The explosion of high-profile ransomware attacks has been dominating the news in the IT sector of late, but most of the time – and for years, not weeks or months – the subject of cloud computing has been front and center. Everywhere you turn in the IT world, people are buzzing about the cloud this and the cloud that.
And no wonder. According to Gartner, by next year up to 60 percent of organizations will rely on a cloud-managed service offering – double the number as recently as 2018. And the growth is showing zero signs of slowing. According to ResearchandMarkets.com, the global cloud computing market is predicted to grow from $371 billion last year to $832 billion by 2025. That’s a sizzling compound annual growth rate of 17.5 percent.
This isn’t really surprising. Time and again, we hear that cloud computing offers enterprises more reliability, scalability and flexibility, removing the hassle of maintaining and updating systems and thus giving companies more time to focus on core business strategies.
It’s also commonly said that security in the cloud is better. On this point, however, a rethink is in order because this premise is at best questionable. Consider, for instance, a survey by Clutch, a Washington-based enterprise computing research firm, which found that nearly two-thirds of IT pros say that the cloud is more secure than legacy systems.
This makes the other third skeptics, and there are hints that even cloud security boosters are cautious about how bullish they really are. Specifically, 28 percent of survey respondents feel cloud computing is “somewhat more secure” as opposed to “much more secure.”
More telling, perhaps, is that the majority of the 300 Clutch survey respondents don’t entirely trust their chosen vendor. Three quarters of them said they add in their own security on top of the vendor’s solution.
Fact is, security in the cloud needs improvement. The problem is that cloud service providers treat cloud security as a shared responsibility with their customers. And while cloud purveyors typically hold up their end of the bargain, many customers do not. Human error among cloud customers is rampant. Gartner has said that at least 95 percent of cloud security failures will be the fault of customers starting next year.
“Migrating IT infrastructure to the cloud means enterprises must evolve their approach to cybersecurity,” says Tim Eades, CEO of vArmour, a Silicon Valley-based cloud security company. “They must adopt a zero trust mindset. This assumes the likelihood of multiple points of failure and helps confront it.”
Cloud customers clearly need help, and the onus is on cloud purveyors to provide it. Says a Gartner report: “CIOs (and other IT pros) must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”
Misconfigured cloud settings have caused multiple incidents of data exposure at Amazon Web Services, the biggest cloud purveyor. In addition, a misconfiguration error in Microsoft’s Azure cloud last year exposed 250 million technical support accounts.
What can be done to fix such problems?
One answer is the adoption of more cryptography. Some public cloud purveyors offer some encryption as an option, sometimes by default, and hopefully others will decide to do the same thing. Also likely to be helpful is new, cutting-edge encryption technology.
I’ll discuss the latter momentarily. First, however, let’s address the miscommunications issue. While Amazon, Microsoft and other cloud companies handle security for their data centers, it is customers who must actually implement the required defenses. There is insufficient sharing of responsibility. If cloud customers don’t protect their own networks and applications – too often the case – cloud security is undermined.
Exacerbating the problem is the fact that enterprises are increasingly adopting multi-cloud environments and too often lack awareness of all the cloud services at their disposal, according to a study by McAfee. In short, they’re setting themselves up for accidents waiting to happen.
This is a management issue, and should be fixable. The adoption of more cryptography, meanwhile, is a technology issue, and one that can’t be addressed as quickly. Inroads, however, are being made.
One young company, born out of research done at MIT, is developing end-to-end encryption that could redefine cloud-based cybersecurity in a way that doesn’t interfere with workflows while still enabling popular cloud-based machine learning applications. Another startup has developed a secure web gateway in the cloud as a software-as-a-service. Cybersecurity protection is decentralized, enabling data to flow back and forth from a public cloud rather than redirecting it to clients’ own physical data centers, where problems can crop up.
Yet another form of encryption making progress is homomorphic encryption (HE), which makes it possible to analyze or manipulate encrypted data without revealing the data to anyone, offering huge potential in areas with sensitive personal data, such as financial services or healthcare. The adoption of this technology is attracting more attention and generating progress at huge technology companies.
For now, here are some security tips for companies moving to public and even multi-cloud environments:
- Make sure none of the components of security fall through the cracks. Overseeing the performance of the respective responsibilities of both cloud purveyors and their customers is essential.
- Ensure that only authorized users can access data. This is critical to prevent tampering by anyone inside or outside the organization.
- Insist that your cloud service provider conducts thorough background checks on employees. This is especially important if they have physical access to data center servers.
- Lastly, bear in mind that you’re tied tightly to any particular cloud provider, for better or worse. Switching is difficult. Do everything possible to choose the right one in the first place.
It’s important to recognize that many, if not most, of the security issues in cloud computing are a byproduct of the unchecked growth of the cloud. Providers, not customers, are liable for any breaches. If necessary, they should slow their growth for a while to prioritize the repair of festering problems. If security gets further out of control, there is no question that cloud growth will slow anyway.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.