The Cloud Security Myth persists… but why?
Thursday, April 18, 2019
At this year’s London-based Techerati Conference (the new name for Cloud Expo Europe and associated shows), one of the themes that appears to have raised its head again is the question of cloud security.
This concern has dogged the industry for years in a variety of forms. The real issue is that it is not the same argument as when it first appeared; it has evolved.
Unfortunately, confusion arises because it is still being presented in the same way as in years gone by, namely:
“Our clients are concerned about cloud security.”
The long-standing reality is that cloud is often more secure than many other solutions, but the challenge of increasing technical complexity makes the management of security more difficult.
This is why the conversation about cloud security continues to be entirely relevant. Unfortunately, the unintended consequence has been that the myth and misconception surrounding it have persisted.
The cloud security landscape has evolved rapidly and is becoming even more sophisticated. Some of the biggest breaches in the last few years have been caused by engineers and developers making configuration errors that have resulted in significant reputational damage. Whilst these errors are often neither malicious nor intended, that does not alter the outcome.
The technology security industry faces the recurrence of an old challenge in an evolved form – addressing the people and process elements of technology security.
For example, the rise of microservices means that implementing the correct security settings is key, but significant oversight to check and verify these settings can both show a lack of trust in developers and slow down the rate of deployment, thereby negating the benefits of this approach.
Given that nearly one-third of organisations inadvertently exposed at least one cloud storage service in 2018, according to a Unit 42 report, it is clear that governance and security hygiene are factors that continue to need work.
Many organisations are still unclear as to where their responsibilities begin and end within their cloud agreements, so it is likely that cloud security concerns will be perpetuated. This is not going to be solved through a technical solution, but through a better understanding of responsibilities, governance and security hygiene.
The real question is which of the cloud security vendors will lead in the education and management of such hygiene-measuring services in the coming years.