Clutch's new survey data analyzes trends in cloud security, revealing companies' preference for the cloud, their willingness to invest heavily in additional cloud security, and the most popular cloud security features and regulations.
The cloud is a hot topic in the IT industry. Once considered a foreign and insecure technology by many users and companies, the cloud has gained respect and popularity rapidly over the past few years.
In the first report of Clutch’s Annual Cloud Computing Survey, we examined trends encapsulating how businesses use the cloud in 2017.
In this report, Clutch takes further data from the survey to examine trends regarding cloud security specifically.
Unsurprisingly, we find that among businesses using the cloud, there is a strong preference for the technology. Furthermore, businesses as a whole are spending large amounts on additional security features.
Lastly, we examine security risks with the cloud, and discuss popular means companies employ to protect their data in the cloud.
The data is from 283 IT professionals at businesses across the U.S. that use cloud computing.
- Nearly 70% of businesses feel more comfortable storing data in the cloud than on a legacy system.
- Over half (56%) of businesses spend more than $100,000 on additional security measures for their cloud.
- Nearly 1 in 4 businesses on the cloud utilize IoT features, despite potential security concerns.
- Almost two-thirds of businesses (65%) follow regulatory standards from the Cloud Security Alliance.
- Additional encryption is the most used additional security feature.
Strong Preference for the Cloud
For those businesses already on the cloud, the technology is largely preferred over legacy systems. This may be due to a variety of factors, including increased comfort with the concept of the cloud and cost.
Almost 70% of these businesses say that, in regards to security, they feel more comfortable storing data in the cloud as opposed to on a legacy system.
In many cases, the cloud’s security is stronger than what a business can provide with its own system, especially when it comes to smaller-sized companies.
Consider how an average-sized business’ data center may simply sit behind a locked door in an office building accessible by many people.
Instead, large cloud service providers’ data centers follow strict security regulations and may have a number of high-end security features, including biometric identifications, surveillance cameras, redundant power sources, and tall fences and concrete walls.
Since a cloud service provider’s business mainly revolves around security, they will spend more and focus more time on protecting data than an average business could potentially afford.
In addition, businesses migrate to the cloud for a variety of other factors, and thus their preference for the cloud could be based on any number of elements that provide an advantage over legacy systems.
Kevin Rubin, President and COO of Stratosphere Networks, a Chicago-based IT managed service provider, discusses some of these elements:
“Some users move to the cloud because they want to reduce internal support costs and responsibilities. Another chunk are simply attracted to the easy-to-understand monthly costs structure, which can be found on the cloud, as opposed to out-of-pocket cost.”
Any one factor could be the necessary advantage to justify a business’ migration to the cloud. Rubin also said that generational differences can play a part in feelings towards the cloud.
“As the younger generation grows up using more cloud solutions such Skype or instant messaging – those methods of communication make it only easier for people to move to more cloud systems because that’s what they are used to.”
As the cloud becomes more and more an everyday aspect of IT environments, challenges towards its adoption will likely lessen. It may become what IT professionals are most used to, as opposed to a foreign obstacle to tackle.
Spending on Cloud Security Measures
When it comes to security, many businesses are investing a lot of money in additional security features.
Over half of businesses are spending more than $100,000 per year on additional security measures for their cloud service.
Unsurprisingly, though, this measurement varies based on companies’ sizes. Almost 70% of businesses with 1,000+ employees spend more than $100,000 on additional security measures, while less than one-third of businesses (32%) with less than 1,000 employees do the same.
Jeremy Przygode, CEO of Stratalux, Inc., a California-based Amazon Web Services (AWS) Advanced Consulting Partner and Managed Service Provider, spoke to how this cost might be due to skepticism towards the cloud’s security.
“Cloud, at the end of the day, is a multi-tenant architecture so you’re sharing resources with other cloud vendor customers,” said Przygode. “Because of that, there’s an inherent thought of less security or less ability for others to intervene. They might want some heightened view into it with new tools and solutions.”
Yet, the high spending may also be due to a greater awareness of a company’s responsibility when it comes to application-level cloud security.
In the first report in this series, we broke down the three elements of cloud security: physical security, infrastructure security, and application-level security.
Application-level security involves which users can access data, how they access it, and other individual interactions.
While physical and infrastructure security are mainly the responsibility of the provider, application-level security falls more within the responsibility of the company and its users.
For example, a cloud provider cannot fully protect a user’s data if the user is sharing their password freely, if they aren’t regulating which users can and cannot access the data, or if the user falls prey to a spear phishing attempt.
Haresh Kumbhani, Founder and CEO of Zymr, Inc., a San Francisco-based cloud consulting and agile software development services company, spoke on the increasing awareness among companies.
“There is suddenly a number of people recognizing that application-level security needs to be done by the user, not the vendor,” said Kumbhani. “If this is the case, then they need to invest top dollar in securing the data.”
While the cloud is, in many ways, incredibly secure, you must account for unpredictable user error by implementing safeguards for application-level security.
The Internet of Things Poses Risks
The Internet of Things (IoT) grows rapidly – and its security risks grow alongside it.
IoT is the interconnection of everyday objects with the Internet, and its scale is largely made possible by cloud computing.
IoT objects can include anything from smart thermostats, which automatically adjust heating, to biochip transponders on farm animals, to electronic toll collection systems on highways.
Clutch’s survey found that nearly 1 in 4 businesses on the cloud are utilizing IoT services.
On October 21, 2016, the world experienced a significant hack, which led to severe traffic disruptions for a number of popular websites, such as Netflix, Amazon, and The New York Times.
