IT (finally) has more faith in the cloud than in on-premises software. Now that security capabilities have caught up, however, lack of expertise has become one of companies’ primary obstacles to moving to the cloud.
A new survey from the Cloud Security Alliance and Skyhigh found that the majority of IT professionals (64.9 percent) trust the cloud as much as or more than on-premises software. Attitudes have come a long way, as IT now recognizes the investments from cloud service providers in best-in-class security capabilities. Barriers still remain on the path to the cloud. Even enterprise-ready cloud services can be used in risky ways, as Gartner points out in their prediction that 95% of cloud security incidents will actually be the customer’s fault.
The survey reveals that while technology and attitudes have advanced, a shortage of professionals with expertise in securing cloud systems currently hinders more widespread adoption. 30.7 percent of respondents selected the “lack of skilled security professionals to maximize full value of new technologies” as the biggest barrier to detecting and stopping data loss in the cloud. The second most popular answer, with 26.5 percent of the vote, was the “lack of internal strategy for operationalizing threat intelligence data.”
Evidently, IT professionals’ primary concern is not the actual security capabilities of cloud software: it is their organizations’ ability to effectively use the tools available. Well-architected cloud environments can provide equal or greater security than their on-premises counterparts, but realizing this potential requires a fundamentally different approach than security teams may be used to. Specifically, cloud security requires acknowledging the fact that corporate data will move outside of the network perimeter and to a variety of geographies, devices, and types of employees. In other words, managing risk in cloud services requires contextual security and is less black and white than the standard principles of network security.
Cloud technologies are uniquely positioned to support a flexible and user-friendly security framework, from identity providers, to cloud access security brokers, to cloud providers themselves. Combined, these technologies can provide a “cloud perimeter” with capabilities analogous to on-premises controls. Unfortunately, enterprise IT professionals may not be familiar with how to integrate and operate these tools. The issue will not go away overnight, either. Education takes time, but full-scale cloud adoption is happening now. The average company uses over 1,000 cloud services and uploads 14.7 TB of data to the cloud each month. Given that 15.8% of files in the cloud contain sensitive data, companies need to take action now to compensate for the lack of internal expertise.
Here are a few steps companies can take to improve their cloud security IQ:
- Leverage the wisdom of the crowd. Many cloud technologies provide insights on how other organizations are using the cloud, from data on cloud service attributes to employee behavioral patterns. With new services coming into existence every day, it’s especially helpful to outsource service intelligence to keep up with which applications have risky attributes or have been breached.
- Seek out opportunities to collaborate and exchange war stories. Organizations like the Cloud Security Alliance and security conferences provide the unique opportunity for security professionals to safely share insights on this rapidly evolving field. Many of the best practices for cloud security are changing every month or year, so frequenting industry events is the best way to keep up with the latest pragmatic advice from those on the front lines.
- Expect your vendors to play an expanded role as trusted partners. Security technology providers gather insights from customers across industries, so they have extensive experience with what works and what doesn’t. In such an emerging field, vendors not only sell products but can also provide a framework for how to implement a successful cloud security program.
- Finally, read up on the literature about the newest challenges and vulnerabilities for data in the cloud. The delay to educate professionals represents not only time spent studying, but also the time required to establish institutions with the necessary expertise. In the meantime, the top blogs on cloud security may actually be one of the top resources available for practical information on cloud security. For the socially inclined, networks like Twitter offer the opportunity to receive advice straight from the cloud security experts.
With the technology available, companies now need to move to address the cloud security skill gap. As traditional systems of education catch up, proactive IT professionals can still seek out knowledge to get ahead of the paradigm shift towards cloud security.