Does Cloud Mean Better Security Or More Vulnerability?

Examining the risks that come along with cloud adoption


According to a report released by research firm Wikibon, cloud spending in 2012 generated $26 billion. In 2015, the year the report was released, spending rose to $80 billion. Now, Wikibon forecasts public spending on cloud services to reach approximately $522 billion by 2026.

As this emerging technology hasn’t been around for very long, IT professionals have long questioned the state of security in the cloud. Do traditional IT infrastructures bring fewer vulnerabilities, or is there a security trade-off when it comes to investments in the cloud?


In examining the implications for increasing cloud investments, there are three common themes among cloud security experts that have become abundantly clear: The cloud can be just as secure as traditional IT infrastructures as long as organizations get back to the basics of People, Process & Technology. Here’s how:

  1. PEOPLE: According to a recent article by Gartner, CIOs and their organizations must develop a clear enterprise cloud strategy. The security challenges surrounding the cloud oftentimes have nothing to do with the technology itself, but with the policies around control. “In nearly all cases, it is the user – not the cloud provider – who fails to manage the controls used to protect an organization’s data,” according to the article. Rather than hold back cloud initiatives, Gartner Research VP Jay Heiser suggests organizations make explicit decisions on their cloud strategy to provide more guidance to IT, as well as the business as a whole.

  2. PROCESS: The cloud can be just as secure as (or more secure than) traditional systems. In fact, Cloud Expert David Linthicum notes that the variations in threat activity are not as important as where the infrastructure is located. “Anything that can be possibly accessed from outside -- whether enterprise or cloud -- has equal chances of being attacked, because attacks are opportunistic in nature,” he said. Clearly, as more workloads shift to the cloud, the mindset will shift in conjunction as enterprises better understand the technology and develop the right security processes to fit their needs. Therefore, good planning is key.

  3. TECHNOLOGY: Investments in cloud security should be made on a case-by-case basis. ESG research highlights that 43% of organizations indicate they intend to increase their spending on cloud application and/or cloud infrastructure security. However, organizations need to take a hard look at cloud-native security controls provided by their cloud service providers versus third-party enhancements. In other words, for those companies using a single cloud service provider, their security controls are most likely sufficient, whereas those enterprises using multiple cloud service providers likely have to opt for third-party controls focusing on specific features/functionalities to supplement their cloud security needs.

While companies are already reaping the benefits of cloud potential – whether through Software-as-a-Service, Platform-as-a-Service or Infrastructure-as-a-Service, public, hybrid and everything else in between – adoption is not slowing down. There’s something to be said about being able to access more mobile and decentralized information that is always available at our fingertips. As such, cyber security best practices need to catch up as breaches flood the headlines of late.


As with any new or emerging technology investment, getting back to the basics of people, process and technology is also applicable here, as so many CIOs, CISOs and IT professionals are oftentimes quoted as saying.

Gartner predicts that in 2018, “the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.” In other words, making more investments in the cloud doesn’t necessarily have to come with security trade-offs.