By Amit Chatterjee, EVP, Enterprise Solutions and Technology Group, CA Technologies
With cloud adoption rates increasing steadily across both official and shadow IT, there's no question we are in the middle of a revolution around how software and services are delivered. This is great news for enterprises seeking the traditional benefits of the cloud, such as faster deployment of applications, flexibility to react to fluctuating demands and lower cost. But has cloud security kept pace with adoption? Comparing recent and past cloud security studies gives us a conclusive "maybe."
Cloud Adoption is Real
There's plenty of proof of cloud adoption, whether IT sanctioned or not. The Cloud Security Alliance (CSA) study, "Cloud Adoption, Practices and Priorities Survey Report," shows that 74 percent of executives and IT managers say they are moving "full steam ahead" or "forward with caution" with cloud use, despite security of data being the top barrier to cloud adoption.
That's good news on the adoption front; however, that data becomes "clouded" a bit, especially from a security view, when you see that 72 percent of respondents in the CSA survey said they didn't know the number of cloud shadow IT apps within their organization, but would like to know. That's a 27 percent increase over the 45 percent of U.S. IT respondents who said they were "unaware" of all cloud services used in their organization when polled five years ago in a study CA Technologies did with the Ponemon Institute; it's a 22 percent increase from the follow-on study released by CA and Ponemon in 2013, "Security of Cloud Computing Users."
The Great Cloud Paradox
Despite the adoption, we still see lingering remnants of the great cloud paradox: while many IT leaders are eager to leverage the cloud, there are still those who are uneasy information. Five years ago in the CA/Ponemon study, just 41 percent of U.S. respondents believed that cloud services were evaluated for security prior to deployment. In the 2013 study, that number increased to 51 percent. The recent CSA study highlighted that decisions concerning the security of data in the cloud have shifted from the IT room to the boardroom, with 61 percent indicating that executives are now involved in such decisions. That's improvement for sure, but is 61 percent a passing grade? And who's accounting for the security of the shadow cloud services in operation?
Another twist on the paradox is that the economics of cloud computing dictate that its value increases with the number of users. And yet, it's been said that trust doesn't scale the way technology can. Without delving into the psychology of why we are so eager to use a technology we don't fully trust, it remains that security has never been one of those things we should "work out as we go along."
There is, of course, a lot of progress being made in securing the cloud. In fact, cases have been made that certain cloud services and apps are more secure than if delivered on premise. If we look at where companies securing the cloud are focused, we see that email and web security and identity and access management continue to be at the center. Encryption and cloud-based tokenization solutions are gaining momentum as well, although they are more complex.
Starting With the Basics
How can an organization deal with this paradox of cloud adoption and security and trust? Starting with a few of the basics makes good sense.
1. Demand high transparency of the provider's security and compliance model.
This is essential. Use a third party to audit security certifications and understand the full extent of your provider's security processes to determine if they are operating effectively.
2. Get legal.
Working effectively in the cloud environment will require expertise that is different from your regular vendor contracts. And make sure all your legal and regulatory requirements are outlined clearly at the outset.
3. Don't move to the cloud unless your processes can support it.
Make sure that your data classification and privacy requirements are clearly stated.
4. If you must meet specific metrics or standards, make sure that your provider can also meet them.
Pointing the finger of guilt at your provider won't help if you fail to satisfy your external auditors.
5. Implement compensating controls.
Don't go "all in" without backup controls in place and operating effectively. These can be gradually phased out as needed.
6. Build an environment of collaboration internally.
Establish guidance around cloud service adoption and collaborate with the business to meet its needs and requests.
The cloud is an important software and service delivery model driving the Application Economy. Following fundamental security best practices and sharing information should be the starting point for seizing one of the greatest market opportunities business has seen in a long time. Business is being rewritten by software, and securing the cloud is part of that paradigm.