Security is Still a Barrier to Cloud Adoption

Cloud computing has just about passed through its hype-and-adoption cycle: the first rush of enthusiasm gave way to confusion over how to implement cloud and cloud services, and many public and private organizations are now either adopting them or planning to.

Security, however, remains a major barrier.

That’s been a concern from the beginning, focused for the most part on the exposure an organization’s data would have when sharing space in a cloud vendor’s infrastructure with that of other organizations. This co-tenancy feature of the public cloud has been consistently high on the list of cloud users’ fears.

Other threats have since joined this one on the list, and security is now seen as a broad-based concern for the cloud that spans a wide range of issues. The Cloud Security Alliance (CSA), a global forum that collects best-practice expertise from both government and private organizations, last year published what it called its “Notorious Nine” cloud computing threats:

  • Data Breaches
  • Data Loss
  • Account or Service Traffic Hijacking
  • Insecure APIs
  • Denial of Service
  • Malicious Insiders
  • Abuse of Cloud Services
  • Insufficient Due Diligence
  • Shared (multi-tenant) Technology

On top of these, so-called Shadow IT—apps and services that are being used without an IT department’s knowledge or permission—has become a pervasive concern. Earlier in 2015, the alliance said that some 72 percent of the 200 executives and IT managers it canvassed for a survey admitted that they didn’t know the number of Shadow IT apps in their organizations.

Other revelations over the past year have only served to highlight the current state of flux of cloud security. MeriTalk, for example, found that just one-third of the agencies it talked to had met a June 5, 2014 deadline to ensure that their particular cloud solutions met FedRAMP (Federal Risk and Authorization Management Program) security criteria. Nearly 90 percent of agency IT executives said they were apprehensive about migrating applications to the cloud.

The Office of Management and Budget’s 2014 Federal Information Security Management Act (FISMA) report to Congress, released in February 2015, commented on security weaknesses with contractor systems, some of which resided in the cloud, found at the 17 agencies it examined. A third of them had systems that were “not compliant with FISMA requirements, OMB policy, and applicable NIST guidelines,” the OMB said.

Other concerns were that agencies didn’t reliably know whether the security controls of contractor systems and services were implemented properly, and that agencies did not have a complete inventory of the systems contractors were operating on their behalf.

Despite all of this, however, moving to the cloud has for most organizations become a matter of when and how, rather than if. Costs and other concerns mean IT organizations no longer have the resources to implement and manage by themselves every system and application that agencies need. The flexibility of the cloud for manipulating such things as network loads and shared services is also driving cloud demand.

Still, with security fears so rampant, organizations are being cautious. Most studies now suggest that two-thirds or more of those either planning or actually moving to the cloud are choosing hybrid cloud as their platform, for example keeping sensitive and mission-critical apps and data in private clouds behind the agency firewall and moving less sensitive things such as Web, email and collaboration apps to the public cloud.