Cloud computing has become a ubiquitous part of today’s business operations. From storage to applications, development to file sharing, the average organization uses 1,427 cloud services as part of daily activity, according to a survey on “the transformative impact of cloud adoption” published by Skyhigh Networks.
Looking back several years, security teams were quick to say “no” to cloud, only to learn later that other lines of business were using cloud services aplenty. Realizing their new reality, and under pressure from the business to move faster and less expensively while providing easy-to-use, always-accessible tools for employees, security teams reluctantly got behind cloud and began inserting security requirements into contracts and processes. Then a funny thing happened: Cloud providers started to realize that security controls were a competitive advantage customers would pay for—and they helped the provider close deals faster—so the providers moved toward placing a greater focus on security. Today, many of the top cloud providers’ security controls, processes, and policies are far superior to what the average company could effect on its own with on-premises systems. Yet security teams continue to proceed very cautiously when presented with a potential implementation.
So you sailed away
Building one’s own data centers, software, or applications is complicated, time consuming, and costly, but security teams are still hesitant to hand over organizational data. The reasons for this are many and varied, says Jason Wood, Founder of Paladin Security, but at the heart of the matter, he continues, security teams are “afraid of the cloud vendor screwing up their systems or losing their data.”
True enough (depending on which industry survey you read), up to 85% of organizations are storing up to 50% of their sensitive data in cloud. This alone is cause for concern—security’s job is to protect the confidentiality, integrity, and availability of the organization’s data. When that data is handled by another entity, internal security loses the ability to directly control “availability” altogether, and its ability to ensure “confidentiality” and “integrity” is diminished as well.
Some of the worry, though, says Wood, is an overreaction: “While I don't believe everything is rainbows and unicorns in cloud providers’ systems, I do think cloud providers have the potential to manage the infrastructure and environment better than your average company.” The real issue, he adds, is that potential consumers must have confidence in the provider’s ability to keep data secure. The fear of what may be “lurking in the dark corners of the cloud provider’s network,” coupled with a healthy dose of risk awareness, says Wood, is at the root of security teams’ apprehension. Per a recently published survey by Schneider Electric, only 57% of security managers feel the cloud is a secure environment for their company’s data. This is likely based on their knowledge of the growing threat landscape and the fallibility of tools, techniques, and processes. Combine this knowledge with the fact that cloud providers tend not to be totally transparent about exact architectures and controls in use, plus their propensity to encourage customers to trust them without offering the ability to verify, which security pros crave, and it’s no wonder reluctance reigns. Cloud providers might be quick to offer a letter of attestation or compliance, says Wood, but how many companies that have been victims of mega breaches have been compliant? Exactly.
Into a grey sky morning
Contributing to security teams’ anxiety over cloud, CEOs and boards are pushing for faster, better, cheaper tools while demanding that security teams keep the company’s data secure. This quagmire feels like a double-edged sword to many, so they push back on any adoption made known to them unless a full and thorough analysis of the provider is completed. Not to mention, the “cheaper” part of the cloud equation is mythical; while security teams understand that the initial contract price is often just the tip of the iceberg of ongoing operations and upgraded security costs, warning executives about the potential for an ever-expanding invoice is another hurdle that needs to be cleared. Cautionary advice slows down the process of implementation and makes security pros feel like they’re wearing their “department of ‘no’” hat once again, even though the idea of proceeding with caution differs significantly from a full-stop refusal.
Further, Wood feels that some companies shy away from cloud because they simply don’t understand it yet. Getting cloud security right—especially when you’re the data owner and have limited control over what happens inside the hardware—is complicated. It’s not responsible to hand over piles of data to a third party without considering what and how it’s being handed over. A lot of companies lag on encryption practices, don’t segment data, and never think about who is going to have access to their data (and how) once it’s sitting with the cloud provider. These things require policies, processes, and management before migration begins. In addition, the ability to claw back data, if needed, and how to audit data resting in the cloud must be carefully considered and put into a formal contract, preferably before any data is migrated.
Now I’m here to stay
Though the cloud is not security practitioners’ favorite tool in the toolbox, it is here to stay. Instead of feeling helpless or angry about the inevitability of data moving toward a cloud (especially public rather than private or hybrid), security teams should get down to the nitty-gritty work of encryption, segmentation, insisting on the right to audit, learning as much as possible about providers’ architectures and policies, putting requirements into contracts, and talking with cloud providers about specific security needs. Not only can security push cloud providers toward enhanced controls (as we’ve already seen), but security practitioners’ level of comfort with providers’ services will increase alongside familiarity.
Cloud providers are no more likely than any other company to be attacked or have a breach. Arguably, due to the work that has already been done on the security front and the ability of the big providers to hire and maintain robust security teams, cloud is a safer bet than on-premises. The only scary thing about moving your data to the cloud is loss of control. With that free time, though, think of all the security basics you can cover to make sure the data itself is secure.