Despite the numerous benefits of cloud computing, only 33% of companies have a “full steam ahead” attitude toward adopting the cloud. That’s according to a survey of over 200 IT and IT security leaders by the Cloud Security Alliance (CSA), which identified 6 issues holding back cloud projects. Chief among them, companies are worried about how secure their data is once it leaves the company’s firewall. These days, there are news headlines about data breaches and software vulnerabilities every day.
These regular headlines, especially mega breaches like those at Target and Sony that led to executives at both companies resigning, have made the security of data in the cloud an executive-level and board-level concern at 61% of companies. Against a backdrop of increasingly sophisticated attacks aimed at stealing corporate data, many IT leaders feel uncomfortable with a perceived loss of control over corporate data. The Cloud Security Alliance survey identified 6 primary issues holding back cloud adoption, summarized below, starting with the most common issues:
1. Security of data – It’s no surprise that data security tops the list of concerns that hold companies back from cloud adoption. 73% of survey respondents indicated this is a big red flag for them. Cloud service providers are targets data breaches (e.g. email service SendGrid and online note-taking service Evernote), which makes it critical for companies to use risk mitigation strategies and tactics, such as encrypting or tokenizing data before it ever goes to a cloud service.
2. Non-compliance with regulatory mandates – PCI DSS, HIPAA/HITECH, GLBA, FISMA, FERPA, EU data protection, et. al. Whatever the regulatory acronym, you will find that 38% of companies are concerned with how they can assure compliance with regulations if their data is in the cloud. A security breach that leads to non-compliance with a regulatory mandate can result in expensive fines, loss of business, lawsuits, and potentially even criminal penalties (as in the case of ITAR non-compliance).
3. Loss of control over IT services – 38% of the CSA survey respondents say their fear over loss of control keeps them from moving data into cloud-based applications. This loss of control cam be manifested in numerous ways. The cloud service provider may choose how and where data is stored; how often it is backed up; which encryption scheme is used, if one is used at all; which of its employees have physical or virtual access to the data; and more. But even if the cloud service provider invokes feelings of total trust, the fact remains that the data owner is still liable for any data breach that might occur, and this leaves more than a third of all companies hesitant to use cloud services
4. Expertise of IT and business managers – 34% of companies aren’t jumping on the cloud bandwagon because they believe the knowledge and experience of their IT and business managers is not aligned with the skillsets that cloud computing demands. For example, in addition to the technical knowledge a manager is expected to have, the person also needs financial literacy for a new computing model where services are rented, not owned, plus negotiation skills to drive a cloud provider’s SLA to the company’s benefit.
5. Compromised accounts or insider threats – 30% of the CSA survey respondents are concerned about what would happen if their accounts held by a SaaS provider were to be compromised in some way, or if an insider with that provider did a little “extra-curricular activity” and poked around in private accounts. Their concerns are not misplaced. Skyhigh’s own analysis has found that 92% of companies have employees with compromised credentials for sales on the darknet. And the incidence of insider threats is much higher than otherwise known by the IT department.
6. Business continuity and disaster recovery – What happens to a company if it loses all access to its IT infrastructure because its cloud provider has suddenly gone out of business? It’s a rare scenario, thank goodness, but it happens, and this makes 28% of the CSA survey respondents too nervous to embace cloud computing. A company doesn’t abdicate its obligation to do proper business continuity and disaster recovery planning just because it no longer operates the physical aspects of its IT infrastructure, but recovering data from a defunct cloud service – and finding an alternative home for that data – can be a huge challenge.
Cloud computing certainly has its benefits, but as the CSA survey points out, many businesses face issues that need to be resolved before they trust their data to cloud apps.