Cloud technologies are now becoming accepted and widely adopted. According to the Cloud Industry Forum, 80% of UK companies are adopting cloud technology as a key part of their overall IT and business strategy. However, one of the perceived barriers to cloud adoption continues to be concerns around security and compliance, which was the key topic of discussion at a recent techUK panel in which iland took part. During this discussion, we talked about the fact that nine out of ten security professionals worry about cloud security.
One of the key things we’ve found here at iland, and which was borne out in a survey on cloud security that we conducted earlier in the year with independent analyst firm Enterprise Management Associates (EMA), is that companies now consider cloud security to be superior to on-premise environments, but often expose themselves to risk by blindly relying on a glut of technology they are unable to actively manage.
Our survey found that nearly half (47 percent) of security personnel admitted to simply trusting their cloud providers to meet security agreements without further verification. This highlighted that transparency continues to be a key issue, as many providers do not offer detailed insights into the cloud environment. Or, if they do, this is certainly not up to the same levels customers are accustomed to in their own data centre operations. At the same time, we also found that teams tend to throw technology at the problem; however, tech alone will not solve it. Again, the survey showed that 48 percent more security technologies are deployed in the cloud than on-premise. Further, security features now top the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost. Therefore, our advice to companies is that it is really important firstly to verify your cloud provider’s claims and, secondly, to ensure that you can properly leverage the technology that you are deploying.
Interestingly, our survey showed that there appears to be much more alignment between IT and the business. Respondents indicated that IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and the business agreed by an almost 3 to 1 margin. To my mind, this represents a fundamental shift in organisational dynamics, where the business should no longer view security personnel as naysayers, but as allies who are committed to fighting threats alongside the business.
One of the key problems that accentuate security issues appears to be skills and staffing shortages. In fact, over two thirds (68 percent) of organisations surveyed by EMA admitted that they have staffing shortages and 34 percent have skills shortages, which directly correlate to flaws and opposing perceptions uncovered in our study. While IT has made monumental progress in identifying and adopting necessary security technologies, cloud providers must do more to ensure teams can easily validate claims, manage disparate tools, anticipate threats and take action when needed.
Further, we can see there is a lack of understanding of compliance among IT personnel. While 96 percent of security professionals acknowledge that their organisations have compliance-related workloads in the cloud, only 69 percent of IT teams identified the same. This gap could lead to exposures for the organisation if IT were to place a compliance-related workload into a non-compliant cloud provider.
And, finally, clearly defined responsibilities are needed both with your cloud service provider and within your own company, as clearly in the end, where security is concerned, the buck stops with you. There is no point claiming that you thought someone else had it covered. This is where DevSecOps comes in as the next evolution of DevOps whereby you make security the responsibility of every member of the team, at every step of the way, right from dev through to ops.
Right now and for the foreseeable future, cloud adoption shows no sign of abating. Therefore, it is critical that we get security and compliance right. Otherwise it will continue to be a blocker for organisations and could hinder innovation and competitive advantage.