Survey: Security Threats Aren't Inhibiting Most Cloud Use
Many organizations in a recent poll said that many cloud services have been deployed without having the proper security protocol in place.
As more organizations use public cloud infrastructure for functions ranging from setting up a server farm for development and testing, to running e-mail or, in a growing number of cases, a database-driven app in production, security is still the largest inhibitor to a greater number of cloud deployments.
Yet whether IT embraces cloud computing, it appears it's here to stay. A survey by Symantec Corp. found 90 percent of organizations are at least considering cloud deployments, up from 75 percent a year earlier, according to a company report released in January. The survey found 77 percent of organizations were aware of rogue cloud deployments and, of those, 40 percent learned of confidential information leaking and 25 percent saw cloud accounts taken over.
Perhaps the biggest risk to effective cloud security is the Bring Your Own Device (BYOD) trend, which is pushing IT to support user-owned PCs, tablets and smartphones. A survey conducted by AccelOps Inc. during the RSA Conference in San Francisco found BYOD is the most significant roadblock to ensuring effective security when using cloud services.
Of 176 IT security professionals surveyed, 78 cited BYOD as the most significant cloud security problem, with data control coming in second and potential data loss a distant third. Many users can easily access cloud services such as Dropbox, SkyDrive, Google Drive and iCloud, all of which are accessible from Windows-, iOS-, and Android-based phones, tablets and PCs.
Those services have user-controlled security -- it's not in the purview of IT (unless they're using SkyDrive Pro, which comes with Microsoft's recently released Office 365 and SharePoint Online offerings).
Yet, ironically, the same survey found that only 18 percent of respondents were dissatisfied with the security and access control service-level agreements (SLAs), though a large percentage (41 percent) had no opinion. A slight majority, 51 percent, were satisfied -- and 11 percent of those respondents were extremely comfortable with it.
Flint Brenton, AccelOps president and CEO, admits to being somewhat surprised that the survey showed less fear of cloud services among security professionals. He believes that mindset will change as more organizations use public cloud services.
"I think as the adoption rate of cloud services goes up, people will come to learn what they don't know. As the market evolves the bar will keep rising," Brenton says. "What makes them satisfied today may not be adequate six months from now."
Only 35 percent said they weren't using any cloud infrastructure, while 29 percent use hybrid clouds, 17 percent use public cloud services and 19 percent use private clouds.
A vast majority of those using cloud services, 78 percent, manage security themselves, while 13 percent have a managed services provider handle it. The remaining 9 percent use an ISP or consultant. Only 29 percent rated the existing Security Information and Event Management (SIEM) systems they use as excellent or good, with 32 percent finding them acceptable, 21 percent saying they're fair and 18 percent giving them the thumbs-down.
Just as enterprises are weathering distributed denial of service (DDoS) attacks and a variety of breaches, cloud providers are not immune. A survey by Alert Logic Inc., a provider that captures security events through an intrusion detection system, tracked 1 billion security incidents and 45,000 "confirmed" security events between April 1 and Sept. 30 of last year among its customers, which include primarily hosting and cloud providers but also large enterprises.
Among cloud providers, 52 percent were victims of Web application attacks, 30 percent were victims of brute-force attacks and 27 percent were victims of vulnerability scans. Among enterprises, 49 percent of incidents sustained malware and botnet attacks, with the same number as victims of brute-force incidents and 39 percent victims of Web application strikes.
More on this topic:
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.