I’ve been writing about cybersecurity for a decade. I’ve been writing about the concerns surrounding cloud security for the entirety of that time. Ten years ago, businesses hesitated to adopt cloud computing because so many questions surrounded the security of data stored and used outside of the control of internal servers. Clearly, comfort with the cloud has improved because it is ubiquitous within business and personal computing. Cloud security has gotten better, but it continues to evolve, as a Network World article pointed out. Citing research from ESG, the article revealed that more than two-thirds of cybersecurity professionals said their organization is still learning how to apply security policies to cloud options, and a little more than half admitted they don’t have the right staff in place to manage security in the cloud.
These statistics are reinforced by the recently released 2017 Cloud Security Report, an online survey of over 1,900 cybersecurity professionals produced in conjunction with the following cloud security vendors: AlienVault, Bitglass, CloudPassage, Cloudvisory, Dome9 Security, Eastwind Networks, Evident.io, (ISC)2, Quest, Skyhigh and Tenable.
Like the ESG report, this one found that the lack of qualified security professionals has hindered cloud adoption; 53 percent of respondents are actively looking to train staff to deal with cloud security issues, while another 30 percent are looking for outside help through managed service providers.
Some things haven’t changed much in that decade. The greatest concern in adopting cloud computing remains the security of the data, with 57 percent worried about data loss and 49 percent worried about data privacy.
I understand why the concerns about cloud security continue to linger, particularly with regard to the lack of staff trained in cloud security to handle the issues of networking through a cloud infrastructure. But cloud security incidents, while they do happen, are considered to be very rare, Black Swans in a crowded security landscape, says eWeek. However, when a security event happens, the article continued, it can be massive:
Take the recent “CloudBleed” incident. A single-character coding error caused servers for the popular Cloudflare content-delivery service to overwrite their buffers, leaking sensitive information to the Internet. While there was only 0.00003 percent chance of potentially triggering the flaw, making data leakage rare, the security issue was triggered often enough that Google researcher Tavis Ormandy noticed corrupted Web pages being cached to the search provider’s servers.
In a piece written for Data Center Knowledge, Bryan Doerr argued that cloud security is not a dire problem and that IT departments shouldn’t be so hesitant to adopt cloud computing. He wrote:
It is 2017, and there are still some data center CIOs who have not accepted the possibility that the public cloud can be more secure than most on-premise platforms and (especially) legacy infrastructures. . . . After several years of improvement and innovation in cloud services and now broad market acceptance, CIOs need to take another look, especially where security concerns dominate their risk equation.
It’s an interesting argument. Where do you stand on cloud security? And why are companies slow to have staff trained to handle cloud security?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba