At the end of every year, analyst firm Gartner makes predictions about the next year and several years beyond. One prediction that Gartner made at the end of 2015, and that should catch the attention of IT directors, is the following: "Through 2020, 95% of cloud security failures will be the customer's fault."
Most enterprises are overly concerned with the security postures of cloud service providers, and this concern is misplaced. Enterprises should focus instead on establishing organisational security and governance processes that will prevent cloud security and compliance mistakes. Furthermore, according to Gartner, organisations are shying away from using public cloud services that in reality would be more secure than the processes implemented within most on-premises data centres.
Of all the reasons enterprises avoid the use of public cloud services, security is number one. But while media reports on security failures are on the rise, most incidents involve small providers. It turns out that most of the larger cloud providers offer better security than the majority of enterprises can build in-house.
According to Gartner: "Recent history has shown that virtually all public cloud services are highly resistant to attack and, in the majority of circumstances, represent a more secure starting point than traditional in-house implementations. No significant evidence exists to indicate that commercial cloud service providers have performed less securely than end-user organisations themselves. In fact, most available evidence points to the opposite. Only a very small percentage of the security incidents impacting enterprises using the cloud have been due to vulnerabilities that were the provider's fault."
So what should CIOs do?
Gartner advises IT directors to take a strategic approach to cloud competency. CIOs should build expertise and put in place processes that take advantage of the security offered by cloud providers. As cloud offerings grow, and as the incentive to shop around increases, those organisations that understand cloud security are at an advantage. They are able to more quickly, and more rationally, make decisions about which cloud services to use.
A variety of cloud platforms provide services to enhance security. For example, some offer identity as a service. Others offer features to ensure common configurations and policies, and features to monitor and govern user activities. IT departments should bone up on these services to make better decisions about how they use the cloud.
Enterprises should also take care in how they use the parts of the cloud stack under their control. Poor practices on the part of in-house IT personnel can result in widespread security or compliance failures.
How much progress have enterprises made?
Gartner says that overall, enterprises are getting better at understanding cloud security. The analyst firm predicts that by the end of 2016 "40% of enterprises with more than 1,000 employees, and 80% of organisations with over 10,000 employees, will have policies and practices in place to approve and track the use of SaaS".
Furthermore, a growing number of organisations will put at least some sensitive data in the public cloud. According to Gartner: "The number of enterprises with policies against placing any sensitive data in the public cloud will drop to 5% by 2017."