[BreachExchange] CIOs Coming To Terms With Fear Of Cloud Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 20 19:09:54 EDT 2017


http://www.cxotoday.com/story/cios-coming-to-terms-with-fear-of-cloud-security/

IT security is always listed as the number one barrier to adoption when it
comes to cloud computing. But despite those concerns, adoption of cloud
security services continues to grow at unprecedented rates. In fact, while
there have been some major breaches, virtually none of them have involved a
provider of a cloud service being used to deliver application services.

That doesn’t mean IT security professionals don’t have legitimate concerns.
But it can be argued that, in the absence of any compelling example, many of
those concerns remain theoretical. This week Crowd Research Partners
published a survey of 1,900 cyber security professionals who participate
in a Security Community hosted on LinkedIn. The survey goes a long way
towards detailing what the potential issues with cloud security really are.

Top concerns include protection against data loss (57%), threats to data
privacy (49%), and breaches of confidentiality (47%). Organizations are
also realizing that legacy security tools are not designed for the cloud
(78%) and that lack of visibility into cloud infrastructure is the single
biggest security management headache they have (37%).

Just over half also acknowledge that a lack of qualified security staff is
the second biggest barrier to cloud adoption. In fact, more than half of
organizations (53%) are looking to train and certify their current IT staff
to address the shortage, followed by partnering with a managed service
provider (MSP) (30%), leveraging software solutions (27%), and hiring
dedicated staff (26%). In most cases, the right solution will involve some
combination of all four approaches.

While these are legitimate concerns, all of them involve either something
that might happen one day or a shortcoming of the IT security staff. After 10
years of cloud computing, there have been no major breaches on cloud
platforms such as Amazon Web Services, Microsoft Azure, Google Cloud
Platform (GCP) or any number of software-as-a-service (SaaS) application
providers. There might very well be a major security breach one day. But by
and large, the providers of cloud security services have shown by the test
of time that their security is as good as or better than what most internal
IT organizations could do on their own.

Obviously, there’s still room for improvement when it comes to the tools
being provided to the IT security professionals who are ultimately held
accountable for IT security. But the truth is that many IT professionals
who view those cloud services as a threat to their continued employment
like to cite vague security concerns as a reason to not make use of cloud
services. The fact of the matter is that usage of cloud computing services
is here to stay. It’s the job of the IT security community to figure out how
to better secure application workloads running in those environments.

Barring some specific regulation that prevents an organization from
deploying workloads outside their own data centers, IT security
professionals are simply not in a position where they can tell an
organization they can’t use an external cloud service. Understandably, they
may not like it. But until there’s concrete evidence to the
contrary, IT security professionals need to think a lot more about enabling
organizations to securely do what makes the most economic sense for any
given application workload.

Over time, IT security professionals should expect to see roughly half of
those workloads running in a cloud service, while the other half of the
workloads continue to run on premises. The challenge and responsibility they
now have is to make sure all those workloads are as secure as possible
regardless of where they happen to be physically located.