The wisdom of Charlie Brown and Company, written over 50 years ago, reflects both the ambiguity and angst associated with putting the words ‘cloud’ and ‘security’ in the same sentence. What do those words conjure up in your mind? Do you see a ducky and horsie, or the grim reaper? If your answer is ‘it depends on which day it is’, you are not alone. It seems that we, as an IT community, continue to flip-flop on the topic.
Consider the following studies – 6 years apart - stating that security is the #1 obstacle to cloud adoption:
2009: DARKReading cited “Launchpad Europe”, a company that helps emerging firms with global business expansion. In the survey, 49.5 percent of businesses said they are not using or planning to use any cloud technologies within the next 12 months. Of that group, 50 percent cited "security concerns" as the primary reason.
2015: A jointly sponsored survey by several security companies and published by the Information Security Community on LinkedIn, found that security is the single biggest factor holding back faster adoption of cloud computing. More than 1,000 cybersecurity professionals responded to the poll, the informational Web site InfosecBuddy said.
All that said, cloud adoption - be it SaaS, public or hybrid cloud - continues to ramp, seemingly unabated:
2015: A recent Forbes report on Global SaaS software revenues forecasted $106B in 2016, increasing 21% over projected 2015 spending levels. A Goldman Sachs study projects that spending on cloud computing infrastructure and platforms will grow at a 30% CAGR from 2013 through 2018 compared with 5% growth for the overall enterprise IT.
Soha Systems recently hosted a cloud security webinar with IDC Analyst Pete Lindstrom introducing the Emergence of the Cloud DMZ. (Full disclosure: I am the Sr. Director of Product Marketing at Soha Systems and co-hosted this webinar). We did our own polling during the webinar to get our audience’s temperature on the state of cloud security. Our results both mirrored and diverted from the aforementioned surveys, and revealed new, varied and unique-to-the cloud uses cases (and security concerns).
We first asked our webinar attendees (largely IT and security professionals at US companies with over 1,000 employees representing major banking, manufacturing and government organizations), to describe their status with respect to cloud security and Cloud DMZ:
Unexpectedly, respondents were basically still in an education and pre-deployment phase with 46% saying they were actively researching Cloud DMZ and other security options, while 54% said they have no active projects but were just trying to get educated. But no attendees claimed to be in an implementation phase. I acknowledge that Cloud DMZ is a new concept for many, but these results were surprising.
As the webinar proceeded, Pete Lindstrom and I discussed traditional and emerging security use cases for the Cloud DMZ, and solutions the Cloud DMZ could enable. Our last polling question focused on this, and again the results were unexpected. We asked:
It was illuminating to learn that our webinar attendees are grappling with a myriad of use cases. Managing third-party access / privileged access was the top use case, with 56% saying it was a security requirement. We hear a lot about this use at Soha, because traditional VPNs and SaaS-only single-sign-on solutions fall short with respect to security, privacy, ease of use and manageability. Multi-cloud routing, which 44% of the respondents said they were researching, is also a common theme for customers who need to connect users to applications in the cloud via the Internet. SaaS application protection (also 44%), as you might expect, is a common requirement. However the public cloud version of that – the Shared Security Model - where customers are responsible for providing their own application security was a mere (11%).
The cloud is often billed as a simpler, more agile way to execute IT strategy. And this is often the case. But, the cloud is also an enabler of doing business, sharing information, and collaborating in new, creative ways not contemplated a few years ago. Security will remain a concern. Enterprises should not assume traditional security vendors can retrofit their products to meet these new requirements. Rather, the focus should be on cloud security solutions that were born in the cloud, and have the perspective and understanding of the requirements for this new computing paradigm.