Cloud Security Strategies Rest Too Heavily on Blind Trust
According to the results of a survey commissioned by iland.
Join the DZone community and get the full member experience.Join For Free
As business and IT finally align on security priorities, companies throw technology at issues, fail to validate claims and struggle to manage resources:
Forty-seven percent (47%) of security personnel “simply trust” their cloud providers meet security agreements without further verification.
Forty-eight percent (48%) more security technologies are deployed in the cloud than on-premises, and security now tops the list of cloud priorities.
Business and IT agree they would rather delay a product launch or application deployment than risk security vulnerabilities.
Ninety-one percent (91%) of respondents reported they need cloud providers to help with security integration, reporting and/or leveraging analytics.
iland announced findings of a new cloud security survey it commissioned independent analyst firm Enterprise Management Associates (EMA) to conduct. The study reveals that companies now consider cloud security to be superior to on-premises environments, but often expose themselves to risk by blindly relying on a glut of technology they are unable to actively manage.
Analyzing insights from 100 IT decision makers and security experts who leverage cloud infrastructure and/or Disaster-Recovery-as-a-Service in North America, the findings are published in a study entitled, “Blind Trust Is Not a Security Strategy: Lessons from Cloud Adopters.”
“Companies can no longer combat security threats by simply throwing technology at perceived vulnerabilities,” said David Monahan, research director, security and risk management at Enterprise Management Associates. “Though teams are using more security tools in the cloud than on-premises, they still face major risks as they struggle with staffing and skills shortages that make it extremely difficult to adequately evaluate, integrate and manage solutions.”
Key survey findings put spotlight on evolving security perceptions and practices:
As IT recognizes cloud as an imperative, teams focus on fortifying environments with significantly more tools than are used on-premises. In fact, 48 percent more security technologies are deployed in the cloud than on-premises.
IT now sees cloud adoption as an opportunity to improve security with previously unused technology. When asked why they had not deployed specific security features in the cloud, respondents indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.
Business and IT finally agree on the priority of cloud security. While business teams have often used cloud to bypass IT, the two teams are now more aligned on security priorities than ever before. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and business agrees in a nearly three-to-one margin. This represents a fundamental shift in organizational dynamics, where business should no longer view security personnel as naysayers, but allies who are committed to fighting threats.
However, the survey also points to important underlying flaws and opposing perceptions that must be addressed:
Cloud customers do not validate security claims. Forty-seven percent of security personnel reported they “simply trust” their cloud providers are delivering on security agreements, rather than verify it independently or through a third party.
While organizations cite advantages of cloud security over on-premises, they also report it is lacking in key ways. Fifty-five percent of respondents said cloud uses superior technology to on-premises, and 56 percent indicated that security technology is more consistently applied in cloud. However, cloud customers admit they need more help from their cloud providers when it comes to integrating security technology (52 percent), improving security reporting (49 percent) and improving security analytics (44 percent).
There is a significant gap in IT’s understanding of compliance requirements and related workloads. While 96 percent of security professionals acknowledge that their organizations have compliance related workloads in the cloud, only 69 percent of IT teams identified the same. This gap could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider.
“EMA research also identified that 68 percent of organizations have staffing shortages and 34 percent have skills shortages, which directly correlates to flaws and opposing perceptions uncovered in this study,” said Monahan. “While IT has made monumental progress in identifying and adopting necessary security technologies, cloud providers must do more to ensure teams can easily validate claims, manage disparate tools, anticipate threats and take action when needed.”
“As is often the case in technology, the crux of the problem when it comes to cloud security has shifted from the technology of securing the cloud to the operations and management – the people side – of securing the cloud,” said Justin Giardina, CTO at iland. “At iland, we’ve designed our offerings with the mindset that technology, alone, does not solve a problem. Not only are we committed to supporting customers with our expert compliance team, we will also continue to evolve our platform to integrate more turnkey, automated security functionality that enables teams of all sizes and expertise levels to protect themselves against increasing cyber threats.”
Opinions expressed by DZone contributors are their own.