IT security is always listed as the number one barrier to adoption when it comes to cloud computing. But despite those concerns, adoption of cloud security services continues to grow at unprecedented rates. In fact, while there have been some major breaches, virtually none of them have involved a provider of a cloud service being used to deliver application services.
That doesn’t mean IT security professionals don’t have legitimate concerns. But it can be argued that, in the absence of any compelling example, many of those concerns remain theoretical. This week Crowd Research Partners published a survey of 1,900 cyber security professionals who participate in a Security Community hosted on LinkedIn, and it goes a long way towards detailing what the potential issues with cloud security really are.
Top concerns include protection against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%). Organizations are also realizing that legacy security tools are not designed for the cloud (78%) and that lack of visibility into cloud infrastructure is the single biggest security management headache they have (37%).
Just over half also acknowledge that a lack of qualified security staff is the second biggest barrier to cloud adoption. In fact, more than half of organizations (53%) are looking to train and certify their current IT staff to address the shortage, followed by partnering with a managed service provider (MSP) (30%), leveraging software solutions (27%), and hiring dedicated staff (26%). In most cases, the right solution will involve some combination of all four approaches.
While these are legitimate concerns, all of them involve either something that might happen one day or a shortcoming of the IT security staff. After 10 years of cloud computing, there have been no major breaches on cloud platforms such as Amazon Web Services, Microsoft Azure, Google Cloud Platform (GCP) or any number of software-as-a-service (SaaS) application providers. There might very well be a major security breach one day. But by and large, the providers of cloud security services have shown by the test of time that their security is as good as or better than what most internal IT organizations could do on their own.
Obviously, there’s still room for improvement when it comes to the tools being provided to the IT security professionals who are ultimately held accountable for IT security. But the truth is that many IT professionals who view those cloud services as a threat to their continued employment like to cite vague security concerns as a reason not to make use of cloud services. The fact of the matter is that usage of cloud computing services is here to stay. It’s the job of the IT security community to figure out how to better secure application workloads running in those environments. Barring some specific regulation that prevents an organization from deploying workloads outside its own data centers, IT security professionals are simply not in a position where they can tell an organization it can’t use an external cloud service. Understandably, they may not like it. But until there’s concrete evidence to the contrary, IT security professionals need to think a lot more about enabling organizations to securely do what makes the most economic sense for any given application workload.
Over time, IT security professionals should expect to see roughly half of those workloads running in a cloud service, while the other half continue to run on premises. The challenge and responsibility they now have is to make sure all those workloads are as secure as possible regardless of where they happen to be physically located.