Your Sensitive Data is Moving to the Cloud – Is it Secure?

Today, I begin a 5-part series of blogs discussing the results of a recent industry survey conducted on behalf of NetIQ to understand the perceptions of cloud security within enterprises worldwide. Extensive in scope, the survey gathered responses from over 200 IT managers (and above) to our questions on cloud security. We targeted security professionals across the North America, EMEA, and APAC regions who were currently employed at companies with at least 500 employees.

The results were often unexpected. Take, for example, our question about whether IT managers believed their sensitive data would become more or less secure as it moves to the cloud (we also gave them the option of saying it was “too soon to tell” how their data security would be impacted).

We anticipated that a healthy majority of respondents would say they believed their data would be less secure with a move to the cloud or, at least, that it was too soon to tell how the move to the cloud would impact data security. Surprisingly, about half (51%) of the respondents globally believed their data would be more – not less – secure with the move to the cloud. We also found that confidence levels in data security within the cloud varied wildly by region, with Europeans being the most sensitive to cloud-based data security, and IT managers in the USA least so.

On the face of it, the regional differences make sense. The US cloud provider market is more established than the nascent European market, whose growth has been delayed due to the many national and international laws at play. IT market researcher IDC predicts that IT cloud services revenue will reach $43.2 billion in the United States by 2016 – up from an estimated $18.5 billion in 2011. Along with that rapid growth, however, we’ve seen a rise in the misconception that migrating applications and services to a cloud infrastructure somehow diminishes cyber security risks due to the (perceived) sophisticated network security protections offered by the cloud provider. This is a dangerous assumption and probably one that contributed to the belief of 56% of the U.S. IT managers questioned that their sensitive data would somehow be more secure as it moved to the cloud.

In my blog post of last week, “The NSA Leaks: Security Lessons…and a Wake-Up Call”, I challenged security professionals to view the U.S. National Security Agency’s (NSA’s) PRISM program leaks as a wake-up call for those businesses and organizations that have grown complacent with the idea that their data is being protected adequately by “someone else”, be it a subcontractor or a cloud provider. I further posed the specific question of whether or not the incident would make organizations think twice about holding critical data on servers at cloud hosts, where presumably the government could, at will, see and gather it.

As the results of our survey showed, Europeans are more sensitive to cloud-based security. Fully 58% of the IT managers questioned believed their data would be less secure as it moved to the cloud, or were simply not sure (too soon to tell). Only 44% believed their data would be more secure. The NSA leaks will do nothing to change that perception. In fact, the scandal may prove a turning point for the region’s young cloud computing industry.

In a July 4, 2013 statement by the European Commission’s vice-president, Neelie Kroes, U.S. based cloud providers were warned that the recent actions of the U.S. government may have long term effects on their business model. Said Ms. Kroes:

“If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. That is my guess. And if I am right then there are multi-billion euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now…”

Some European cloud providers believe that the recent revelations of wide-scale, clandestine electronic surveillance by the NSA could hand them the competitive advantage they have long needed to catch up with the dominant American cloud providers. Touting “servers owned by Europeans and located in Europe”, they market their ability to provide cloud services based upon infrastructure that is independent of U.S. cloud computing giants, and seek to certify certain conditions such as contract terms that comply with national privacy laws.

Yet while these European firms seek to make the privacy of their citizens a competitive advantage, they must accept the fact that while storing sensitive information on European-owned and -located servers could shield it from the prying eyes of the NSA, it does nothing to protect the information from the attentions of intelligence agencies much closer to home.

Spying scandals, international inquiries and economic consequences aside, this simple fact remains: You must take back ownership of the confidentiality, integrity, and availability of your own data. It is ultimately your responsibility as a security professional to protect your organization’s sensitive data and to demonstrate compliance with the industry and governmental regulations that provide a framework of protection for that data. Relying on “someone else” to provide these protections, whether that other entity be a cloud provider or a subcontractor, operating in your particular region or not, is a risky proposition – one that is likely to result in serious reputational and financial damage when that big breach or compliance gap finally does occur.

Data-centric security programs remain the most targeted and effective way to protect your sensitive data as it moves to the cloud. Identifying sensitive data, applying appropriate layers of protection around that data, and tracking who is accessing it remain the best ways to respond to threats, meet regulatory requirements and minimize organizational risk – from anywhere and from anyone.

Thanks to NetIQ for the article.

 
