65% Say Cloud As Secure As On-Premises - InformationWeek
1/25/2016
12:06 PM

65% Say Cloud As Secure As On-Premises

Nearly two-thirds of IT security professionals think cloud software security equals what they can provide in enterprise data centers, according to a Cloud Security Alliance survey.

The perception that computing in the cloud is less secure than the enterprise data center is gradually reversing.

One sign was when Capital One Financial CIO Robert Alexander spoke at Amazon Web Services' re:Invent last October in Las Vegas to say the EC2 cloud would host his firm's next mobile banking application. The EC2 cloud was more secure for that purpose than most enterprise data centers, he said on stage Oct. 7.

Another is a just-released report from the Cloud Security Alliance (CSA), "The Cloud Balancing Act for IT: Between Promise and Peril," which says 64.9% of security officers and IT managers think the cloud is at least as secure as their on-premises software. Security of data in the cloud is still a major concern, though: Some 67.8% said that they were concerned they couldn't enforce their own security policies in the cloud, and 61.2% said that they remained concerned about meeting compliance requirements.

Of the 64.9% who say the cloud is at least as secure as on-premises software, 47.1% say cloud security is equal to and 17.8% say it's better than what they have on premises.

The report explained where the respondents' confidence comes from: "One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending even beyond what some of their customers do to secure on-premises applications." CSA spokesmen weren't immediately available to explain whether the survey contacted primarily software-as-a-service users as opposed to infrastructure-as-a-service users.

(Image: nikauforest/iStockphoto)

The survey sample size was small, with 209 security officers, risk managers, audit managers, compliance supervisors, and IT managers polled.

The survey also had a corporate sponsor, Skyhigh Networks, which offers a cloud access security broker product for enforcing security and compliance with cloud use. The CSA is a nonprofit organization whose executive board includes SAP, HP, Comcast, Microsoft, EMC, Trend Micro, and Gapertise. In addition, its membership includes Amazon, Google, Intel, Huawei, Cisco, Deloitte, Booz Allen Hamilton, Ericsson, and Battelle.

Perhaps the most surprising conclusion to come out of it was the revelation that 24.6% of respondents said they'd rather pay a ransom to hackers than face the consequences of a successful attack on their systems. Fourteen percent said they would pay as much as $1 million to get an intruder threat or data-ransom problem to go away.

That finding is less surprising when one considers the advice given out by the FBI in an Oct. 22 article in The Security Ledger. When a hacker succeeds in capturing sensitive corporate data via Cryptolocker, Cryptowall, or other forms of ransomware, "To be honest, we often advise people just to pay the ransom ... The ransomware is that good," said Joseph Bonavolonta, the assistant special agent in charge of the FBI's Cyber and Counterintelligence Program in its Boston office.

In 2014, Sony suffered a data breach and faced demands from hackers threatening to dump its sensitive customer data. It's not known what the company said or did in response, but it faced costs of $35 million to handle the immediate aftermath of the breach and $83 million to rebuild its damaged IT infrastructure.

The willingness to pay a ransom correlates somewhat to whether a company holds cyber-security insurance. Target had the insurance when it suffered its credit card breach, and the coverage provided $90 million toward its $264 million cost to recover from the incident.

The CSA survey found that 22.6% of companies without cyber-security insurance and 28.6% with the insurance were willing to pay a ransom demand.

Security, whether in the cloud or on premises, is more likely to be enforced if the company has hired a chief information security officer, the survey concluded. Two-thirds of organizations concerned about data security have a CISO, while only 50% of those less concerned about security have one.

"It's not clear if a culture of security makes it more likely that a company will invest in hiring a CISO, or if a CISO instills a stronger culture of security, or if both reinforce each other," the report said.

According to the report, the largest barriers to detecting data loss in the cloud included: lack of skilled security professionals to maximize full value of new technologies (surveyed at 30.7%), lack of internal strategy to operationalize threat intelligence data (at 26.5%), lack of budget to acquire new technologies that detect cloud breaches (at 22.9%), and lack of actionable analytics around threat intelligence data (at 19.9%).

A total of 82.2% of companies reported that they have some sort of incident response plan; 44.5% said it was a complete plan; 41.7% said it was a partial plan; and 17.8% said they didn't have a plan.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
tzubair
User Rank: Ninja
1/27/2016 | 2:31:42 PM
Re: cloud
"The security vulnerabilities tend to come in during the transfer of data from one to the other."

@Ariella: Normally, the data transmission is also the responsibility of the cloud vendor. The data is transmitted in the form of encrypted data and decrypted at the client's end. The cloud vendor has to ensure that besides the security on the servers, the data is also secure during the transmission until it reaches the client.
tzubair
User Rank: Ninja
1/27/2016 | 2:27:43 PM
Re: Cyber-security insurance, just like Calif. earthquake insurance?
"I suspect that's cheap and covers everything -- just like California earthquake insurance. Actually, earthquake insurance is expensive, has massive deductibles and doesn't cover many losses."

@Charlie: I think cyber-security insurance is highly doubtful at this point in time because there's not enough data available at the disposal of insurance companies to accurately assess the risk. The incidents are rare and few and not many get reported. Once there's enough data, the insurance companies can probably cover the risk better.
tzubair
User Rank: Ninja
1/27/2016 | 2:21:39 PM
Security and Culture
"It's not clear if a culture of security makes it more likely that a company will invest in hiring a CISO, or if a CISO instills a stronger culture of security, or if both reinforce each other,"

I think culture comes at the very bottom and everything stems from it - even security. It's rare to find organizations changing their culture and focussing on educating people and creating awareness when there's a security breach. Instead, they start becoming more strict on the policies and isolate people from the security process itself. Hence, a strong culture results in better security and not the other way round.
Stratustician
User Rank: Ninja
1/26/2016 | 9:31:56 AM
Re: cloud
For me, I think for many companies, yes, it is often better to leverage cloud hosted services that provide security controls built in if your organization struggles with keeping minimum security requirements. That being said, just because your data and applications are hosted in a "more secure" environment than you might be able to achieve on-premise, there is still a huge risk derived from how that data is accessed and interacted with on premise, especially when it comes to the security of users themselves. These hosted services pose a great opportunity for malicious activity, and unless the right security practices are employed when it comes to security awareness training and ensuring users are following best practices, there is still a risk to data.
Charlie Babcock
User Rank: Author
1/25/2016 | 5:39:39 PM
Cyber-security insurance, just like Calif. earthquake insurance?
Cyber-security insurance? I suspect that's cheap and covers everything -- just like California earthquake insurance. Actually, earthquake insurance is expensive, has massive deductibles and doesn't cover many losses.
Ariella
User Rank: Author
1/25/2016 | 1:45:50 PM
cloud
From what I've seen, the cloud data centers themselves can be more secure than what one company can set up on premises. The security vulnerabilities tend to come in during the transfer of data from one to the other. 