Security Professionals Identify IT Risks Associated with Cloud Computing

It’s highly likely that cloud security will be one of the hot topics at this year’s RSA Security Conference coming up in February. Yes, there will surely be a lot of rhetoric and hype, but this is a very important topic for our industry to discuss as cloud computing continues to gain momentum with enterprise organizations.

While information security is still the primary concern around cloud computing, enterprise organizations aren’t holding back on deployment, albeit with non-sensitive workloads for the most part.

So what are the IT risks associated with using cloud-based infrastructure? ESG recently surveyed 211 security professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked them to identify the biggest risks associated with cloud infrastructure services. Here’s what they said:

• 33% of security professionals say that the biggest risk associated with cloud infrastructure services is a, “lack of control with security operations directly related to cloud-based IT resources used for internal purposes.” In other words, there is still an IT operations gap between cloud-based infrastructure and internal activities.

• 31% of security professionals say that the biggest risk associated with cloud infrastructure services is, “privacy concerns associated with sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.” The name Edward Snowden comes to mind – no surprise here.

• 29% of security professionals say that the biggest risk associated with cloud infrastructure services is a, “lack of security visibility into cloud services infrastructure.” As the old saying goes, “you can’t manage (or in this case secure) what you can’t measure.”

• 28% of security professionals say that the biggest risk associated with cloud infrastructure services is a, “security breach that compromises the cloud infrastructure service provider’s infrastructure.” If Coca-Cola, the New York Times, and Target can be breached, why not Amazon?
• 27% of security professionals say that the biggest risk associated with cloud infrastructure services is, “poor security practices by a cloud service provider.” Cloud providers are not immune to the global security skills shortage.

• 26% of security professionals say that the biggest risk associated with cloud infrastructure services is the, “risk of a network breach between internal networks and cloud service providers.” Network security risks are always top of mind with enterprise security folks.

Here are my take-aways from this list:

1. Security professionals see risks in all areas: people, processes, and technologies. This means that cloud infrastructure providers have some work ahead to educate the market as to how they plan to mitigate these risks.

2. Visibility and control are critical. This means that internal security tools must be extensible to the cloud and some vendors like McAfee and Trend Micro are providing this bridge. Alternatively, new vendors like CloudPassage, HyTrust, Octa, and Ping Identity have an opportunity to link the internal and cloud worlds.

3. Security professionals remain suspicious about cloud provider skills. Enterprises are having difficulty recruiting security professionals and the most security organizations in the world are experiencing embarrassing security breaches. Consequently, security professionals believe that cloud providers must be experiencing the same problems. Since this is a fair conclusion, cloud providers need to fess up to these issues and tell users how they plan to address them.

The Cloud Security Alliance (CSA) understands these risks and is working with the industry to acknowledge and address them. Good thing as the cloud train isn’t slowing down. Stay tuned to my blog, ESG cloud computing guru Wayne Pauley and I will monitor and report on cloud security developments as things progress.