65% Say Cloud As Secure As On-Premises - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Software as a Service
12:06 PM
Connect Directly

65% Say Cloud As Secure As On-Premises

Nearly two-thirds of IT security professionals think cloud software security equals what they can provide in enterprise data centers, according to Cloud Security Alliance survey.

8 Ways Cloud Storage Delivers Business Value
8 Ways Cloud Storage Delivers Business Value
(Click image for larger view and slideshow.)

The perception that computing in the cloud is less secure than the enterprise data center is gradually reversing.

One sign was when Capital One Financial CIO Robert Alexander spoke at Amazon Web Services' Re-Invent last October in Las Vegas to say the EC2 cloud would host his firm's next mobile banking application. The EC2 cloud was more secure for that purpose than most enterprise data centers, he said on stage Oct. 7.

Another is a just-released report from the Cloud Security Alliance (CSA), "The Cloud Balancing Act for IT: Between Promise and Peril," which says 64.9% of security officers and IT managers think the cloud is at least as secure as their on-premises software. Security of data in the cloud is still a major concern, though: Some 67.8% said that they were concerned they couldn't enforce their own security policies in the cloud, and 61.2% said that they remained concerned about meeting compliance requirements.

Of the 64.9% who say the cloud is at least as secure as on-premises software, 47.1% say cloud security is equal to and 17.8% say it's better than what they have on premises.

The report explained where the respondents' confidence comes from: "One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending even beyond what some of their customers do to secure on-premises applications." CSA spokesmen weren't immediately available to explain whether the survey contacted primarily software-as-a-service users as opposed to infrastructure-as-a-service users.

(Image: nikauforest/iStockphoto)

(Image: nikauforest/iStockphoto)

The survey sample size was small, with 209 security officers, risk managers, audit managers, compliance supervisors, and IT managers polled.

The survey also had a corporate sponsor, Skyhigh Networks, which offers a cloud access security broker product for enforcing security and compliance with cloud use. The CSA is a nonprofit organization whose executive board includes SAP, HP, Comcast, Microsoft, EMC, TrendMicro, and Gapertise. In addition, its membership includes Amazon, Google, Intel, Huawei, Cisco, Deloitte, Booz Allen Hamilton, Ericsson, and Batelle.

Perhaps the most surprising conclusion to come out of it was the revelation that 24.6% of respondents said they'd rather pay a ransom to hackers than face the consequences of a successful attack on their systems. Fourteen percent said they would pay as much as $1 million to get an intruder threat or data-ransom problem to go away.

That finding is less surprising when one considers the advice given out by the FBI in an Oct. 22 article in The Security Ledger. When a hacker succeeds in capturing sensitive corporate data via Cryptolocker, Cryptowall, or other forms of ransomware, "To be honest, we often advise people just to pay the ransom ... The ransomware is that good," said Joseph Bonavolonta, the assistant special agent in charge of the FBI's Cyber and Counterintelligence Program in its Boston office.

In 2014, Sony suffered a data breach and faced demands from hackers threatening to dump its sensitive customer data. It's not known what the company said or did in response, but it faced immediate costs of $35 million to handle the immediate aftermath of the breach and $83 million to rebuild its damaged IT infrastructure.

[Want to learn more about how security professionals view the likelihood of warding off malware? See 83% of Infosec Pros Think Another Successful Cyberattack on Critical Infrastructure Likely in 2016.]

The willingness to pay a ransom correlates somewhat to whether a company holds cyber-security insurance. Target had the insurance when it suffered its credit card breach, and the coverage provided $90 million toward its $264 million cost to recover from the incident.

The CSA survey found that 22.6% of companies without cyber-security insurance and 28.6% with the insurance were willing to pay a ransom demand.

Security, whether in the cloud or on premises, is more likely to be enforced if the company has hired a chief information security officer, the survey concluded. Two-thirds of organizations concerned about data security have a CISO, while only 50% of those less concerned about security have one.

"It's not clear if a culture of security makes it more likely that a company will invest in hiring a CISO, or if a CISO instills a stronger culture of security, or if both reinforce each other," the report said.

According to the report, the largest barriers to detecting data loss in the cloud included: lack of skilled security professionals to maximize full value of new technologies (surveyed at 30.7%), lack of internal strategy to operationalize threat intelligence data (at 26.5%), lack of budget to acquire new technologies that detect cloud breaches (at 22.9%), and lack of actionable analytics around threat intelligence data (at 19.9%).

A total of 82.2% of companies reported that they have some sort of incident response plan; 44.5% said it was a complete plan; 41.7% said it was a partial plan; and 17.8% said they didn't have a plan.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
1/25/2016 | 5:39:39 PM
Cyber-security insurance, just like Calif. earthquake insurance?
Cyber-security insurance? I suspect that's cheap and covers everything -- just like California earthquake insurance. Actually, earthquake insurance is expensive, has massive deductibles and doesn't cover many losses.
User Rank: Author
1/25/2016 | 1:45:50 PM
From what I've seen, the cloud data centers themselves can be more secure than what one company can set up on premises. The security vulnerabilities tend to come in during the transfer of data from one to the other. 
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
How CIOs Can Advance Company Sustainability Goals
Lisa Morgan, Freelance Writer,  5/26/2021
IT Skills: Top 10 Programming Languages for 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/21/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll