Shift: public cloud considered more secure than corporate data centers | ZDNet

http://www.zdnet.com/article/shift-public-cloud-more-secure-than-corporate-data-centers/

The survey’s key takeaway was that IT managers are more confident in the security and reliability of public cloud than they used to be, and as a result they are running more data and applications on public cloud infrastructure. The survey found that 51 percent said data security is better in the cloud than in their own data centers, and 58 percent said public cloud was the most secure, flexible and cost-effective solution for their organizations. In addition, 13 percent said they “trusted public cloud providers more than their internal teams” to handle data and applications.

So comfort levels keep growing when it comes to cloud. But security still needs to be the front and center concern.

The customer needs to hold vendors’ feet to the fire regarding security protocols, and embed them deeply into service level agreements. Cloud customers need to do their due diligence and get to know what and how vendors are providing security.

Other issues affecting public cloud adoption focus on control, or the loss thereof. At least 40 percent of IT executives said they were hesitant to move to public cloud services due to concerns about stability and public cloud’s long-term viability.

 

1 Comment

  1. Tomi Engdahl says:

    Go Boldly to the Cloud: Embracing the Security Benefits of the Cloud Infrastructure
    http://www.securityweek.com/go-boldly-cloud-embracing-security-benefits-cloud-infrastructure

    Businesses are moving mission-critical applications to the cloud at a rapid pace. The cost savings and other benefits simply are too persuasive not to move to the cloud. So why do organizations hesitate? Analyst studies cite security concerns as the number one inhibitor of moving sensitive applications to the cloud.

    I was once concerned that moving to the cloud was fraught with unknown perils. Then I walked into a cloud security panel of really smart, progressive security types at the RSA Conference in 2014 called “Is the Cloud Really More Secure Than On-Premise?” No less a luminary than Bruce Schneier told the audience to essentially wise up and realize that established cloud providers had more security resources and expertise than any enterprise, and that they provide security that is comparable to or exceeds that of any enterprise.

    In other words, the cloud is more likely to be secure than your own environment. Therefore, you can add security to the list of benefits that make the cloud so enticing, and remove it from your list of concerns. Privacy experts will continue to call attention to questions about data leakage and other potential maladies, but the cloud environment appears to be a secure choice. Certainly there has been no flood of breach stories coming from the early adopters.

    What we had to worry about was ourselves. Research actually shows that it is not the cloud that is the security risk. Over 90 percent of security issues originate with the enterprise, and not the cloud. We remain our own worst enemy, it seems, even as technology moves forward.

    It is important to note that experts like Schneier are speaking from an infrastructure perspective, focusing on the broader network and data security. We still need to consider my second point regarding the security of the actual applications running in the cloud.

    For that I will start with a simple truth: Moving an application full of security vulnerabilities to the cloud does not make it more secure.

    The IaaS model is often the entry point for organizations moving to the cloud, as they are able to “lift and shift” applications from their environment to the cloud in order to start reaping the benefits.

    Picking up an application with security problems from your infrastructure and placing it into the cloud does not suddenly remediate the security vulnerabilities or mitigate the risk. It is like the Neil Gaiman quote “Wherever you go, you take yourself with you.” Wherever you run an application, its vulnerabilities will follow. If an organization does not follow the basic principles of software security, the risks remain.

    Even as organizations evolve to the Platform-as-a-Service model where the provider supplies just about everything but the application and the data, eliminating vulnerabilities from the software is critical.

    In spite of the growing recognition of risks associated with web applications, organizations have stubbornly continued to pump spending into network and infrastructure security. When the organization begins to move to the cloud and relies on the security of the cloud infrastructure, it makes less sense than ever to continue down this path. Perhaps organizations will turn their attention (and budgets) to securing applications appropriately.

    At the basic level, organizations should begin by analyzing the cloud platform layer controls and testing applications for vulnerabilities, remediating what is found. If more money is moved to software security, organizations can perform deeper testing, combining static testing (SAST) and dynamic testing (DAST) and code review. Given that 50 percent of application vulnerabilities begin in the architecture level, architecture and design reviews along with threat modeling make for a comprehensive program of removing the risks of web applications. It is entirely possible to bring the security readiness of the application to the security readiness of the cloud.

    Organizations should fear security concerns when considering moving applications to the cloud. But they need to recognize that moving web applications to the cloud does not make them secure.
