The Cloud Computing Security Challenge

Cloud computing's virtual, mobile, and on-demand nature is antithetical to existing security processes, skills, and technologies.

A few years ago, cloud computing faced an infosec hurdle. Many CIOs appreciated the benefits of cloud computing, but their concerns about cloud security outweighed all of its potential benefits. General cloud security trepidation thus precluded broader use of cloud computing. 

Fast forward to 2015 and the situation has changed. Yes, CIOs and security folks remain worried about cloud security, but business and IT benefits are so appealing that they tend to trump confidentiality, integrity, and security apprehensions. ESG research indicates that a growing number of organizations are jumping on the cloud computing bandwagon (note: I am an ESG employee):

  • 68% of mid-market (i.e. 500-999 employees) and enterprise (i.e. more than 1,000 employees) organizations use SaaS today.
  • 41% of mid-market (i.e. 500-999 employees) and enterprise (i.e. more than 1,000 employees) organizations use IaaS today.
  • 35% of mid-market (i.e. 500-999 employees) and enterprise (i.e. more than 1,000 employees) organizations use PaaS today.

So the cloud train has clearly left the station and it's only gaining momentum and speed. 

Now, remember those cloud security concerns I mentioned earlier? Well these concerns have morphed a bit. A few years ago, CISOs were concerned about the conceptual security of the cloud. Now they are anxious about the practical realities around how they can extend their existing cybersecurity skills, processes, and controls to enforce security policies and monitor activities in the cloud.

These issues are illustrated in some recent ESG research. In this project, 150 enterprise infosec professionals were asked to identify challenges associated with enforcing security policies in public and private clouds. The results are as follows:

  • 32% of cybersecurity professionals say that their organizations use several different public/private cloud offerings and it is difficult to coordinate security operations consistently across all areas.
  • 31% of cybersecurity professionals say that cloud computing exacerbates communications and collaboration problems between the cybersecurity operations team and other IT groups.
  • 24% of cybersecurity professionals claim that the security controls applied to physical assets don't align well with cloud infrastructure.
  • 22% of cybersecurity professionals state that it is difficult to troubleshoot problems related to security controls in cloud-based infrastructure.
  • 21% of cybersecurity professionals admit that their organizations struggle with the migration of workloads and associated security controls from physical to cloud-based infrastructure.

So the research points to people, process, and technology problems with cloud computing. 

The cybersecurity industry recognizes these issues and there is certainly a lot of innovation around physical/virtual/cloud-based network security operations (FireMon, RedSeal, Tufin), cloud security visibility (Evident io, Netskope, ThreatStack), and security control (CloudPassage, Illumio, vArmour). Traditional security vendors like IBM, Intel Security, RSA, Symantec, and Trend Micro have also introduced tools in this area.

What's the winning formula? I'm about to launch some research to find out more on this soon.

Copyright © 2015 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.