With the genesis of cloud computing, many companies moved to embrace the promises of the new age: lower operational costs, greater scale, greater access to resources, business agility. These promises have drawn more and more companies to the cloud/SaaS model, creating today’s multibillion-dollar market.
The explosion in use of cloud and SaaS magnifies the challenges. “The sheer scale of applications, locations and devices is daunting,” says Christian Christiansen, program vice president for security at IDC, a market research firm based in Framingham, Massachusetts. “It used to be that a company had 20 SaaS applications. Today, a large enterprise can run discovery and find it has thousands of SaaS apps, many of which it didn’t know existed. They may belong to different business units or individuals.” Combined with the encroaching Internet of Things (IoT), it makes access control, management and provisioning a nightmare, he says.
Concerns for cloud security escalate with company size. Phillip Black, director of professional services at Hub City Media in New Jersey, says that the top issues for his clients – large Fortune 2000 companies – are the liability and governance laws, followed by fear of a data breach. For heavily regulated companies, the laws have not yet caught up with cloud security, says Black, and many questions are still unanswered, including:
- If there is company data on a cloud in multiple locations, who bears responsibility? Is it the cloud provider or the company?
- How much is regulated by the state or country in which the data resides?
- Who is taking responsibility for access control and identity management?
The changing cloud security forecast
Initially, most companies moving to the cloud focused on cost reduction and most projects hosted on cloud were non-critical and non-strategic in nature. Security was a concern, but no more so than in any other non-critical computing environment.
As cloud adoption moved into the mainstream, security became a key concern and focus. Daniel Kirsch, vice president and principal security analyst at Hurwitz and Associates, a consulting and research firm based in Needham, Massachusetts, observes that “Initially there were companies that wouldn’t put anything in the cloud. Security used to be first, second and third on the list of an IT manager thinking about cloud.”
Thankfully, the state of security in cloud and SaaS has made significant strides. An increasing share of cloud and SaaS providers have taken it on themselves to deliver services that remove the bulk of the security burden from customers.
That led to a marked shift in the perception of security in the cloud. “Even three years ago, financial services companies claimed they would never use cloud; so did many in healthcare and insurance,” observes Kirsch. “Now they are all looking.”
In fact, for some companies a cloud or SaaS service can actually be a solution to key challenges of security. According to Mario Duarte, director of security at cloud software company Snowflake Computing, “Most of the cloud challenges have been reduced by Amazon Web Services, Microsoft Azure and Google. There is now a level of comfort with customers. Loss of control is not as terrible as it once was. Providers’ responsibility is to be good custodians of the corporate data.”
Today, cloud computing has passed a tipping point and organizations are making strategic investments in cloud and SaaS.
Instead of asking “Can the cloud be secure?” companies now focus on evaluating cloud and SaaS offerings based on their security capabilities.
However, confusion still lingers around cloud computing and security. One misperception is that all cloud and SaaS providers provide similar security, reliability and availability. Unfortunately, that is not the case.
Optimal cloud conditions
Companies and organizations contemplating cloud and SaaS adoption must conduct due diligence and planning, using both internal resources and trusted third parties, in order to correctly match platforms, activities and applications. Here are five tips.
- Weave security throughout activities and applications; detecting and correcting vulnerabilities, as well as proactively monitoring activity, is essential to protect against data theft and system compromise.
- Ensure encryption. A fundamental tenet for cloud data is encryption. Sadly, many of the data theft sorrows in the world today could have been prevented by using encryption.
- Look carefully at how providers handle encryption, incident handling (both internal and cloud provider), application security and exposure to attack.
- Determine the right application and infrastructure for the targeted workload in the cloud, and make sure all of it is secure.
- Keep in mind that security is no longer a steady state; anticipate the new threats that may arise in the future and be prepared for them as well.
Kirsch sums up concerns by saying, “Losing customer data and fear of reputational damage are the biggest drivers of cloud security today,” adding that no organization wants to be tomorrow’s Wall Street Journal winner in the sweepstakes for the latest big data breach.
Sally Hudson is an independent market research consultant and writer who has spent more than 20 years watching the software industry. In her 15 years as a director in IDC’s security products and services group, she developed and managed IDC’s identity and access management research program. Her articles have appeared in many industry journals including Application Development Trends, CIO magazine, and Computerworld, an IDG publication.