Enterprises face security lapses in the cloud

Slightly over 10% of the respondents currently have cloud computing projects in production, and close to half are either implementing or piloting new cloud applications, according to a survey of 1,200 IT decision makers in the US, UK, Germany, India, Canada, and Japan.

“One thing that stood out is that we’ve got a lot of existing cloud apps that have security problems and a whole bunch of new ones coming in that are being built the same way. So we are positioning ourselves to have more security problems coming up unless people take the right steps to secure their cloud”, said Dave Asprey, vice president of cloud security at Trend Micro.

An interesting finding is that 7% of those surveyed said that they did not use a cloud service providers, even though they identified cloud service provider as vendors they were working with.

“Sometimes people aren’t even sure that they are working with cloud vendors. They think, ‘Oh no, that’s just outsourcing’ but they might not know that it’s outsourcing to a company that uses the cloud….So it seems like the cloud is pervasive, but people don’t even know that they need to be thinking about it from a security perspective”, Asprey told Infosecurity.

A full 85% of those surveyed said that they encrypt data stored in the cloud, but they are using encryption key techniques that are vulnerable, the survey found.

Asprey said that the one of the best steps companies can take to improve cloud security is to implement a policy-based encryption key management service or software product. The vast majority of those surveyed were not using such an approach, he added.

“Companies are taking things that used to work when they controlled the data center and putting them in the cloud, which opens up obvious holes”, Asprey said.

According to the survey, the top barriers respondents see in adopting cloud computing services are concerns over security of data or cloud infrastructure (50%) and performance and availability of cloud service (48%).

“What we found is an almost equal weighting between security and performance and availability concerns. This is completely new and a shift that happened as a result of well-publicized business outages that came about as a result of security problems”, Asprey explained.

“Security is now becoming conflated with performance and availability. In the past, these were separate items and they were looked at separately; now the availability guy has to talk with the security guy because it has become such an issue due to aggressive organized crime hacking activities” that cause downtime, he concluded.

What’s Hot on Infosecurity Magazine?