Whether there’s a lack of data security in cloud environments or not is a topic of heated debate. To help clear the air, Dave Shackleford, a well-respected security consultant (Voodoo Security) and SANS Institute instructor, conducts an annual survey interviewing security analysts from a wide range of industries, including technology, cybersecurity, banking and finance, and government.
Shackleford’s interest is well-founded based on the rapid growth of cloud-based services. “Gartner estimates 2017 will see growth of 18 percent in spending of public cloud services and that cloud adoption will influence more than 50 percent of IT spending through 2020,” writes Shackleford in the paper Cloud Security: Defense in Detail if Not in Depth. In addition, Deloitte Global predicts IT as a Service will capture more than half of all IT spending by 2022.
What’s being uploaded to the cloud?
From a security standpoint, it’s all about the data: what’s being moved to the cloud? In the diagram in Figure A, Shackleford itemizes the types of data being uploaded to the cloud and whether the percentage has increased or decreased from last year.
The big change is in customer information (highlighted). “The percentage who said their organizations store customer Personally-Identifiable Information (PII) in the cloud rose from 35 percent in 2016 to 40 percent this year,” notes Shackleford.
What are the top concerns about cloud security?
With an ever-increasing amount of sensitive data being stored in the cloud, Shackleford asked the survey participants if they had any security concerns. The top two were:
- Unauthorized access to data by outsiders: 62%
- Users able to circumvent security controls using unmanaged digital devices: 60%
Shackleford adds, “Other concerns revolve around the potential for disaster created by the inability to investigate when you’ve been breached, poor data hygiene, and dishonest staff at cloud-service providers.”
Besides concerns, survey participants were asked whether or not any of their worries came to fruition. The diagram in Figure B compares participants’ concerns with actual incidents.
Interpreting the diagram above, one could conclude those queried by Shackleford might be overly anxious. “In 2016, 45 percent of respondents indicated that they experienced some downtime in the cloud, with this number hitting only 18 percent in 2017,” writes Shackleford. “In 2016, many also stated that they experienced a lack of visibility in the cloud (38 percent), and this number is way down in 2017 (10 percent).”
Shackleford suggests those surveyed might be focusing on the wrong attack methods. As mentioned earlier, participants are mostly concerned about “unauthorized access by outsiders.” However, as the diagram in Figure C shows, denial of service is the predominant attack vector.
Cloud security: The big picture
The survey next looked into the overall state of the participating organizations’ cloud security, and Shackleford compiled the following conclusions.
- Lack of confidence: 58% of those who responded were not confident, but felt they have some ability to mitigate risk. “This may indicate general frustration on the part of these organizations more so than true helplessness,” adds Shackleford. “Or it may be the result of a lack of understanding of the shared-responsibility model and the delineation of customer and service provider responsibilities common to most cloud providers.”
- Improving governance: Survey respondents have improved their support policies, with 62% mentioning they have cloud-security policies and governance in place (up from 48% in 2016).
- In-house or outsourced: Survey results indicate organizations continue to find success in outsourcing cloud security controls, including some movement from in-house security toward security-as-a-service (SecaaS) (Figure D).
Cloud security wish list
According to Shackleford, there is a lot of work to do when it comes to cloud-security strategies. He asked the participants for their feedback as to what would be of help, and here is what they said:
- More security controls offered natively by providers.
- Organizations need to define which data stays on premises. Not all applications and data are appropriate for use in the public cloud.
- Involve security departments in governance decisions, particularly when multi-cloud deployments are used.
Conclusion: Status quo
Cloud security is improving, but… “Until cloud providers become more open and accommodating of security data and controls, it’s likely to be a slow process,” concludes Shackleford. “This is fundamentally the same conclusion we reached in 2016.”
Shackleford is heartened that cloud-service providers are increasing the benefits of using cloud services. He cautions, though, saying, “Progress and acceptance of in-cloud controls and services continue to lag behind the pace of adoption.”