sanabria (@sawaba), senior analyst, enterprise security practice, 451 Research. "Generally, everything on the cloud provider's network and in their data centers is covered at a low level. However, everything above the hardware layer and lower network layers is the customer's responsibility."

11: You can ignore BYOD and be more secure

"Not supporting and implementing a BYOD policy does not mean an enterprise will be less at risk of a data breach," noted John Zanni (@jzanni_hosting), SVP of cloud and hosting sales, Acronis. "The BYOD movement is here to stay."

Zanni recommends deploying a mobile content management (MCM) solution, as protecting the data will be what ultimately defines your business' security and compliance requirements.

12: Cloud data isn't saved on mobile devices

"I still hear people speaking about cloud deployment as if using this service means you are not saving any enterprise data on mobile devices, and that this might make device data protection a moot point," said Israel Lifshitz (@nubosoftware), CEO, Nubo. "Apps that are connecting to devices are always caching data, and that cached data is stored on your employees' mobile devices. This data can be breached and hacked and therefore must be protected."

13: Single-tenant systems are more secure than multi-tenant

"Multitenant systems offer two security benefits over single-tenant systems," said Eric Burns (@panopto), CEO and co-founder, Panopto. "They provide an additional layer of content protection, and they ensure that security patches are always up-to-date."

While cloud hosted systems provide hardware-based and perimeter security, those who choose a multi-tenant solution, noted Burns, get a third layer of protection called logical content isolation, designed to help prevent inside-perimeter attacks.

"Like tenants in an apartment building who use one key to enter the building and another to enter their individual apartment, multitenant systems uniquely require both perimeter and 'apartment-level' security," explained Burns.

It's a necessary protection layer for the existence of multi-tenant systems.

"Multitenant services secure all assets at all times, since those within the main perimeter are all different clients," said John Rymer (@johnrrymer), VP, principal analyst, Forrester Research.

In addition, "multitenant systems ensure that software updates, including security patches, are applied to all customers simultaneously," said Burns. "With single-tenant systems, software vendors are required to update individual customers' virtual machines."

14: Multi-tenant systems are more secure than single-tenant

There are no absolutes in cloud security. The complete opposite statement regarding cloud tenancy can also be viewed as a myth.

For some organizations, forced upgrades and maintenance windows, which happen in a multi-tenancy environment, could be a detriment.

"Make sure your change management requirements can be accommodated and that you will have time to plan for upgrades, which can often be an issue with multi-tenancy systems," said Boatner Blankenstein (@Bomgar), senior director, solutions engineering, Bomgar. "Single tenancy adds flexibility for scheduling downtime without affecting others."

15: You own all your data in the cloud

"Your data may not always be yours after you've uploaded it. And if it is hosted in another country, you could be looking at cross border jurisdictional headaches," warned Joe Kelly (@legalworkspace), CEO, Legal Workspace. "Many sites retain the right to determine whether data is offensive or violates copyright or IP laws. Other sites will sell ads based on your content – which means your information may not be as private as you think it is."

16: Cloud providers will continuously manage certifications and compliance

"Many cloud providers oversimplify the security posture of their platform and steer the conversation toward compliance and certifications awarded by third parties," explained Sean Jennings (@VCDX17), co-founder and SVP of solutions architecture, Virtustream. "Security certifications are point-in-time snapshots of the cloud platform and supporting processes… It is entirely possible for results to be outdated before the ink is dry on a certificate."

"Focus should not necessarily be in implementation [of compliance policies] but rather auditing and reporting to satisfy compliance," said Dan Chow (@ExpertIncluded), COO, Silicon Mechanics. "If regulations change, knowing where the gaps are will be important to stay up-to-date and assure that a business is compliant and conforms to the latest standards."

17: Cloud security is a product or service

"Security is not a product or a service, it is a process," said Galeas Consulting's Scap. "Segment your networks based on the purpose of a particular application or service, deploy firewalls, monitor logs, system and network activity, create and follow security procedures and policies, decide who has access to data, and have a plan to follow in case of a security breach."

18: A cloud server has unlimited resources

It may appear that your cloud server has unlimited memory and processing power, but consuming more than you need can lead to performance issues and dramatic price increases.

"Cloud servers have processor, memory and I/O limitations, normally defined when the request is made. These resources are shared with the rest of the cloud environment and are moved between the cloud servers as needed," explained Abdul Jaludi (@tagmcllc), president, TAG-MC. "A cloud server will use whatever it needs, up to the configured amount and nothing more. In many shops, users are allowed to exceed their allotted resources at a much higher cost, much like the way mobile phone plans work."

19: There's no way to check what third party providers are really doing with your data

"'Malicious insiders' is one of the most interesting and under-represented issues when people discuss public cloud security," said Yuri Sagalov (@yuris), CEO and co-founder, AeroFS. "By outsourcing your storage and compute to third party vendors, you now need to trust not only your own employees, but also the employees of the vendor you're using to store and process the data."

"Some cloud providers mine enterprise data in ways that one might not want or that might invade the privacy of employees in ways that can or should not be allowed," added Nicko van Someren (@good_technology), CTO, Good Technology. "Ensure that the cloud provider will be able to furnish the customer with audit logs to identify everyone who might ever have access to corporate data and possibly show that they have had suitable background checks and clearance."

20: No need to verify big cloud providers

It may seem logical to go with a large provider with huge networks, dispersed worldwide data centers, and enormous industry recognition. It's easy to trust them, right? They're too big to collapse.

Don't fall into the "trust-but-don't-bother-to-verify" situation, advised Adam Stern (@iv_cloudhosting), CEO and founder, Infinitely Virtual. "While their businesses may not fail, yours might. An ill-timed outage or glitch could do some serious damage."

Stern advises you to fully understand your support relationship with your provider: "When a supposedly secure environment suddenly springs a leak, who's going to listen and who will actually help?"

CONCLUSION: Overcoming the cloud myths will allow you to reduce risk

"When the CIA and the NASDAQ begin deploying workloads to the cloud, the debate about whether the cloud can be secured is over," argued Avail Partners' Maurice.

Getting hung up on the myths surrounding the cloud will only prevent your organization from realizing the benefits.

Lauren Nelson (@lauren_e_nelson), senior analyst, Forrester Research, explained, "Public cloud is actually an opportunity to minimize financial risk for a net-new project or investment."

Part of overcoming your fears of the cloud is knowing what not to do when you make that move. For expert advice on a successful cloud migration, read 20 Cloud Deployment Mistakes to Avoid.