Cloud security concerns are overblown, experts say
- 27 February, 2014 11:29
SAN FRANCISCO -- Security concerns should not deter enterprises from using public cloud technologies when it makes business sense.
A panel of practitioners said at the RSA Security Conference here this week agreed that if cloud providers are vetted properly, most enterprise workloads and data can be safely migrated to cloud environments.
Any lingering questions by IT security pros about data security and privacy of cloud computing will be allayed just as concerns about virtualization were in the past, they said.
"The horse is largely out of the barn," said John Pescatore, director of research at the SANS Institute. "There is no debate about whether we are going to use the cloud," he said.
Today, though, security concerns are still the major inhibitor of cloud adoption at many large companies. The concerns are most significant among those IT executives considering a cloud migration. Those who have already made the leap appear mostly satisfied with cloud security, the panel agreed.
An Intermap survey of 250 decision makers at medium and large companies found that 40% of those who described themselves as "cloud-wary" cited security as their biggest impediment to adoption. In contrast only about 15% of "cloud-wise" respondents felt the same way.
Intermap said its analysis of the findings determined that cloud-wary companies are likely substantially overestimating the security risks substantially. This group is less concerned about the performance and cost challenges cited by companies that have moved to the cloud.
Bruce Schneier, a panelist and CTO at Co3 Systems Inc., a vendor of incident response technologies, suggested that companies first consider the level of security offered by the provider.
Cloud vendors provide different levels of security, he said. "The basic issue is, do I trust that other legal entity that has my data on their hard drive?" Schneier said.
Making that leap of faith shouldn't be too difficult for IT executives, he said. Just like they had to learn to trust hardware, software and outsourcing vendors, enterprise IT executives will one fay have to start trusting cloud vendors.
The popular perception that the cloud is inherently insecure is wrong, said Wade Baker, managing principal of research and intelligence at Verizon. "It seems to imply this relationship with the cloud is untrustworthy or higher risk."
Despite all the fears about cloud security, there are few instances where enterprise data was compromised because it was moved to the cloud, he said. In fact, a vast majority of enterprise breaches involving cloud providers, stemmed from enterprise failures and not cloud provider faults, added Pescatore.
The issue of how to deal with government requests for data in the cloud is still only being worked out, the panelists noted.
Larger cloud providers like Google and Microsoft have already taken steps to foster great transparency. Such firms are well equipped to legally to fight government requests for data access than individual companies, the panelists said.
"The cloud is not an all or nothing strategy," said Eran Feigenbaum, director of security for Google Apps. By properly classifying data and moving public and sensitive data to the cloud, companies can do a better job protecting the really critical information internally, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.
Read more about cloud security in Computerworld's Cloud Security Topic Center.