Conflicted Feelings: Concerns About Cloud Security Growing, But So Is Trust
Organizations are racing to the cloud at an accelerating pace – with growing anxiety. Concerns about cloud security are the core finding of a new study from Intel Security that reveals a variety of conflicting cloud adoption perceptions. Even as most IT managers point to compliance as the biggest concern with cloud adoption (some admit they don’t know if sensitive data is stored with a public cloud provider), an even larger number said they have more trust in the cloud than a year ago.
One of the more eye-opening findings of the survey (“Blue Skies Ahead? The State of Cloud Adoption”): in the next 16 months, 80 percent of respondents’ IT budgets will be dedicated to cloud computing.
The survey found that private cloud is the dominant model in the enterprise, with 51 percent of cloud deployments. Hybrid cloud accounts for 19 percent, and public cloud makes up 30 percent. When the researchers examined the timeframe for cloud to absorb 80 percent of organizations’ IT budgets, it drops to 15 months for private cloud.
“Even if that outlook overestimates cloud spend it still shows a dramatic shift in mindset,” said Rolf Haas, enterprise technology specialist, Intel Security, in a blog post accompanying the survey, “and it's often the business, rather than the IT department, that is driving that shift. In today's digital world the pull of the cloud and its benefits of flexibility, speed, innovation, cost, and scalability are now too great to be dismissed by the usual fears.”
Not surprisingly, public clouds garner the least trust:
The survey, conducted by market research firm Vanson Bourne, interviewed 1,200 IT decision makers with influence over their organization’s cloud security in the United States (350 interviews), UK and Spain (150 interviews) and Australia, Brazil, Canada, France, Germany (100 interviews). Respondents were at organizations ranging from 251-500 employees to more than 5,000 employees.
Survey results include:
- Security and Compliance: A majority of respondents (72 percent) list compliance as the primary concern across all types of cloud deployments, and only 13 percent of respondents noted knowing whether their organizations stored sensitive data in the cloud.
- Cloud Investment: A majority of organizations plan to invest in infrastructure-as-a-service (IaaS) (81 percent), closely followed by security-as-a-service (79 percent), platform-as-a-service (PaaS) (69 percent), and software-as-a-service (SaaS) (60 percent).
- Security Risks – Perception and Reality: More than 20 percent said their main SaaS concern is having a data security incident, and correspondingly, data breaches were a top concern for IaaS and private clouds. But the survey found that less than a quarter (23 percent) of enterprises are aware of data breaches with their cloud service providers.
- C-Suite Blind Spot: High-profile data breaches make data security a top concern for C-level executives, but many respondents feel there is still a need for more education and increased understanding of risks associated with storing sensitive data in the cloud. Only one-third of respondents feel senior management fully understand the security implications of the cloud.
- Shadow IT, Risk and Opportunity: Despite IT departments’ efforts to prevent shadow IT activity, 52 percent of the lines of business still expect IT to secure their unauthorized department-sourced cloud services. This lack of visibility into cloud usage raises security concerns, confirmed by a majority of respondents in another survey conducted last year (Orchestrating Security in the Cloud).
At least one observer, from a cloud monitoring and management provider (Cloudyn), suggested that security concerns are no longer the paramount issue.
“I do not feel any more that customers perceive that the cloud lacks security,” Cloudyn Co-founder and Vice President Product Vittaly Tavor told EnterpriseTech. “In fact, over the past six months, I have not heard a single customer complaint that the public cloud is insufficiently secure.”
Echoing a broadening industry perception, Tavor said it has dawned “on the IT community that no private datacenter can afford the level of security specialists of the cloud providers (where security is of such importance). The IT community has started to understand that actually security in the cloud may be as high (if not higher) than that of the private datacenter, and that it’s up to them to establish adequate security policies of cloud deployment. Today cloud providers hold just about any security certification required by the most demanding businesses.”
But Tavor also said a public cloud security challenge remains: geographic compliance, the requirement that data be kept at a particular location. “Cloud providers made a giant leap in this direction, but still not all countries have public cloud datacenters, and some countries have the requirements for particular data to stay within the country borders.”
The overriding cloud adoption issue, Tavor said, is improved oversight. “The adoption of hybrid cloud will not be linear: there will be a very sharp rise when the integrated management tools and all type of compliance controls will reach a sufficient level of maturity.”
Another key cloud issue: latency.
"Data might travel at the speed of light, but it doesn’t feel that way to users when that data is moving across long distances and complicated networks,” said Ellen Rubin, CEO of ClearSky Data, an enterprise storage and data lifecycle management company based in Boston. “This gets to be a serious problem when companies use the public cloud to store data while also maintaining compute workloads in their data centers.
“Enterprises need to improve their network infrastructures, rebuild applications or establish more efficient traffic routes enabled by cloud exchanges or network hubs in major colocation sites. These options are certainly more achievable than digging hundreds of miles of direct routes, but they are still expensive in terms of capital and personnel power.”