Almost every organization in Canada uses a private or public cloud service in some way — everything from email to cloud storage to content management to platform or infrastructure as a service.
An Intel Security study released last week shows how fast cloud is growing: The vast majority of 1,200 IT decision makers in eight countries — including Canada — surveyed last summer believe 80 per cent of their organization’s IT budget will be dedicated to some sort of cloud computing services in 16 months’ time.
The 100 Canadian respondents suggest organizations here may be moving faster, with many thinking their organization will be spending 80 per cent of their IT budget on cloud services within 14 months.
Enterprise IT is at an “inflection point where cloud computing will become a dominant technology focus” says the report.
However, there’s no shortage of security-related issues respondents had with cloud services. Consider that
–27 per cent of respondents said they had difficulty migrating services or data;
–25 per cent complained of high costs and fees or poor value;
–25 per cent complained of lack of visibility into cloud provider operations;
–23 per cent said they suffered data losses or breaches;
–20 per cent suffered unauthorized access to data or services;
–19 per cent said they had difficulty obtaining security event log files;
–18 per cent had problems with co-ordinated incident response;
–13 per cent mentioned account takeovers
–13 per cent listed adversary transversal from cloud to internal systems.
Only 13 per cent said they had no issues from their cloud service providers.
Significantly, only 13 per cent of respondents said they completely trust public cloud providers to secure sensitive data (17 per cent of the Canadian respondents).
The study tries downplay these results, noting that while less than a quarter (23 per cent) of respondents said they actually experienced data loss or breaches with their cloud service providers, and only one in five had someone gain unauthorized access to data or services, only 9 per cent of respondents to a survey by the SANS Institute said they suffered cloud data breaches.
The most common incidents and issues that respondents had with cloud services weren’t security related, says Intel, but migrating services and data, high costs, and poor value or lack of visibility into the cloud provider’s operations.
“The survey suggests that investment and planning around mitigating high-profile breach risks needs to be balanced with some of the more common day-to-day threats for enterprise systems and data in the cloud,” says the report, such as migration problems, contractual issues, denial-of-service, malware, and hacking of accounts.
Among other findings, only 28 per cent of surveyed Canadian IT pros in Canada believe C-level executives and senior management understand security risks of the cloud (compared to 34 per cent globally).
According to the survey, private cloud is currently the most dominant cloud model in the enterprise, with 51 per cent of their cloud deployment comprised of private cloud. Public cloud makes up 30 per cent, and hybrid cloud accounts for 19 per cent of enterprise cloud deployments.
Organizations are using an average of 43 cloud services now, depending on their size.
A majority of organizations are planning on investing in all cloud service models, says the survey, but the highest percentage (81 per cent) will be for infrastructure as a service (IaaS), such as Amazon Web Services (AWS), Windows Azure, Google Compute Engine, Rackspace Open Cloud, and IBM SmartCloud Enterprise.
Second is security-as-a-service (79 per cent), platform as a service (PaaS, 69 per cent), often used for software development; and software as a service (SaaS offerings, 60 per cent) such as Salesforce and WordPress.
Among the report’s recommendations
■ Security controls and compliance are shared responsibilities between enterprises and cloud service providers. Ask your service provider about their security controls, and make sure reporting is included in your service level agreement (SLA). However, it is essential for the enterprise to secure what is under their control in the cloud—be it data, applications, or workloads—and to build this into their cloud architecture plans;
■ Key areas for cloud security investment include data encryption, identity and access management, data loss prevention, and email protection. One option is security-as-a-service and in other services that help orchestrate security across multiple providers and environments;
■ While shadow IT cloud deployments remain a challenge, as they can potentially expose company data to greater risk, IT organizations should be working with business units to find a more secure way to enable users to implement their own cloud deployments. IT can regain control and visibility by being the broker and redirecting business users to more secure cloud service alternatives.
■ While many boards are increasingly involved in cloud security decision-making, there is evidence of a worrisome gap in their awareness and understanding of those risks. More education is needed, as is more involvement of CIOs and CISOs in boardroom discussions with other C-suite executives. The financial fallout and reputational damage suffered by organizations in some recent high-profile data breaches should be an incentive for top executives to make data security—whether internal or in the cloud—a priority.