The perception that computing in the cloud is less secure than the enterprise data center is gradually reversing.
One sign came when Capital One Financial CIO Robert Alexander spoke at Amazon Web Services' re:Invent conference last October in Las Vegas to say the EC2 cloud would host his firm's next mobile banking application. The EC2 cloud was more secure for that purpose than most enterprise data centers, he said on stage Oct. 7.
Another is a just-released report from the Cloud Security Alliance (CSA), "The Cloud Balancing Act for IT: Between Promise and Peril," which says 64.9% of security officers and IT managers think the cloud is at least as secure as their on-premises software. Security of data in the cloud is still a major concern, though: Some 67.8% said that they were concerned they couldn't enforce their own security policies in the cloud, and 61.2% said that they remained concerned about meeting compliance requirements.
Of the 64.9% who say the cloud is at least as secure as on-premises software, 47.1% say cloud security is equal to what they have on premises and 17.8% say it is better.
The report explained where the respondents' confidence comes from: "One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending even beyond what some of their customers do to secure on-premises applications." CSA spokesmen weren't immediately available to explain whether the survey contacted primarily software-as-a-service users as opposed to infrastructure-as-a-service users.
The survey sample size was small, with 209 security officers, risk managers, audit managers, compliance supervisors, and IT managers polled.
The survey also had a corporate sponsor, Skyhigh Networks, which offers a cloud access security broker product for enforcing security and compliance policies on cloud use. The CSA is a nonprofit organization whose executive board includes SAP, HP, Comcast, Microsoft, EMC, Trend Micro, and Gapertise. In addition, its membership includes Amazon, Google, Intel, Huawei, Cisco, Deloitte, Booz Allen Hamilton, Ericsson, and Battelle.
Perhaps the most surprising conclusion to come out of it was the revelation that 24.6% of respondents said they'd rather pay a ransom to hackers than face the consequences of a successful attack on their systems. Fourteen percent said they would pay as much as $1 million to get an intruder threat or data-ransom problem to go away.
That finding is less surprising when one considers the advice given out by the FBI in an Oct. 22 article in The Security Ledger. When a hacker succeeds in capturing sensitive corporate data via Cryptolocker, Cryptowall, or other forms of ransomware, "To be honest, we often advise people just to pay the ransom ... The ransomware is that good," said Joseph Bonavolonta, the assistant special agent in charge of the FBI's Cyber and Counterintelligence Program in its Boston office.
In 2014, Sony suffered a data breach and faced demands from hackers threatening to dump its sensitive customer data. It's not known what the company said or did in response, but it faced immediate costs of $35 million to handle the aftermath of the breach and $83 million to rebuild its damaged IT infrastructure.
The willingness to pay a ransom correlates somewhat with whether a company holds cyber-security insurance. Target had the insurance when it suffered its credit card breach, and the coverage provided $90 million toward its $264 million cost to recover from the incident.
The CSA survey found that 22.6% of companies without cyber-security insurance and 28.6% with the insurance were willing to pay a ransom demand.
Security, whether in the cloud or on premises, is more likely to be enforced if the company has hired a chief information security officer, the survey concluded. Two-thirds of organizations concerned about data security have a CISO, while only 50% of those less concerned about security have one.
"It's not clear if a culture of security makes it more likely that a company will invest in hiring a CISO, or if a CISO instills a stronger culture of security, or if both reinforce each other," the report said.
According to the report, the largest barriers to detecting data loss in the cloud included: a lack of skilled security professionals to realize the full value of new technologies (cited by 30.7%), a lack of internal strategy to operationalize threat intelligence data (26.5%), a lack of budget to acquire new technologies that detect cloud breaches (22.9%), and a lack of actionable analytics around threat intelligence data (19.9%).
A total of 82.2% of companies reported that they have some sort of incident response plan; 44.5% said it was a complete plan; 41.7% said it was a partial plan; and 17.8% said they didn't have a plan.