Analysis: Businesses are risking huge fines if they don’t get cloud security right.
It’s safe to say that moving to the cloud is now a well-trodden path that many businesses have taken. The benefits of agility, speed and often reduced costs are well reported, and so are the barriers to adoption.
Despite its benefits, cloud remains burdened by the need to prove its security credentials at every corner. When the latest updates are released by vendors there is almost always a paragraph or two saved to talk about how security is being tackled.
Security remains the number one problem for cloud and it isn’t going away.
A recent report from Intel Security outlined the issues surrounding public and private cloud. The global report found that only 15% of UK respondents believe senior management in their organisation totally understands the risks of storing data in the public cloud, a statistic that ranks the UK as having the lowest awareness levels of any of the countries involved in the report.
This is just one of the issues related to cloud security, and while 77% now have more trust in the cloud than they did a year ago, many (72%) still have concerns about compliance and only 13% completely trust public cloud to secure sensitive data.
Even though more than one in five has concerns around using SaaS when it comes to data security, it hasn’t stopped investment. The report found that 60% are planning to invest in the area, suggesting that the benefits far outweigh the concerns.
Despite this finding, there are blind spots: for example, only 23% of enterprises are unaware of data breaches with their cloud service provider, while a lack of visibility into cloud usage due to shadow IT is a concern for 58% of IT departments surveyed in Intel’s Orchestrating Security in the Cloud report.
Jim Reavis, CEO of the Cloud Security Alliance, said: "Security vendors and cloud providers must arm customers with education and tools, and cultivate strong relationships built on trust, in order to continue the adoption of cloud computing platforms. Only then can we completely benefit from the advantages of the cloud."
Generally speaking, cloud vendors are tackling this problem head on: as much as they innovate with new services to enable businesses to do more, they are also placing a heavy emphasis on security and meeting regulations.
Take Box, for example: the company recently revealed Box Zones, which are designed to help businesses centralise their content and address local data storage requirements.
Basically, the company is helping businesses to meet the requirements of data storage regulations by leveraging Amazon Web Services and IBM Cloud data centres.
The issue of data location is particularly common in Europe where a patchwork of regulations has been difficult to overcome.
These problems are part of an ever-evolving landscape that will include Privacy Shield, should it ever be fully agreed upon, and the EU General Data Protection Regulation when it comes into force in 2018.
Regulations like these won’t stop the concerns related to cloud security; if anything, they may add to the complexity. The GDPR document is 204 pages and it covers any organisation that collects, stores, and processes data on individuals of the EU.
Major aspects of the regulation include fines of up to 4% of global turnover or 20 million Euros, whichever is higher, and the local supervisory authority must be informed within 72 hours of any data loss, with users informed as soon as possible.
The reason for mentioning this is that many organisations simply don’t know where their data is, and cloud has been part of that problem. Poorly executed data management policies have resulted in data being replicated and moved to numerous different locations.
Intel Security’s research mentioned earlier highlighted that shadow IT is a major concern, which raises the question: if IT doesn’t even know what is running on its premises, how can it control the data and its security?
Nigel Hawthorn, director, EMEA marketing, Skyhigh Networks, told CBR: "One of the biggest problems with this and any other privacy law is where all your data is today. If you’re a big organisation you have databases all over the place that are not linked that have information on your customers in multiple places."
With GDPR just around the corner and data security and location a big issue due to cloud and shadow IT, this is likely to be something that hinders adoption until the problem can be solved.
Cloud providers such as Amazon Web Services are going after big US banks as potential customers as they look to expand into a sector that has been comparatively slow to adopt cloud technology.
The problem is the extremely high demands for meeting security and regulation requirements, which is one of the reasons why banks in the past have chosen to build their own infrastructure.
Although AWS has been making inroads into this area, it is clear that security remains a big concern.
The on-premise cloud deployment or private cloud model is one solution that may help to increase adoption. A technology such as OpenStack has, for example, been looked at increasingly by businesses in highly regulated sectors as a path to cloud. In the past year OpenStack has been deployed by the likes of HMRC and the European Commission.
The deal with HMRC, for example, will see DataCentred provide an OpenStack public cloud that will support the multi-channel digital tax platform.
The need to meet regulatory demands has to be seen as a driving force behind these kinds of deployments.
As security remains a concern for all industries, the necessity for vendors to continuously improve their cloud security image will be vitally important.
The strategies of both vendors and businesses will, for a long time, remain heavily impacted by the need to meet security and regulatory requirements.