Enthusiasm must not cloud security

16th September 2019


Russell Haworth

Russell Haworth
CEO

It is almost six decades since the very beginnings of cloud computing – and over a decade since Amazon popularized the term with its Elastic Compute Cloud product – yet only now can we confidently say that the cloud is becoming a common feature of the modern business.

This outsourced approach to storing and managing data was initially seen as radical, feared for the assumed security risks of letting your assets off-site. Today, the cloud seems to be settling into an accepted – even necessary – support system for both growing businesses and established companies looking to expand while safeguarding their data. In 2018, the global cloud market was valued at nearly $325 billion, having grown 10% each year since 2014, and is expected to reach almost $528 billion by 2022.

It’s easy to see why companies have been keen to adopt this technology. The cloud can be used to support digital strategies, enabling a business to develop and host complex applications and expand their services, while reducing the cost of infrastructure. Ultimately, the cloud helps companies grow faster and leaner in a competitive market, which could prove critical to their survival in fast-moving digital times.

But is this done despite the security risks? Are businesses more interested in expanding than securing their operations? The recent Capital One data breach has served to raise concerns about cloud security, and questioned whether companies are doing enough to ensure criminals can’t infiltrate these systems. At Nominet, we were intrigued by the rise of the cloud (excuse the pun) and conducted our own research into cloud security. We spoke to business leaders about their usage and attitude towards the associated security risks, and while some results were unsurprising, others were more insightful.

As expected, the vast majority of those we spoke to (88%) are currently engaged with or planning to adopt cloud services, mainly via Software-as-a-Service (SaaS – 71%) or Infrastructure-as-a-Service (IaaS – 60%) solutions. All sectors appear to be equally keen except, notably, those operating critical national infrastructure (CNI) – just 64% of these organizations are interested in the cloud. It’s almost a given that security is more important for CNI and perhaps lower levels of interest could be due to difficulties in transitioning to the cloud while continuing to meet their (likely higher) security requirements.

Despite high take up, not everyone is confident about the security of the cloud; 71% of respondents admitting to being either moderately, very or extremely concerned about security, with concerns significantly higher for those in the US compared to those in the UK. No single risk emerged as the most concerning and the usual suspects attracted similar attention: the loss of customer data (56%), increasing sophistication of cyber criminals (54%), IoT (53%) and increased threat surface (52%).

Clearly, though, these concerns are not large enough to stop organizations using cloud software, and any perception of it carrying greater security risks than on-premise systems have largely fallen away. Only a third of the organizations thought use of the cloud was riskier (37%), compared to 61% who believed the risk levels were equal or even lower. This raises the question, is cloud security getting better or are companies perceiving the risk to be lower due to the prevalence of cloud adoption?

The true answer is both. Cloud has become mainstream and accessible, and the understanding of how to secure the cloud services being used has increased. Companies are assisted in this as the security field moves enthusiastically into the cloud, with a whole raft of new products and tools now available. The companies we spoke to are using a wide-variety of these, including firewalls (55%), email security (52%), antivirus/antimalware (48%), and data loss prevention (48%). These are not without their challenges – some identified by our respondents include staff training, data privacy and budget.

That said, experts have intimated that many of the cloud security failures are the user’s fault, not that of the cloud itself. Jay Heiser, Research Vice President at Gartner, predicts that during 2022, at least 95% of issues will be due to the user, as they have access to more controls. Responsibility to protect (or not) the data increasingly falls onto the shoulders of the CISO and the business’ security team.

Perceptions of the cloud, its security risks and benefits, are clearly on the move. In a relatively short space of time, the cloud has transformed from a niche, cutting-edge method to an approach almost everyone is taking, fuelled by the innovative software and a wealth of affordable cloud-based tools. But we are not at an endpoint here, and if more massive data breaches like Capital One are associated with cloud security, who knows what the future will hold for adoption. Like so many aspects of our digital world, this approach to business will likely remain in a state of constant change as technology develops – and the cyber criminals get smarter.

Whatever happens, it cannot be overstated how crucial security must always be, both as a risk concern and a benefit, when considering use of the cloud. We must be bold enough to embrace the cloud for the inherent, wide-reaching benefits, but be savvy enough to recognise and mitigate the risks – and use the technology to help us.