Business Security

Cloudy with a chance of malware

Business IT Research, 9 March 2017

The Cloud - private, public and/or hybrid - has many benefits, but security will continue to be a challenge.

While overall IT budgets are experiencing minimal growth - a compound annual growth rate of 0.9 percent in 2016 (to $3.4 trillion) - the sky is the limit when it comes to cloud: Cloud infrastructure spending will increase 16.2 percent in 2016 to $37.4 billion, with a 5-year CAGR of 13.6 percent to $60.8 billion in 2020. That’s just the hardware; public cloud services are expected to reach $208 billion in 2016, up from $178 billion in 2015. Gartner attributes the growth to the fact that organizations are saving 14 percent of their budgets as an outcome of public cloud adoption.

Cloud adoption is already huge, and it is accelerating because it offers a number of potential benefits, especially better cost controls, savings (up to 14 percent lower costs than on-premises), more agility and improved security. Cloud, especially one hosted by a third-party provider, which accounts for the bulk of cloud spending, is supposed to provide a safer environment than an internal IT department, with access to better and more resources. Cloud service providers can focus on providing secure offerings, allowing their clients to focus on their businesses.

Bad weather in store for The Cloud

As with every other aspect of the digital universe, threats to, and concerns about, cloud security are growing. Cloud computing turns the traditional IT paradigm on its head: instead of keeping the bad guys out and information in with on-prem, information is put into a third party’s hands and is (potentially) accessible by everyone, at any time, from any place.

According to a survey of more than 2,200 cybersecurity professionals, security concerns top the list of barriers to cloud adoption:

  • General security concerns (53 percent, up from 45 percent in last year’s survey)
  • Legal and regulatory compliance concerns (42 percent, up from 29 percent)
  • Data loss and leakage risks (40 percent)

The biggest cloud security threats were:

  • Unauthorized access through misuse of employee credentials and improper access controls (53 percent)
  • Hijacking of accounts (44 percent)
  • Insecure interfaces/APIs (39 percent)

One in three organizations say external sharing of sensitive information is the biggest security threat. The top three security headaches when moving to the cloud are:

  1. Verifying security policies (51 percent)
  2. Visibility (49 percent)
  3. Compliance (37 percent)

While cybersecurity budgets are outgrowing IT spending in general, they’re not keeping pace, and this is a source of growing concern. A recent survey found that many businesses simply aren’t adopting appropriate governance and security measures to protect sensitive data in the cloud.

“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” said Larry Ponemon, chairman and founder, Ponemon Institute.

Challenges include:

  • Difficulty in controlling or restricting end-user access (53 percent of respondents in 2016, up from 48 percent in 2014)
  • The inability to apply conventional information security in cloud environments (70 percent of respondents)
  • Inability to directly inspect cloud providers for security compliance (69 percent of respondents)
  • Nearly half (49 percent) of cloud services are deployed by departments other than corporate IT
  • An average of 47 percent of corporate data stored in cloud environments is not managed or controlled by the IT department

Cloud - and cloud service providers - offer the potential for great benefits, including tighter security, with more resources and expertise than are available with on-prem. However, those benefits also come with great risks, including bigger threat surfaces and loss of control. For a safer and more secure journey to the cloud, organizations must balance the benefits with the risks and ensure that their digital assets are protected regardless of where they may be found.

10 steps to ensure cloud computing security

The following are the ten steps that cloud service customers should take to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support, as recommended by the Cloud Standards Customer Council:

  1. Ensure effective governance, risk and compliance processes exist
  2. Audit operational and business processes
  3. Manage people, roles and identities
  4. Ensure proper protection of data and information
  5. Enforce privacy policies
  6. Assess the security provisions for cloud applications
  7. Ensure cloud networks and connections are secure
  8. Evaluate security controls on physical infrastructure and facilities
  9. Manage security terms in the cloud service agreement
  10. Understand the security requirements of the exit process