In this day and age, I feel almost embarrassed to write about cloud as though it’s somehow special or different, or even deserving of its special vaporous moniker. Cloud is simply how things are these days, so it’s no surprise that enterprise cloud adoption is on the rise – and for good reason. Cloud environments provide organizations with enticing benefits – such as agility, scalability, cost benefits and innovation. And according to a forecast from Gartner, the market for cloud services will grow 18 percent this year, to $246.8 billion in total worldwide revenue from $209.2 billion. But just as we always had to consider security in traditional compute environments, enterprise organizations must consider the security of their data when they move to the different operating environment of the cloud.
In the June Geekwire Cloud Tech Summit, Microsoft cloud executive Scott Guthrie made some rather thought-provoking remarks about cloud security. According to Guthrie, “If people say, ‘If I sign with you, can you guarantee I won't be hacked?’ If I say yes, I’m lying.” Guthrie also notes that when it comes to cloud security, “you can never be paranoid enough.” This is not to say that everything is hopeless or that Microsoft is worse than other providers. Far from it; Guthrie is simply reflecting the reality that achieving security requires effort and understanding, and nothing is inherently 100 percent safe. (Fortune’s Barb Darrow has a more complete report on the conference and key takeaways.)
The State of Cloud Security
All cloud service providers (CSPs) advertise security offerings in their services, and they certainly offer some benefit, but be sure to read what you’re getting. In the main, these are essential but basic features that all users need configured the same way: bulk encryption or firewalling, for example. Meanwhile most reported problems in cloud environments have stemmed from the more detailed or customer-specific areas for security that can’t be easily commoditized or generalized – a compromised credential or misconfiguration at the enterprise level, not the cloud provider. For a deeper dive into the recent AWS data leaks and what your organization can do to shore up its defenses, check out my colleague, Charles Goldberg’s recent blog post here.
Perhaps as a result of the built-in security defenses in cloud environments, when we conducted the 2017 Thales Data Threat Report – Advanced Technology Edition we found that while concerns about using the cloud are still quite high, they have dropped somewhat from a year ago – typically in the range of 8-12 percent from last year. Nonetheless it remains one of the biggest inhibitors to an organization’s digital transformation. But just as CSPs like AWS always remind their customers, cloud security must be a shared responsibility – and to that I would add that it must also be a shared priority.
Enabling Security While Juggling Multiple Clouds
As organizations are deciding where best to run their applications and store their data, many are debating whether to work with a single CSP, or to spread their workloads across multiple clouds. Whether for pure redundancy and choice, or for considered reasons of best-in-class specialist provider sourcing, the multi-cloud approach is winning. According to IDC’s Worldwide Cloud 2017 Predictions, by the end of 2018, over half of enterprise-class businesses will subscribe to more than five different public cloud services. ESG research also shows that 75 percent of current public cloud infrastructure customers use multiple CSPs.
This multi-cloud approach is what I would call the “new normal” of cloud security. Just like organizations used to get their office suite, accounting, HR, email and networking software from multiple vendors, so too will they subscribe to their cloudy equivalents from multiple providers. And as data flows between these multi-cloud services, securing it can be especially problematic for organizations seeking compliance since they need to prove they can control their data by following best practices around cloud data security shared responsibility models.
Thales Enables Trust in Cloud Environments
The security of any cloud service depends on the level of protection given to the cryptographic keys used to protect sensitive data. These keys are the root of trust in an enterprise’s entire system – if they are lost, so is the data. If they are stolen, secrets might not stay secret for long. If they are compromised then access control assumptions may not hold.
Last week, we announced new capabilities to help organizations simplify control and ensure compliance over data security in multi-cloud environments. Our solutions integrate with the leading CSP platforms from AWS, Google, Microsoft and Salesforce, allowing users to establish strong safeguards around their sensitive data and applications in the cloud.
Whether your organization opts for a single-cloud (for now) or multi-cloud (from the start) strategy, Thales enables you to trust cloud services with more of your valuable information assets, giving you the confidence to accelerate cloud deployments – even (especially!) in hybrid deployments with traditional data centers.
To learn more about Thales’s solutions for single- and multi-cloud environments, leave a comment below, or tweet me @jongeater.