In cloud storage land, it’s all roses, sunny skies and rock-solid security with fewer employees frittering away less time on securing data—that is, if you trust vendor-funded studies.
For example, Microsoft released a study this week that shows that 35 percent of small and midsize businesses have experienced higher levels of security in the cloud. (Whatever that means; I requested the full study to seek more granular detail, but neither Microsoft nor study preparer comScore had answered by the time this was published.)
Security management time for these lucky organisations is also reduced by 18 hours a week, according to comScore’s report summary. However, does that mean per information security professional or per company? This isn’t explained.
So that means that before they move storage into the cloud these SMBs spent a whopping 37 hours per week (19 plus the reported savings of 18 hours = 37 hours total) managing security, compared with the 25 hours that noncloud SMBs spend.
Does that mean that cloud users are in the habit of spending so much more time managing security than their noncloud peers? Does it mean they’re more frequently victimized by cyber-threats? Does it mean they’re somehow not doing security right?
These results might point to a large number of SMBs turning to cloud because they’re simply overwhelmed by the task of security management—small wonder, given the amount of time it’s sucking up for them.
This hypothesis is backed up by the fact that 41 percent of the surveyed cloud users felt that their cloud service provider was “entirely responsible for information security,” according to the report summary.
The numbers paint an image of overburdened SMBs, desperate to offload their entire security burden to somebody else. Fortunately, a larger number, 57 percent, felt they shared responsibility with their cloud provider.
And that’s exactly where organisations’ heads should be when it comes to cloud storage security, because you just can’t wipe your hands clean of certain elements of cloud security. As the report notes, organizations that turn to cloud still need to retain, for example, responsibility for client security.
It’s in cloud service providers’ interest, of course, to spin the data to show that security worries about embracing cloud storage are easing. Left out of the service providers’ rosy picture, of course, are situations such as the MegaUpload debacle, in which millions of users who stored data on the file-sharing service faced losing their documents forever when the law shut the site down for copyright infringement.
Interestingly enough, when Sophos polled conference attendees about cloud storage riskiness at Infosec Europe in April, 64 percent of the respondents said they thought that cloud storage is risky, but 45 percent said they still went right ahead and used it.
In general, people who attend security conferences are more attuned to security risk than those who do not, so I’d trust their perceptions over those reported in a cloud service vendor-funded study. But then again, security vendors make their money from security risk, so mix the results of surveys together, add a dollop of your own real-life experience and see what floats to the top, credibility-wise.
One of the biggest takeaways from the Sophos survey was that employees use cloud even when its security proposition is iffy and even when they don’t have their bosses’ permission. It’s just too easy to exchange and share and store files in the cloud; you can’t expect people to pass it up.
Chris Pace, a product specialist at Sophos, said you’ve just got to assume that users will take advantage of cloud services and prepare for the technology’s inherent security vulnerabilities. Otherwise, ungoverned employee use could lead to data compromise.
Whether businesses are using cloud services without official sanction, thanks to employees, or whether they’re using cloud because they (wrongly) think cloud will solve all their security problems, all organisations should be aware that all cloud services are not created equal.
Symform, provider of cloud network services, offers a few security issues to consider when choosing a service provider:
Pace recommends these other, simple precautions:
To which I would add one more bullet point:
Does your cloud knowledge inspire confidence? Try our quiz
F5 says BIG-IP application delivery controllers used on many corporate and government networks are vulnerable…
A fire at Natanz uranium-enrichment facility may have been a cyber-attack Iranian officials say, recalling…