CISOs think cloud safer, but security fears remain

The majority of information security leaders think cloud is now safer than on-premise, but security fears remain, with recently breached and highly regulated organisations most concerned, poll reveals

More than three in five (61%) chief information security officers (CISOs) believe the risk of a security breach is the same or lower in cloud environments than on-premise, a study shows.

This marks a major tipping point in the perception of security of the cloud, according to Nominet, which commissioned the study based on a poll of nearly 300 senior information security professionals in the UK and US at large organisations in 10 industry sectors.

However, the survey also reveals that despite the perceived superiority of cloud over on-premise when it comes to security, respondents do not consider cloud systems to be completely safe, with only 10% saying they were not concerned about security in the cloud.

The largest group of those concerned about cloud security (32%) said they were “moderately concerned”, while 19% said they were only “slightly concerned”, 20% said they were “very concerned” and 17% said they were “extremely concerned”.

As new regulations such as the EU General Data Protection Regulation (GDPR) have increased the potential penalties, over half (56%) of respondents cited fines for data leaks as their biggest concern, closely followed by the increasing sophistication of cyber criminals (54%).

US respondents are more wary of the cloud than their UK counterparts, being almost twice as likely to be extremely concerned (21%, compared with just 13% of UK respondents).

Similarly, respondents from heavily regulated industries, such as healthcare (55%), financial services (47%) and pharma (46%), were more likely to be very or extremely concerned by the security risk posed by cloud.

Organisations that were breached in the past 12 months were also more than twice as likely to say cloud is higher risk (52%) compared with 25% of organisations that did not report a recent breach.

“Security has traditionally always been cited as a barrier to cloud adoption, so it is significant that the perceived risk gap between cloud and on-premise has disappeared,” said Stuart Reed, vice-president of cyber security at Nominet.

“It is evident that security concerns are no longer an insurmountable barrier to cloud deployments given the high adoption rate of cloud services. And, as we move into the ‘cloud era’, arguably security teams need to channel their concern into finding solutions that work with the cloud, just as they have been doing in an on-premise environment.

“The shift in attitude between on-premise and cloud doesn’t change the remit for security teams, it just puts us on a different type of playing field.”

Cloud strategies

The study also looked into the relative security of cloud storage strategies and found that a multi-cloud approach is seen to be more risky than hybrid and single-cloud approaches.

Those adopting a multi-cloud approach were far more likely to have suffered a data breach over the past 12 months, the study shows, with 52% reporting breaches compared with 24% of hybrid-cloud users and 24% of single-cloud users.

Companies with a multi-cloud approach are also more likely to have suffered a larger number of breaches, with 69% reporting 11-30 breaches compared with 19% of those from single-cloud and 13% from hybrid-cloud businesses.

“When it comes to ensuring resilience and being able to source ‘best-in-class’ services, using multiple vendors makes sense,” said Reed.

“However, from a security perspective, the multi-cloud approach also increases exposure to risk as there are a greater number of parties handling an organisation’s sensitive data. This is exactly why an eye must be kept on integration and a concerted effort be made to gain the visibility needed to counter threats across all different types of environments.”

While the cloud is sometimes viewed as a challenge for businesses, it is also seen by almost all companies as a security enabler. “The cloud gives organisations access to outsourced security services and managed security services to enhance their overall security posture,” the report said.

While the survey shows that the adoption of different cloud solutions is mixed, with software as a service (SaaS) at 71%, infrastructure as a service (IaaS) at 60%, platform as a service (PaaS) at 48%, business process as a service (BPaaS) at 30%, and framework as a service (FaaS) at 25%, the adoption of cloud-based security solutions, in contrast, is nearly ubiquitous at 92%.

The most popular cloud security tools are firewalls (55%), email security (52%), antivirus/antimalware (48%) and data loss prevention (48%). The majority (57%) of respondents said that they expected their cloud security budget to increase in the next 12 months.

“It makes absolute sense that organisations trusting an increasing amount of their data to the cloud are also utilising its benefits to improve their security,” said Reed.

“Security, more than any other enterprise IT function, requires speed of deployment and implementation. The ability of the cloud to rapidly deliver new security services that integrate easily into organisations’ existing systems is a key value driver and explains why cloud security tools have been adopted so broadly,” he said.
