Beware: Looming Security Crisis in the Cloud

August 10, 2012, by David
Object Storage

Grazed from Channelnomics. Author: Chris Gonsolves.

There isn’t much doubt or debate: Cloud computing and the “-as-a-service” models of information technology are the most important and disruptive enterprise technologies to surface in decades. Also true: The cloud is one major security snafu or data breach away from collapsing before its complete value is ever realized.

Such a catastrophe appears to be inching closer to reality, as evidenced by a new survey making the rounds from the Ponemon Institute and Thales e-Security. On the surface, the report purports to show how cloud acceptance is continuing unabated, driven by ever-increasing zeal for new services at lower costs. But beyond the heady adoption numbers, there’s a chilling disregard for basic security. Even organizations that should know better, the survey shows, are playing fast and loose with their data in the cloud and fumbling even the most fundamental tenets of data integrity with poor encryption practices…

Here are some of the survey’s disturbing findings:

  • Who is doing it? A full 50 percent of respondents say they are putting “sensitive or confidential data” in the cloud. Another 33 percent will do so within the next two years.
  • How’s that working out? Nearly 40 percent of those polled say cloud adoption has decreased their companies’ security posture.
  • Who is responsible for all this? Sixty-four percent of those putting critical data in the cloud say the cloud provider is primarily responsible for security. More than 60 percent admit they have no idea what cloud providers are actually doing to protect all that data. Despite that ignorance, about half figure the provider is probably capable of handling security issues.
  • What about data encryption? About half of those who bother with encryption at all apply it before the data is transferred to the cloud. The rest rely on encryption within the cloud environment. A quarter of those employing encryption hand over vital encryption keys to the cloud service provider, including a majority of those who encrypt in-house.

To summarize, the Ponemon and Thales global survey of 4,000 IT managers found that businesses are flocking to put their critical data in the cloud, where they assume the cloud provider will handle security even though they have no idea what that security entails. When they do adopt a protective measure such as encryption, they frequently turn the keys over to the third-party host, which undoes most of the security value of encrypting in the first place: whoever holds the key can read the data, wherever the ciphertext lives.
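The survey draws two distinctions worth making concrete: encrypting before transfer versus encrypting inside the cloud, and keeping the keys versus handing them to the provider. The Go program below is an added example, not code from the original article or from the Ponemon/Thales report. It models the provider as a hypothetical in-memory object store (not any real provider SDK) that only ever receives AES-256-GCM ciphertext produced on the client with a customer-held key. Anyone reading the provider's storage without that key recovers nothing, while a copy of the key at the provider makes the encryption moot. The object name is bound as associated data, an assumption of this example, so a blob cannot be quietly moved under another name.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cloudStore is a hypothetical stand-in for an object storage service.
// It receives and returns bytes; it is never given a key.
type cloudStore struct {
	objects map[string][]byte
}

func newCloudStore() *cloudStore { return &cloudStore{objects: map[string][]byte{}} }

func (c *cloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }

func (c *cloudStore) Get(name string) ([]byte, bool) { b, ok := c.objects[name]; return b, ok }

// newDataKey generates a 256-bit AES key. In practice it lives in an HSM or
// KMS the customer controls; here it is held in memory for the demonstration.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealObject encrypts plaintext client-side with AES-256-GCM. The object name
// is authenticated as associated data. Output layout: nonce || ciphertext || tag.
func sealObject(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openObject reverses sealObject. It fails if the key, nonce, name or
// ciphertext does not match, so a tampered or renamed blob is rejected.
func openObject(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// uploadEncrypted encrypts on the client and uploads only the ciphertext.
func uploadEncrypted(store *cloudStore, key []byte, name string, plaintext []byte) error {
	blob, err := sealObject(key, name, plaintext)
	if err != nil {
		return err
	}
	store.Put(name, blob)
	return nil
}

// downloadDecrypted fetches the ciphertext and decrypts it on the client.
func downloadDecrypted(store *cloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("object not found")
	}
	return openObject(key, name, blob)
}

// providerCanRead models what someone with access to the provider's storage
// recovers: with a copy of the key, the data; without it, nothing.
func providerCanRead(store *cloudStore, keyHeldByProvider []byte, name string) bool {
	blob, ok := store.Get(name)
	if !ok {
		return false
	}
	_, err := openObject(keyHeldByProvider, name, blob)
	return err == nil
}

func main() {
	store := newCloudStore()
	customerKey, _ := newDataKey()
	// Constructed sample record; not real customer data.
	record := []byte(`{"customer":42,"ssn":"000-00-0000"}`)
	if err := uploadEncrypted(store, customerKey, "records/42.json", record); err != nil {
		panic(err)
	}
	blob, _ := store.Get("records/42.json")
	fmt.Println("plaintext visible in provider storage:", bytes.Contains(blob, record))
	someOtherKey, _ := newDataKey()
	fmt.Println("provider reads it without the key:", providerCanRead(store, someOtherKey, "records/42.json"))
	fmt.Println("provider reads it with a handed-over key:", providerCanRead(store, customerKey, "records/42.json"))
}
```

The last two lines of output are the survey's point in miniature: encrypting before upload only helps if the key stays out of the provider's hands. Encryption performed inside the cloud environment, with provider-managed keys, collapses to the third case.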

Curiously, and somewhat paradoxically, one conclusion from the report is that the more security-conscious an organization is, the more likely they are to push critical data onto the cloud with little if any regard for its security or integrity.

“Organizations that have a strong overall security posture appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control,” said Larry Ponemon, chairman and founder of the Ponemon Institute in Traverse City, Mich.

Possible, but not likely.

The more probable answer is that survey takers tend to self-identify as secure and sound the same way poll respondents self-identify as smart and good-looking. If you are pushing your mission-critical data to the cloud, but you’re not sure if or how it is secured, you are not a company with a strong security posture no matter how you answered the questions above.

This security precipice upon which business cloud services are now standing has been portrayed as an opportunity for services firms. “This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition,” Ponemon added.

That could also be true. But the fact that organizations are responding this way at this late date in the cloud curve says two things. First, cloud providers have long been masters of hyping and marketing their services. If there was a strong differentiating message about what they are doing to secure cloud data, we’d have heard it. A lot. It would be plastered on the sides of buses and scrolling across neon marquees in Times Square. The relative silence and obvious market confusion is a better indicator that there isn’t a lot there.

Second, service providers have already dropped the ball. If the plurality of businesses are this confused about a technology they feel they must have, even at great risk to their own survival, the cloud purveyors have waited too long to take security seriously and start showing their customers how to leverage this technology prudently. August 2012 represents an enormous opportunity to articulate cloud security? Where have they been all this time?

Richard Moulds, vice president for strategy for Thales e-Security, the U.K.-based network security division of defense giant Thales Group of Neuilly-sur-Seine, France, hits closer to the mark in a video and blog titled “Data protection in the cloud – are we fooling ourselves?” that accompanied the survey’s release.

“We all know that in general the cloud has already become central to the IT strategy of many organizations around the world, but I expected to hear that organizations took a much more cautious approach when it comes to their more security sensitive business processes and data,” said Moulds. Once again we see that economics seems to trump security.

“You would expect that those that perform encryption themselves, inside their organization, would keep control of the keys but the survey showed that less than half retain exclusive control of the keys,” he said. “That sort of approach might raise a few eyebrows, particularly from your auditor!”