Organizations still unclear on cloud security responsibility
Vanson Bourne surveyed 1,300 IT decision makers from organizations using public cloud Infrastructure as a Service (IaaS) from the Americas, Europe, Middle East and Africa (EMEA), and from Asia Pacific (APAC).
Background public cloud use
Respondents’ use of public cloud is on the rise, as is their sophistication in working within the cloud. On average, organizations have nearly 40 percent of their infrastructure in the public cloud today, with the expectation to increase this to 70 percent over the next five years. Four in 10 reported that their organization relied on public cloud deployments to expand their services, often replicating those over multiple regions, while 30 percent said they only migrated selected services to the cloud and kept the balance on premises.
Overall, the survey found that organizations are growing more comfortable with hybrid environments that deploy a range of public cloud services along with more traditional on-premises infrastructure.
Public cloud benefits
Nearly all the respondents (99 percent) said that their organization has seen benefits as a result of moving to the public cloud, including greater scalability and reduced IT expenditures.
The survey found, on average, that organizations didn’t use a single cloud provider for everything, and cited a number of reasons for this: Top of mind was that different providers had different strengths (63 percent), followed by the view that this increased security (51 percent) and helped keep costs down (42 percent).
Public cloud challenges
Security remains to be the biggest challenge when it comes to using the public cloud – 71 percent felt that security concerns restricted their ability to migrate workloads to the public cloud. Nine in 10 (91 percent) of organizations reported they worried about their use of public cloud, with cyberattacks being the chief concern at 54 percent.
Phishing (50 percent), DDoS (47 percent), APTs (45 percent), and ransomware (41 percent) were the main threats that most concerned them. Over half (56 percent) had experienced at least one cyberattack, and found that the average number of attacks an organization had seen were five.
The challenge with security was further heightened with the information organizations are storing in public clouds: Over 50 percent of all organizations store some type of personal data (personnel records, medical records, etc.) in the public cloud, and nearly the same percent (55 percent) store customer order history.
Public cloud security
The Shared Responsibility Security Model – wherein cloud providers are responsible for the security of the cloud, while organizations using the cloud are responsible for the security of what they put in the cloud – is not new, and 72 percent felt they fully understood their cloud security responsibilities.
This was in stark contrast to what organizations believed their cloud provider was responsible to provide for security – 71 percent felt the cloud provider was responsible for customer data in the public cloud, and 66 percent for applications in the public cloud.
Additionally, 52 percent were confident that their move to the cloud was secure, with three in five – 62 percent – responding that they had included additional security solutions in their public cloud infrastructure.
“This report highlights the ongoing increase in public cloud use globally, with many organizations seeing substantial process and financial benefits. However, there are still a significant number of organizations that are not clear on the shared security model and the implication to their data and applications,” said Senior Vice President and General Manager of Security at Barracuda, Hatem Naguib. The challenges in migrating legacy security appliances and architectures require having the right infrastructure for securing hybrid cloud solutions. Organizations need to select cloud ready security solutions that are designed for the new architectures and capabilities enabled by public and hybrid cloud adoption.”
Organizations often end up with multiple cloud providers, as well as having an on-premises (legacy) infrastructure. This can have implications on complexity and overall costs; it’s further compounded when third-party solutions such as security are added to the mix. Therefore, customers are advised to look for third parties who support a wide range of ecosystems with the same or similar solutions.
As customers weigh licensing options – by usage, per hour, unlimited, etc. – we see customers beginning to understand how they can leverage different ones to gain greater cost controls. This becomes more important when third-party vendors are added to the mix. Customers value when third parties offer equivalent licensing options to how the customer is licensing their public cloud infrastructure.
Companies deploying the most common security routine – routing branch locations’ traffic through a central security solution – generally find these solutions lack scale and cost benefits as their cloud leverage increases. Companies that look at distributed security solutions, such as next-generation firewalls and web application firewalls, closer to the point of access reduce those issues, but find new ones in managing multiple devices. Therefore, look for vendors who can provide a common management scheme – either in their products or using public cloud security infrastructures – to simplify managing and monitoring ongoing security.