The days of paranoia over the security of enterprise cloud deployments may be over, but are cloud customers now becoming too complacent? Nearly half (47%) of security personnel ‘simply trust’ their cloud providers will meet security agreements without further verification, according to a new study.
Conducted by cloud hosting provider iland, the study found that companies now consider cloud security to be superior to on-premises environments, but often expose themselves to risk by blindly relying on a glut of technology they are unable to actively manage.
Business and IT finally agree on the priority of cloud security. While business teams have often used cloud to bypass IT, the two teams are now more aligned on security priorities than ever before.
For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and business agrees in a nearly 3 to 1 margin.
This represents a fundamental shift in organisational dynamics, where business should no longer view security personnel as naysayers, but allies who are committed to fighting threats.
As IT recognises cloud as an imperative, teams focus on fortifying environments with significantly more tools than are used on-premises. In fact, 48% more security technologies are deployed in the cloud than on-premises.
Further, 'security features' now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.
But despite this, 47% of security personnel reported they 'simply trust' their cloud providers are delivering on security agreements, rather than verify it independently or through a third party.
And there's a significant gap in IT’s understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge that their organisations have compliance related workloads in the cloud, only 69% of IT teams identified the same.
This gap could lead to exposures for the organisation if IT were to place a compliance-related workload into a non-compliant cloud provider.
'As is often the case in technology, the crux of the problem when it comes to cloud security has shifted from the technology of securing the cloud to the operations and management – the people side – of securing the cloud,' said Justin Giardina, CTO at iland.
Analyst firm Gartner echoed this sentiment when Gartner vice president David Mitchell Smith said although the use of cloud is inevitable and can no longer be avoided, 'failure to put the people and processes in place to consistently leverage the security advantages of cloud computing can easily create workloads that are less secure than those created by traditional computing practices.'
His firm makes several recommendations for organisations to follow, including developing and following an enterprise strategy that includes guidance on security and regulatory compliance; documenting and enforcing policies regarding who owns cloud applications and the risk that they are willing to accept; following a life cycle governance approach to the use of all cloud services and the processes performed within them; and developing in-house expertise on the security and control of each of the cloud models that you plan to use.