Cloud adoption continues to top the charts as an industry must-have – but are the risks outweighing the benefits?

Cloud adoption continues to be an industry must-have for growing business opportunities. A pivotal point has been reached in the enterprise due to cloud-oriented businesses attracting more customers. The conversation has moved from where the cloud is going next to technology leaders considering it as a serious business must-have - and asking how it can benefit their organisation.

But are the risks outweighing the benefits? Today’s increasing usage of cloud is coinciding with heightened security threats. Although cloud enables workforces to have the freedom and flexibility to work remotely and have more control over their workload and devices – it also opens up a huge risk to companies.

A study by the Cloud Industry Forum shows that the overall business cloud adoption rate in the UK now stands at 88 per cent - with 67 per cent of users expecting to increase their adoption of cloud services over the coming year. No one could predict how the future of global networking would evolve when cloud was first conceptualised by J.C.R. Licklider in the 1960s. In the early days, only five per cent of an organisation’s workload was part of the global network in the cloud but now, Gartner predicts that more than 50 per cent of outsourcing deals will be influenced by cloud adoption strategies. Meanwhile, Forrester predicts the global public cloud market will rise to $236 billion in 2020.

There are many positives to adopting cloud, especially a hybrid cloud solution; from improved efficiency, a competitive edge and reduced costs to a step change in flexibility and scalability. For instance, it’s much easier to update your capabilities to fit your requirements and allocate and reallocate resources to meet changing workloads as and when needed using cloud. A hybrid cloud architecture is also more flexible in terms of security, as confidential information can be stored on a private cloud while the public cloud is still leveraged for other needs. It also has the added benefit in that security policies can be applied consistently across the infrastructure, ensuring that wherever workloads reside, they have the appropriate level of protection.

However, while businesses are seeing the cloud as a means for flexibility and growth - without the upfront costs of investing in their own physical data centres - there are real concerns as to how secure their critical data will be once it’s in the cloud and who exactly is responsible for that security.

A massive two billion records were stolen in 2016; partly because traditional methods of IT security, such as firewalls, aren’t protecting businesses from the shifting threat landscape. Global enterprises in 2016 experienced increasingly numerous, varied and sophisticated security threats. For instance, CyberEdge Group reports a staggering 61 per cent of companies were attacked by ransomware last year. Today’s cloud is currently as safe as a normal firewall was about seven years ago.

Many of the security risks are also coming from remote users increasingly adopting their own cloud applications to access data on company devices and connecting to different networks. This naturally creates problems for businesses in protecting their data and opens them up significantly to the threat of cyber-attacks.

At Arrow’s ‘Security in the Cloud’ 2017 event, Stephen Davies, Strategic Alliances Director at FireEye, explained how issues with cloud services could affect businesses - referring to an incident in March where an update was misconfigured: “We saw the impact of a service disruption at a cloud provider recently. This wasn’t a security threat but a patch problem. However, I think this demonstrates the potential vulnerability of organisations. In the cloud, security becomes more challenging as it hides visibility and therefore impacts remediation. This means that it’s critical that companies adopt the right approach and the end-point is a crucial part of this.”

Furthermore, with the upcoming GDPR (General Data Protection Regulation) to protect EU citizens’ data, no one can afford for their data not to be protected. By the 25 May 2018 deadline, companies will need to apply improved measures to ensure they comply with the new regulation or face penalties up to €20 million or four per cent of annual global turnover (whichever is higher) for the severest breaches.

So where does this leave security in the cloud? And who is responsible for securing it - the provider, the company, or the user? 

As cyber-attacks have become more advanced and aggressive, simply implementing more firewalls just isn’t going to cut it. When dealing with these threats, the point product strategies of the past don’t come close to providing the required protection. Companies cannot yet purely rely on security solutions in the cloud, they still need on-premise solutions as well. This isn’t to say that the basic levels of security aren’t still valuable, but they aren’t enough by themselves. By not relying on one technology, access to network applications and other indispensable services such as email are assured and never lost.

To ensure they are completely secure, organisations and their data now need to be enhanced by other security layers and technologies. The best way to tackle the security landscape in 2017 is through a proactive and multi-layered stance - a move away from individual solutions providing security at single points to a more holistic, identity-driven approach that addresses security concerns across users, data, devices and apps. Businesses must ensure they can detect an attack before it causes any damage by proactively monitoring behaviour on the network – both when users are working alone, and interacting with others.

However, another issue is that a significant number of companies – particularly in the IT channel -think it’s the cloud vendors’ responsibility for providing these security controls; when in actual fact it’s a joint responsibility for the cloud vendor protecting the infrastructure and the client responsible for the applications and data. But to be 100 per cent secure, businesses need a third-party layer that can provide more insight.

Security in the cloud today should be a collaborative effort in order to stay on top of the increasingly numerous, varied and sophisticated threats. Businesses need to be constantly questioning themselves in every way possible - and not only making sure systems are equipped to prevent, respond to and recover from those attacks, but that the multi-layered security software learns and adapts from the other layers. Organisations that take this into account will create more aware cloud platforms that can tackle threats quicker and more intelligently.

David Fearne, UK Technical Director , Arrow ECS
Image Credit: Rawpixel / Shutterstock