Cloud Security: Plenty of Worry to Go Around

Along with the security trends from 2012 you’d expect to see (mobility of data, access from anywhere, malware attacks on new platforms, Web as the leading malware distribution medium), Gerhard Eschelbeck, the CTO of Sophos, points to cloud security as a key IT concern.

In its Security Threat Report 2013, Sophos acknowledges how attacks followed the hundreds of millions of users participating in social networks -- moving beyond Facebook to attack mature platforms such as Twitter and up-and-comers such as Pinterest (where an account takeover in September drew special notice). The report is available free for download here; no registration is required.

What struck me, however, was mention of risks posed by cloud services. As services such as Dropbox gain ground, “companies have also begun investing more heavily in private clouds build with virtualization technology. This move raises more questions about what cloud users can and should do to keep the organization secure and compliant.” The article includes a set of 3 suggestions for protecting your data in the cloud.

Concern about cloud security isn’t new, but I found most interesting a report sponsored by Symplified written by Forrester Research and released in mid-November. The study was conducted in July, and although six months may seem like an eternity in IT time, the information is just as relevant today as it was “back then.”

Access Management for the Extended Enterprise: A Timely Challenge” discusses at some length IT’s use of (and concern about) security in the cloud. IT would prefer security be someone else’s responsibility. For example, 23 percent of 703 U.S. enterprise IT security managers said they would prefer security to be embedded into the cloud vendor’s solution, and 20 percent would prefer solutions from a third-party security vendor as an on-premises solution.

Like the Sophos study, Forrester says the “BYOD phenomenon” is problematic when IT opens access “to people who are using unmanaged networks and devices.”

It was also interesting to note that IT doesn’t like to put sensitive data in the cloud, but they’re doing it anyway. “Business functions involving high-risk data of all types -- such as intellectual property, financial data, and even regulated healthcare data -- are participating at relatively high levels in the SaaS app marketplace.” Enterprises either using or planning to expand their use of cloud for such data ranges between 29 and 34 percent (depending on type of data and industry).

A recent report from Symantec, 2012 State of Information Report: Digital Information Index, found that “combined with smartphones, tables, and laptops, 46 percent of business information is being stored outside the firewall.” For U.S. enterprises, the figure is just 32 percent, for India it is 83 percent, for China, Indonesia, and Singapore, the figure is 60 percent. The report is most useful for its breakdown of cloud use by 31 countries or geographic regions; it examines smartphone and tablet storage, smartphone and tablet access to corporate data, and percent of businesses using the cloud to store information (combining public, private, and hybrid deployments). The report is available here at no cost; no registration is required.

I see trouble ahead from some of the Forrester findings. For example, 38 percent expressed “a little concern” that “my existing IAM structure is incompatible with the cloud IAM solution,” and nearly a third (32 percent) were similarly a bit concerned that “my attestation and access request processes won’t fit with the cloud IAM solution.”

Forrester concludes: “The data collected shows that IT managers are living with a gap between cloud usage and corresponding cloud security.”

-- James E. Powell
Editorial Director, ESJ

Posted on 12/04/2012