No more excuses – time to get a grip on your cloud security

By Rolf Haas on May 01, 2016

Cloud use continues to grow rapidly in the enterprise and has unquestionably become a part of mainstream IT – so much so that many organisations now claim to have a ‘cloud-first’ strategy.

That’s backed up by a survey* we commissioned here at McAfee that questioned 1,200 cloud security decision-makers across eight countries. One of the most startling figures it revealed is that 80 per cent of respondents’ IT spend will go to cloud services within just 16 months.

Even if that outlook overestimates cloud spend it still shows a dramatic shift in mindset and it’s often the business, rather than the IT department, that is driving it. In today’s digital world the pull of the cloud and its benefits of flexibility, speed, innovation, cost and scalability are now too great to be dismissed by the usual fears. To compete today businesses need to be able to rapidly adopt and deploy new services, to scale up or down in response to demand and to meet the ever-evolving needs and expectations of employees and customers.

This newfound optimism for the cloud inevitably means more critical and sensitive data is put into cloud services. And that means security is going to become a massive issue.

If we look at our own survey results the picture isn’t great when it comes to how well organisations are doing cloud security today. Some 40 per cent are failing to protect files located on SaaS with encryption or data loss prevention tools, 43 per cent do not use encryption or anti-malware in their private cloud servers and 38 per cent use IaaS without encryption or anti-malware.

Many organisations have already been at the sharp end of cloud security incidents. Nearly a quarter of respondents (23 per cent) report cloud provider data losses or breaches and one in five reports unauthorised access to its data or services in the cloud. The reality check here is that the most common cloud security incidents cited were actually around migrating services or data, high costs and lack of visibility into the provider’s operations.

Trust is growing in cloud providers and services but 72 per cent of decision-makers in our survey point to cloud compliance as their greatest concern. That’s not surprising given the current lack of visibility around cloud usage and where cloud data is being stored.

The wider trend away from the traditional PC-centric environment towards unmanaged mobile devices is another factor here. Take the common example of an employee wanting to copy data from a CRM tool to their smartphone via the Salesforce app. The problem is that they have the credentials to reach that cloud service and access that data, but in this case they are doing so from an untrusted and unmanaged device. Now multiply that situation across all of an organisation’s cloud services and user devices.

There is clearly a need for better cloud control tools across the stack. Large organisations may have hundreds or even thousands of cloud services being used by employees – some of which they probably don’t even know about. It is impossible to implement separate controls and policies for each of them.

To securely reap the benefits of cloud while meeting compliance and governance requirements, enterprises will need to take advantage of technologies and tools such as two-factor authentication, data leakage prevention and encryption, on top of their cloud services and applications.

Increasingly, organisations are also investing in security-as-a-service and other tools that can help orchestrate security across multiple providers and environments. They help tackle the visibility issue and ensure compliance needs are met. That’s why I believe we are starting to see the rise of so-called ‘broker’ security services. These cloud access security brokers (CASBs) will enable consolidated enterprise security policy enforcement between the cloud service user and the cloud service provider. That’s backed up by Gartner, which has picked out CASBs as a high growth spot in the security market and predicts that by 2020, 85 per cent of large enterprises will use a CASB for their cloud services, up from fewer than five per cent today.

This will all be driven by the rapid growth in enterprise cloud adoption and the need for a new model of security that enables the centralised control or orchestration of the myriad cloud services and apps employees use across the enterprise. Cloud security is now a critical element of any business and it needs to be taken seriously from the boardroom right down to the end users.

*Blue Skies Ahead? The state of cloud adoption

The survey of 1,200 IT decision-makers with responsibility for cloud security in their organisations was conducted by Vanson Bourne in June 2015. Respondents were drawn from Australia, Brazil, Canada, France, Germany, Spain, the UK and the US and across a range of organisations, from those with 251 to 500 employees to those with more than 5,000 employees.

About the Author

Rolf Haas

Rolf Haas is a Senior Enterprise Technology Specialist focused on Data and Cloud Protection at McAfee. With more than 20 years of experience in IT Security, Rolf has built up extensive technical knowledge in different ICT Security areas. He provides structured and innovative approaches to solving complex technical issues, as well as solutions and responses ...
