Rolf Haas, Enterprise Technology Specialist/Network Security and Content Division, Intel Security
Cloud use continues to grow rapidly in the enterprise and has unquestionably become a part of mainstream IT – so much so that many organizations now claim to have a “cloud-first” strategy.
That’s backed up by a survey* we commissioned here at Intel Security that questioned 1,200 cloud security decision makers across eight countries. One of the most startling findings: that 80% of respondents’ IT spend will go to cloud services within just 16 months.
Even if that outlook overestimates cloud spend it still shows a dramatic shift in mindset, and it’s often the business, rather than the IT department, that is driving that shift. In today’s digital world the pull of the cloud and its benefits of flexibility, speed, innovation, cost, and scalability are now too great to be dismissed by the usual fears. To compete today businesses need to rapidly adopt and deploy new services, to both scale up or down in response to demand and meet the ever-evolving needs and expectations of employees and customers.
This new-found optimism for the cloud inevitably means more critical and sensitive data is put into cloud services. And that means security is going to become a massive issue.
If we look at our survey results the picture isn’t great when it comes to how well organizations are ensuring cloud security today. Some 40% are failing to protect files located on SaaS with encryption or data loss prevention tools, 43% do not use encryption or anti-malware in their private cloud servers, and 38% use IaaS without encryption or anti-malware.
Many organizations have already been at the sharp end of cloud security incidents. Nearly a quarter of respondents (23%) report cloud provider data losses or breaches, and one in five reports unauthorized access to their organization’s data or services in the cloud. The reality check here is that the most commonly cited cloud security incidents were actually around migrating services or data, high costs, and lack of visibility into the provider’s operations.
Trust is growing in cloud providers and services, but 72% of decision makers in our survey point to cloud compliance as their greatest concern. That’s not surprising given the current lack of visibility around cloud usage and where cloud data is being stored.
The wider trend to move away from the traditional PC-centric environment to unmanaged mobile devices is another factor here. Take a common example: an employee wants to copy data to their smartphone from a CRM tool via the Salesforce app. The problem is they have the credentials to go to that cloud service and access that data, but in this case are using an untrusted and unmanaged device. Now multiply that situation across all an organization’s cloud services and user devices.
There is clearly a need for better cloud-control tools across the stack. Large organizations may have hundreds or even thousands of cloud services being used by employees – some of which they probably don’t even know about. It is impossible to implement separate controls and polices for each of them.
To securely reap the benefits of cloud while meeting compliance and governance requirements, enterprises will need to take advantage of technologies and tools such as two-factor authentication, data leakage prevention, and encryption, on top of their cloud services and applications.
Increasingly, organizations are also investing in security-as-a-service (SECaaS) and other tools that can help orchestrate security across multiple providers and environments. These help tackle the visibility issue and ensure compliance needs are met. That’s why I believe we are starting to see the rise of so-called “broker” security services. These cloud access security brokers (CASBs) will enable consolidated enterprise security policy enforcement between the cloud service user and the cloud service provider. That’s backed up by Gartner, which has picked out CASBs as a high-growth spot in the security market. Gartner predicts by 2020, 85% of large enterprises will use a CASB for their cloud services, up from fewer than 5% today.
This will all be driven by the rapid growth in enterprise cloud adoption and the need for a new model of security that enables the centralized control or orchestration of the myriad cloud services and apps employees use across the enterprise. Cloud security is now a critical element of any business, and it needs to be taken seriously from the boardroom right down to the end users.
*Blue Skies Ahead? The State of Cloud Adoption
The survey of 1,200 IT decision makers with responsibility for cloud security in their organizations was conducted by Vanson Bourne in June 2015. Respondents were drawn from Australia, Brazil, Canada, France, Germany, Spain, the UK, and the US across a range of organizations, from those with 251 to 500 employees to those with more than 5,000 employees.