Security continues to rain on cloud's parade
PRESENTED BY GEMALTO: Data security and privacy concerns remains major barriers to adoption even as cloud computing goes mainstream
For all its plaudits, cloud computing has failed to shake off the tag of being a risk when it comes to security and privacy.
Analyst Synergy Research recently declared 2015 the year cloud "went mainstream", while IDC claims cloud accounted for over a third of the global IT infrastructure market for the first time last year.
But -rightly or wrongly - the cloud still has an image problem, with figures from the Cloud Industry Forum (CIF) suggesting privacy and security worries remain as big a barrier to adoption as they were five years ago.
According to CIF, over the course of the last five years, data security and data privacy have remained constant as the two primary concerns cited by end users when migrating to cloud. What's more, while CIF said one might expect these to lessen as the industry matures, they have actually heightened.
The number of UK organisations who see data security as an inhibitor to cloud adoption rose from 61 to 70 per cent between 2014 and 2015. Data privacy was found to be the second biggest inhibitor. It was cited by 61 per cent of respondents, compared with 54 per cent in 2014.
And these figures have remained roughly constant for half a decade, since CIF began conducting the survey in 2011, said CIF board member Ian Moyse.
"Over five years you would think we as an industry would all have got better at this, but the figures have remained pretty static," he said. "Data security and privacy remains a major concern in adopting cloud technology."
He added: "The threat here is the noise they see in the press and the industry. Look at the last 12 months, with Ashley Madison and TalkTalk and Marks & Spencer. Cloud gets tainted along with it and customers are thinking ‘if I'm making the decision to go to the cloud, am I putting myself at risk?'"
2015 saw cloud "go mainstream", according to analyst Synergy Research, which said that global cloud revenue grew 28 per cent to $110bn in the 12 months ending 30 September 2015.
And adoption is certainly growing in the UK, with 84 per cent of UK organisations using cloud as of last year, according to CIF, up from 78 per cent the previous year, 69 per cent in 2013, 61 per cent in 2012 and 53 per cent in 2011. Some 78 per cent use more than one cloud service, with web hosting, collaboration, e-commerce platforms, advertising, online marketing services and email found to be among the technologies with the highest cloud penetration.
But CIF said that security will remain the top cloud inhibitor for the foreseeable future, adding that the role of the industry must be to educate users on their responsibilities for data protection and to enforce policy management as necessary.
Another problem businesses face in the cloud is a lack of awareness of what data they need to protect, where it resides and what the risks are. Data is now stored and accessed in multiple places and from multiple devices, which means businesses need to bring security controls closer to the data. This means using access control to protect identities and ensure only authorised users and services have access to the sensitive data, as well as encryption and centralised key management for data both at rest and in transit. using both authentication and encryption, for data both at rest and in transit.
Success in the cloud requires a focus on security, including addressing baseline security controls, such as identity and access management, anti-virus, and encryption. A secure and centralised key management solution is also vital for demonstrating adherence to many different compliance mandates in cloud environments.
Ameneh Zaher, pre-sales manager NW EMEA at security vendor Gemalto, agreed that security and privacy concerns are often still a barrier for customers looking to migrate to the cloud. A common pain point is the customer's desire to retain full control of their encryption keys, particularly if they need to do so for compliance purposes, she said.
"They want to have full control of the assets they are placing into the cloud from a single place," Zaher said.
"Quite often, customers feel they have to decide whether they want to move to the cloud or to stay secure. Decoupling the keys from the encrypted data is quite important. We can enable them to go to the cloud and stay secure and compliant and have full control of their keys and hence their entire assets; in our hardware security modules and key management platform."
A recent study commissioned by Gemalto and conducted by Ponemon Institute found that just 38 per cent of organisations have clearly defined roles and accountability for safeguarding confidential or sensitive data in the cloud.
Moyse agreed that it is not cloud per se that is scaring customers, but the fear of losing data, which he said makes encryption a hot topic.
"If someone broke into my office but all the data was secure and locked away, there's minimal impact," he said. "With the cloud world, it's the same thing. If in the worst-case scenario someone gets access to something, if they can't see anything that is private to the customer, it doesn't matter."
Mark Evans, UK country manager at security VAR Integrity 360, said he viewed cloud security as an opportunity rather than a threat for channel partners that have traditionally focused on locking down on-premise environments.
"It's an area we are looking heavily into," he said. "We are seeing a lot of live systems going into hosted environments such as AWS and Azure. That could be a threat but also an opportunity for us and we are looking at our cloud strategy and how we assist customers looking to move into the cloud - there are a lot of questions about where the data goes and how well it is being managed."