Cloud adoption has grown in recent years as companies seek benefits such as reduced storage costs and improved mobility. These cloud deployment benefits, however, can be offset by often-overlooked security and risk management concerns, according to Chenxi Wang, a former vice president and principal analyst at Forrester Research Inc.
In this three-part SearchCompliance webcast, Wang discusses cyberthreats stemming from cloud use, as well as defense and security strategies to consider when moving operations to the cloud. Here in part one, she outlines cloud deployment trends and their associated risk and security concerns.
Chenxi Wang: Today we're going to be focusing on the cloud and cloud deployment, and what that means for your cybersecurity strategy. The cloud is certainly a big topic for IT and IT security, and it's been that way for a number of years.
I've seen cloud from its infancy, when people basically put applications in the cloud and called it multi-tenancy, then the migration from that to true multi-tenancy clouds and to the many different layers of clouds that is now happening: Infrastructure as a Service, Platform as a Service, all the way up to Software as a Service (SaaS).
So what's happening with cloud computing in 2013? The bottom line is that the public cloud option is primarily driven by the business, not by IT. We see across different industries that cloud deployment is driven by empowered developers, by business units who value time to market, and by those who value the flexibility and agility that the cloud brought to them.
The heaviest investments we see are in software services. Lots of cloud apps are really what we call the systems of engagement versus system of records. The distinction is that systems of engagements are really more active. They have a very active voice in client engagement, versus system of records that are more passive.
Given that core business transaction data is moving to the cloud, cloud security really tops the list of concerns for public cloud deployment.
Private clouds still remain a work in progress. Thirty-six percent of enterprise IT staff said that they were engaging in private cloud initiatives in 2012, but most of these efforts were not successful. They are primarily virtualization initiatives as opposed to true cloud building. The higher adoption rate is actually in virtual private clouds that are hosted elsewhere.
We get asked about hybrid clouds all the time, but most organizations are already hybrid. There are a lot of SaaS back-office integrations. If you're using SaaS, you likely are doing a certain level of back-office integration, and that means you're hybrid. There are a lot of different sourcing models happening across different business units, and you may have all different sourcing modules. Going forward, what will be key is really management of the hybrid clouds -- management in terms of integration as well as security.
In term of statistics, cloud adoption is really accelerating. From 2009 to 2011, the adoption was somewhat slow, but after 2011 we really see a high uptick for all three layers of clouds, with SaaS leading the charge.
Why are enterprises going to cloud? Agility is a top benefit, and 70% of people we talked to said, "Business agility and shortened time to market is why we've gone to the cloud," and 60% say innovation is one of the factors. Remote access, and obviously mobile access, is another factor that's driving applications into the cloud. Mobility is another visible driver for cloud adoption today.
One of the very interesting things that we're seeing is that, in the past, we saw a lot of public-facing applications, one-off computing tasks or things that require a lot of scalability changes, but are in themselves non-mission-critical workloads, going to the cloud. But recently and going forward, we see that core business transactions are increasingly being assimilated into cloud transactions and cloud applications.
If you look at the images in front of you, this is a survey we did in Q3 of 2012. We looked at more than 100 developers with firsthand experiences developing cloud computing applications.
The gray bars are the data that was hosted in the cloud at the time of the survey, and the blue bars are the types of the data that respondents expected to be hosted into the cloud within 12 months. At the time of the survey, lots of applications in the cloud had only public data.
In the future, that percentage of applications is being diverted. The survey found that in 12 months, developers expected to see more applications with core business transaction data moving to the cloud, and that is a very interesting trend. That brings me to our next topic, which is actually the main topic of the day: cloud security.
Given that core business transaction data is moving to the cloud, cloud security really tops the list of concerns for public cloud deployment. Sixty-two percent of the software decision-makers that we surveyed said they're concerned about security during public SaaS deployment, and 73% of the hardware or IT hardware-based executives were concerned about the security for public infrastructure service deployment. These are the top concerns in terms of a public cloud deployment -- more than performance issues, more than cost, more than anything else.
More on cloud deployments and security
Their concerns are valid. Cloud services really are big targets for security attacks because they concentrate data. Vendors may be well known and have high profiles, and they have lots of different clients. If hackers attack them, the possibility of getting valuable data is a lot higher than if they attack each individual organization.
In fact, we've seen this recently: Apple, Facebook and Twitter were all hacked. Twitter had 250,000 user accounts affected. Yahoo's mail users' accounts were affected. This is a fairly standard way of doing business for hackers.
If they compromise user account credentials, the first thing they do is they take the compromised credential, and they'll go to places like Gmail, they'll go to Twitter and sometimes Salesforce or some e-banking sites such as Chase or sites that have a lot of users. They'll scan these sites with the compromised credentials, and often they'll get a hit. Then they're able to compromise that user's Gmail account, or Yahoo mail account or Salesforce account because people reuse their passwords. That has been one of the big weaknesses of many breaches that we've seen.
When I interviewed cloud providers, I asked them, "What are the biggest security challenges for you to operate a cloud service with hundreds or sometimes thousands of user accounts, and with many applications?" Over and over again, the No. 1 challenge for them is improper password management by users.
It's not about how they complete security internally, because many of these cloud providers have a very solid team of IT security folks working for them. They complete very timely patch management. They scan the infrastructure continuously looking for possible vulnerabilities, possible signs of weaknesses, and they do those things essentially better, I would say, than most businesses can do internally. But what the cloud providers cannot manage is improper user password management, and that can lead to data compromises and breaches, subsequently.
Please visit SearchCompliance.com to view the next segment in this webcast, where Chenxi Wang will continue her discussion on cloud cyberthreats and defense strategies.