The attack was found to be caused by security vulnerabilities within a large number of IoT devices, such as smart printers and baby monitors. These devices are often not updated for new security vulnerabilities and may not even be thought of as hackable by everyday users. Who would consider their baby monitor to be a security risk?
Yet, the dangers are real.
Jamie MacQuarrie, co-founder of Appivo, a platform for developing cloud-based web and mobile applications, spoke about the current state of IoT security.
“Nascent is the first word that comes to mind [regarding IoT security]. For every company that properly locks down IoT-enabled machines on a factory floor, you have thousands of unsecured ‘smart’ lightbulbs.”
These scenarios can arise from a simple ignorance of these device’s security vulnerabilities. While many IoT devices are well-secured, others are simply overlooked because they become so ingrained in our daily lives.
“Consider an auto plant with automated manufacturing lines sending data to a cloud for analysis… it’s probably tightly secured because a hacked production line means serious down-time that directly impacts the bottom line,” said MacQuarrie.
“Now consider a well-intentioned employee that installs an unsecured smart lightbulb in the break room, providing a gateway for hackers to pick away at the more secure internal systems,” continued MacQuarrie. “At that point, [the hackers] are across the moat and through the draw bridge, and nobody even knows it.”
For example, the well-known Target payment systems hack in 2013 was made possible by a remotely accessible HVAC system, explained MacQuarrie.
As the number of objects connected to the Internet grows at a rapid pace, the number of potential targets for hacks increases exponentially.
The Internet of Things provides seemingly endless possibilities for innovation and improvement. However, IoT security needs to catch up, or the risks could begin to outweigh the benefits.
Protecting Your Cloud
Despite these fears, there are many ways to protect your cloud. Following respected standards and regulations is a good means of ensuring your security is up to par.
There are many regulations, both voluntary and mandatory, that seek to protect data in the cloud.
The Cloud Security Alliance (CSA) offers by far the most popular standards, according to our survey.
The Cloud Security Alliance has a large amount of research on the best practices for the cloud across a spectrum of industries. This includes research on data governance, big data, the Internet of Things, and more.
These are not enforced laws, but rather guidelines for the best means to use the technology.
Benjamin Caudill, CEO of cybersecurity firm Rhino Security Labs, said that Cloud Security Alliance’s standards are helpful when it comes to the commonalities among cloud platforms. However, the standards’ breadth is also their weakness.
“More developed cloud platforms (such as AWS) have services with very specific security needs. AWS permissions, for example, have very specific misconfigurations which wouldn't be covered in CSA standards,” said Caudill.
The guidelines still provide good general direction, though.
Other regulations are not optional. The third most-followed regulation, HIPAA, is law and has strict punishments for non-compliance. HIPPA, or the Health Insurance Portability and Accountability Act, dictates how medical information is safeguarded online.
The regulation includes numerous security requirements to prevent medical patients’ sensitive information from being compromised. Organizations found violating HIPAA can face fines of up to $1.5 million annually.
Following regulations are a good means of protecting your data in the cloud, especially for those with imperfect knowledge of the technology.
Consider Implementing Additional Security Features
Features such as additional encryption can add an extra line of defense to your data’s security.
In fact, almost two-thirds of businesses (64%) have implemented additional encryption as a security measure for their cloud service.
The majority of businesses have also implemented third party software or security management, on-site inspections and tests, and regular audits.
Encryption is an incredibly powerful tool for security. Encrypting data ensures that even if the information is compromised, hackers won’t be able to understand the data if they do not also hold the encryption key for translation.
To hackers without the encryption key, the data will simply read as a meaningless string of nonsense.
The Cloud Security Alliance, in their Security Guidance for Critical Areas of Focus in Cloud Computing, requires numerous levels of encryption for their guidelines, including:
- Encrypting all sensitive data moving to or within the cloud at the network layer
- Encrypting sensitive volumes in IaaS
- Encrypting sensitive data in PaaS applications and storage
Data is encrypted by cloud providers when it is in travel. However, Skyhigh Networks, a security firm, published a report in 2015 that found that only 9.4% of cloud providers encrypt data at rest.
Encryption, whether data is in travel or at rest, is a largely simple and powerful way to protect your data from potential security risks.
Stay Aware of Your Cloud
Clutch’s data confirms or reveals several trends regarding cloud security.
First, our data confirms that among companies already using cloud computing, the cloud is strongly preferred over legacy systems.
Second, we find that companies are spending a lot on additional security features to protect their data. This may be due to risks surrounding sectors such as the Internet of Things, whose state of security is still “nascent.”
Lastly, we discuss how there are numerous ways to protect your data in the cloud from such risks. Companies can, and are often required to, follow guidelines such as those by the Cloud Security Alliance or HIPAA, which provide valuable recommendations.
Furthermore, companies should implement additional security, such as additional encryption, to protect against unexpected user error.
The cloud is a highly evolving technology and no matter if you prefer the technology or not, it’s vital to stay on top of security trends.
About the Survey
The survey consisted of 283 IT professionals at businesses across the United States that use a cloud computing service. The majority (65%) of respondents are male, and 35% are female. Three-quarters (75%) of the respondent pool are 25-44 years old.
Questions? Comments? Contact Riley Panko at [email protected]
About the Author
Riley Panko is a content developer and marketer at Clutch, a B2B research firm in the heart of Washington, DC. Her research focuses on the cloud. Reach out with questions, comments, or concerns at [email protected]tch.co.