Who’s Afraid of the Cloud?…. Are Your Cloud Fears Justified?

More businesses are moving more critical applications to the cloud but fears about the security of the cloud are still regularly aired.

What are the common cloud security fears and questions, and assumptions, where do they come from and could you be worrying unnecessarily?

Fear Itself.

Fear of the unknown and the untried and even irrational fear, coupled with the weight of responsibility and the need to avoid unnecessary risk can often obscure the benefits and opportunities that other companies are already enjoying with the Cloud.

If you have fears and doubts you’re not alone. A 2015 BT survey of IT decision makers showed that 49% said they are very or extremely anxious about the security of Cloud services.

I’ll Have No Control.

Many organisations fear that information stored in the Cloud and the security of the Cloud itself are out of their control and are therefore at risk.

There is an argument however that if your organisation already has the right policies and data access controls in place then it is more likely to retain a good level of control and keep things secure in the cloud. If your organisation follows the right security protocols then it should follow that your chosen Cloud Service Provider (CSP) will comply with the agreed security standards and policies.

In-house: More or Less Secure?

The 2015 BT survey illustrated one of the key (mistaken) beliefs that is held by IT decision makers i.e. 41% said that they believed that all Cloud-based services are inherently insecure. What’s more, many IT decision makers still believe therefore that keeping everything in-house is a much safer bet.

The fact is however that over 90% of security issues originate with the enterprise, and not in the cloud. Almost all of the recent big data breaches were from the traditional on-premises IT model. As well as the fact that cyber criminals find it very difficult to target the data resources of an individual company in a multi-tenant cloud environment, IT leaders put much of the risk and the causes of cloud problems down the behaviour and culture of employees. It is also worth noting that despite a general acceptance among IT professionals that cloud is safer than in-house, many IT commentators predict a hybrid of cloud and on-premise environments in the near future.

While the mistaken belief that in-house is always best persists things are unlikely to improve. Gartner for example predicts that that, through 2020, 95% of cloud security failures will be the customer’s fault.

It is also worth remembering that CSPs spend a lot of their significant budgets focusing on the latest security measures, whereas the security aspects of many in-house and legacy systems are often ignored or not kept up to date. CSPs also have a vested interest in maintaining the very highest level of security to protect themselves from reputational and business damage. CSPs also have to meet tougher security standards than in-house operations, and this of course can only make them more secure for you the customer.

Security is the Cloud Services Provider’s Responsibility.

In reality, however reputable the CSP, the security of an organisation’s data is not solely the responsibility of that CSP but is shared one. Organisations need to make sure that their employees are using eternal applications responsibly and aren’t sharing lots of inappropriate data with other employees and external parties. Staff training in data and cyber security, and clearly communicated IT and data policies and procedures can therefore all help as part of a shared security responsibility between the organisation and CSPs, thus giving the best possible chance of protection against evolving threats.

Once Anything is in the Cloud It’s More Secure, Right?

Not necessarily. The cloud should really be thought of as 2 parts, the infrastructure and the applications running in the cloud. Attacks on web applications are now a huge risk to organisations, and simply moving an application with security vulnerabilities into the cloud doesn’t guarantee its security. 50% of application vulnerabilities for example start at architecture level. It is therefore important that as well as enjoying the security benefits of the cloud, organisations make sure that any known security vulnerabilities in applications have been addressed before moving them to the cloud.
Not Knowing Were My Data is Being Stored in the World is a Problem.

The layered nature of CSPs means that most organisations using the cloud don’t actually know where in the world their data is physically being stored. In reality this hasn’t affected the good security record or CSPs and most UK companies using the cloud are using it somewhere other than in the UK. It could be the case however that with more EU regulations coming into force there could be more cloud storage in the EU and the UK in future. The introduction of the new EU data protection regulation GDPR and the need for compliance with it is likely to mean a strengthening in the protection of the data in the cloud anyway.

More Secure, Easier and Cheaper.

A move to the cloud can therefore be a leap of faith of sorts but it is now a road that is quite well trodden by many organisations, the vast majority of which have found the experience a positive one. Data should be considered to be much more secure now in the cloud than on expensive on-premise infrastructures. Many organisations have found that as well as cost savings, the cloud really does offer greater security as well as the convenience of paying an expert vendor to handle things for them.