informa
/
News

Cloud Stampede Is On, But Who's Watching Security?

A survey by Intel and the Cloud Security Alliance finds that the use of cloud services is increasing, but more in-depth security measures are needed.
10 Cloud Jobs In Highest Demand Now
10 Cloud Jobs In Highest Demand Now
(Click image for larger view and slideshow.)

France, Spain, and Canada are among the world's leaders in the average number of cloud services companies are using. That number is 48 in Spain and Germany, and 46 in Canada. But by far the world leader is Brazil, where the average number of cloud services adopted is 55.

The United States, where the cloud was invented, lags with an average of 44 services. The countries where companies had implemented the fewest cloud services were Germany, 38; Australia, 37; and Great Britain, 29.

This data is according to a worldwide survey sponsored by Intel Security and its subsidiary McAfee. The survey was conducted by Vanson Bourne, an independent technology market researcher, which conducted 1,200 interviews with IT leaders in June 2015 to compile the report, "Blue Skies Ahead? The State Of Cloud Adoption."

The Cloud Security Alliance was an adviser on the survey's formulation.

The cloud services allowed in the study include different forms of private cloud, hybrid cloud, and the various forms of public cloud: software-as-a-service (SaaS), such as Salesforce and Workday; infrastructure-as-a-service (IaaS), such as Microsoft Azure and Amazon Web Services; platform-as-a-service (PaaS), such as Google App Engine and IBM Bluemix; and security-as-a-service, such as HyTrust and Verizon.

[Want to see how the federal government is moving toward more cloud computing? Read 'Cloud-First' To Close 5,000 Federal Data Centers.]

The growing number of services used reflects another fundamental trend: Enterprise IT managers still don't fully trust the cloud, but they trust it more than they used to. Asked if their organization trusts the cloud more now than it did a year ago, 3% said no, 20% said they didn't know, and 77% said yes.

And there's still plenty of skepticism: 37% said they trust their own private cloud, while just 13% trust the public cloud. "The public cloud is the least trusted model," the report noted.

A Matter Of Trust

The shortage of trust in the cloud appears to be on a collision course with adoption of cloud use. The survey revealed a high expectation for cloud adoption by companies all over the world over the 12 to 18 months.

Asked how soon they'll hit a level of 80% reliance on cloud operations, companies in the US, Canada, and Spain said within 14 months. In France, the average expectation was 16 months; in Germany, 18 months. Again, the country to show up on the slow adoption end of the scale was Great Britain, at 28 months. The shortest time period expected was Brazil's 12 months, followed by Australia's 11 months.

All of the time periods were so short that two contributors to the report, Intel's EMEA CTO for Intel Security, Raj Samani, and Jim Reavis, CEO of the Cloud Security Alliance, said of the 12-to-18-month time period "some people refer to this as a tipping point in IT."

In fact, many of the respondents meant "private" cloud when answering the time period question, and that sometimes covers everything from having a section of virtualized servers to using a Microsoft, Google, or IBM development platform. Fifty-one percent said their cloud deployment would consist of private cloud; 30% said public cloud; and 19% said hybrid cloud operations.

Focus On Security

The survey suggests it's time "for a re-evaluation of what the real cloud threats are," the report said. Twenty-three percent said they had experienced a data loss or breach; 23% also said they had difficulty getting visibility into security incidents; 20% claimed an unauthorized access to their data or services; 19% cited difficulty in obtaining security event log files; and 18% reported difficulty in a coordinated incident response.

Among the most serious incidents were account takeovers and an intruder's traversal from cloud to internal systems, both reported by 13%.

At the same time, the survey indicated that organizations were using three types of security to protect their SaaS, including file encryption and email security.

Learn to integrate the cloud into legacy systems and new initiatives. Attend the Cloud Connect Track at Interop Las Vegas, May 2-6. Register now!

Organizations surveyed are using an average of four security measures to protect their IaaS, whether public cloud or private cloud, including firewalls and encryption.

Security-as-a-service can be used for some of the same purposes as the measures enterprises already have in place to protect infrastructure and private clouds: email protection, Web server protection, anti-malware, and application firewall.

The report cited a second SANS Institute survey, "Orchestrating Security in the Cloud," as a source for additional information. The SANS Institute provides training for cybersecurity professionals.

Over the next 18 months, organizations should consider boosting their security features, according to the SANS Institute report. Recommended additions include vulnerability scanning, multifactor authentication, data loss prevention, log management, intrusion detection and intrusion prevention systems, and security information and event management systems.

The Intel/Cloud Security Alliance report also cited a Gartner report as predicting that cloud access security brokers, a service now in use by five percent of large enterprises, will be in use at 85% of them by 2020. Such systems can ensure only authorized users are tapping into SaaS applications and track "shadow IT" users as they create new external user accounts and start unauthorized cloud activity.

Even with rapid movement into cloud services, responsibility for protection of corporate data will largely remain on premises, even if the data moves off. Keeping control of the data and regaining visibility into activities using it will go a long way toward enabling a further transition to cloud computing, the report concluded.

But responsibility for getting there still rests on CIOs and CISOs, sometimes with help from top management and sometimes despite a gap in understanding within the C-suite that puts the burden on IT pros to educate them.

</a