There’s a new cloud security survey out this week, and it shows what I’ve been arguing for some time: Security, while still named a top concern of cloud adoption, is not the No. 1 issue.
Most industry leaders agree that the security provided by top-tier cloud providers is equal, if not superior, to what many organizations can do in-house when it comes to keeping their systems and data secure. When you look behind the numbers — and you speak with dozens of CIOs and CISOs in charge of enterprise security — you see it’s more about having transparency and audit capabilities of cloud service providers. To keep stubbornly attaching “security” as the primary objection makes it too easy to gloss over this critical difference.
The new survey is the 2016 Cloud Security Spotlight Report, conducted by CloudPassage. It’s based on more than 2,200 information security professionals who are members of the Information Security Community on LinkedIn. This is the second year for the survey.
In this year’s report, 91% say that they are either very (44%) or moderately (47%) concerned about public cloud security. And, according to respondents, the top three headaches to adopting cloud infrastructure are: verifying security policies (51%), visibility (49%) and compliance (37%).
Fortunately the cloud tools that provide visibility and more granular controls into cloud systems are available and getting better every month. This wasn’t the case just a couple of years ago.
Other key findings include:
- The vast majority (84%) of information security professionals who responded to the report are dissatisfied with traditional security tools when applied to cloud infrastructure. They responded that traditional network security tools are somewhat ineffective (48%); are completely ineffective (11%); or can’t be measured for effectiveness (25%) in cloud environments.
- Faster time to deployment (47%) is the No. 1 driver of cloud-based security solutions. Also making the Top 10 list are: reduced effort around upgrades (2), automation (4), easy policy management (5), better performance (6) and protection focused on the workload/instance (8).
- Almost two-thirds (61%) stated that security slowed down (46%) or was ignored completely (15%) in continuous development methods like DevOps.
- 53% of organizations see unauthorized access through misuse of employee credentials and improper access controls as the single biggest threat to cloud security. This is followed by hijacking of accounts (44%) and insecure interfaces/APIs (39%). One in three organizations says external sharing of sensitive information is the biggest security threat.
- Organizations moving to the cloud have a variety of choices available to strengthen cloud security. 61% plan to train and certify existing IT staff; 45% partner with a managed security services provider, and 42% deploy additional security software to protect data and applications in the cloud.
- Encryption of data at rest (65%) and in motion on networks (57%) top the list of most effective security technologies to protect data in the cloud. This is followed by intrusion detection and prevention (48%) and access control technologies such as Cloud Access Security Brokers (45%).
In next year’s survey, I’d love to see a comparison between how organizations (by size) believe they can secure their systems compared to that of reputable cloud providers.