Security Forecast: Cloudy with Low Data Visibility
Businesses are moving more sensitive data to the cloud but struggle to monitor and manage it once it's there.
A need for greater flexibility, speed, and convenience is driving more businesses to the cloud. Less than 25% had their applications, data, and infrastructure in the cloud two years ago but 44% have them cloud-based today, and 65% will be cloud-based two years from now.
The data comes from a study by Google Cloud and the MIT SMR Custom Studio. Researchers polled more than 500 IT decision-makers and found security is also a key driver of cloud adoption: 44% of respondents moved to the cloud because of their increased confidence in security. Overall, 74% of participants are more confident in cloud security.
In Dark Reading's upcoming 2017 Cloud Security Survey, 62% of IT leaders report moderate to heavy usage of cloud services and applications. Thirty-six believe the cloud is, or eventually will be, more secure than their on-premises IT environments. Twenty percent say they are moving more data to the cloud, partly because of its strong security capabilities.
A Change in Perspective
"It used to be that security was one of the things holding organizations back from the cloud," says Rob Sadowski, trust and security marketing lead for Google Cloud. "What we're starting to see, and what we saw in the research, is the script is almost flipping."
While Sadowski admits the confidence is partly due to improved documentation, he says two-thirds of respondents attribute their confidence to direct experience in the cloud. The top most consistent two reasons for moving to the cloud include "increased flexibility in business processes and vendor choices," and the "ability to integrate with new tools and platforms."
For many, the transition is gradual. Many businesses start out by doing some of their test and development work in the cloud, says Sadowski. They learn how to build new applications in the cloud. Once they achieve a certain level of comfort, they think about other workloads.
"It could be bulk storage, file sync-and-share or collaboration, or sharing data and collaborating," he says. "As you work with more organizations that are distributed around the country and around the globe, having that data in the cloud enhances their productivity."
Over the past 5 to 10 years, the amount of data organizations generate "is exploding," Sadowski continues. After they feel comfortable with testing and development in the cloud, businesses move more important data to understand its growth, apply analytics, and gain insight.
But what happens to all of that data once it's moved to the cloud? Many aren't so sure, and poor visibility could be putting their data at risk.
Data Visibility Remains a Challenge
The confidence boost doesn't mean the cloud is completely secure, or that all companies are fully on board. In Google's study, 63% of respondents who chose not to move data to the cloud cited security concerns. A survey by Threat Stack and Enterprise Strategy group found 31% of respondents are unable to maintain security as cloud and container environments grow, and 62% are seeking greater visibility into public cloud workloads.
"It is a concern for organizations," says Sadowski of visibility, which is a challenge as personally identifiable information and healthcare records move to the cloud. Businesses may be responsible for disclosing the movement of data to the cloud because sensitive data types are often regulated.
Participants in a new SANS survey say they lack visibility, auditability, and controls to actually monitor everything in their public clouds. More than half (55%) say they are hindered from doing adequate forensic and incident response activities because they can't access logs, or underlying system and application details, in cloud environments.
One-third of Dark Reading's cloud survey respondents say visibility is a "mixed bag" and they have good visibility in some areas but none in others. One-quarter say they have good visibility overall with a few blind spots; 11% say "most of our data is invisible to us."
Sadowski advises looking into auditability tools to have greater visibility into who is accessing data and what they are doing with it. This would let you set audit and edit permissions to ensure activity aligns with corporate policies, as well as query the data and make sense of it.
He also emphasizes the importance of encryption to directly protect data. "Encryption is highlighted by many as something they care about, but it's a difficult solution to implement in a lot of cases," Sadowski notes.
Nearly 80 of Google's respondents said it was somewhat or very important to manage the strength of their encryption, or manage the encryption process itself. However, whether the company or cloud provider controls the encryption keys is "a really big bone of contention", says Michael Fuller, associate principal at consultancy The Hackett Group, in the report.
Related Content:
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
About the Author
You May Also Like