NEW YORK -- Despite the increased adoption of cloud computing in the enterprise, many executives are still wary about moving their data to the cloud. And while much of their reluctance stems from security and privacy concerns, those fears aren't always valid.
In fact, many organizations' cloud security fears are based largely on myth, said Paul Mazzucco, chief security officer at TierPoint LLC, a cloud and colocation services provider based in St. Louis. There are four myths, in particular, that keep executives up at night, Mazzucco said at the Cloud Computing Expo here this week.
Myth one: Data is inherently less secure in the cloud
Many executives wrongly assume their data is more vulnerable in the cloud than it is on-premises, Mazzucco said.
These concerns are heightened when business executives, in the wake of recent high-profile data breaches, drive more and more of the cloud security conversations within an organization.
"We have a tech committee that is basically a few of the head shareholders of our firm – [they're] not IT at all," said Jon Williams, regional support supervisor at Ogletree Deakins, a law firm based in Greenville, S.C. "All these [IT] decisions today are getting approved, and we will bring up ideas to them and vice versa. But they are the ones who are really trying to nitpick and ask questions."
Despite business leaders' concerns, data security is typically more robust in the cloud than it is on-premises, Mazzucco said. This is because the majority of cloud providers build security -- often using a multi-layered approach -- into their infrastructures from the ground up.
Moving data to the cloud also reduces the risk of shadow IT, or users bypassing IT to access unsanctioned cloud apps. While most executives believe their business runs 50 or fewer cloud-based apps, the average enterprise uses more than 500, Mazzucco said. Deploying a formal cloud strategy gives IT more transparency and control.
Myth two: A security strategy can wait
Defining a cloud security strategy should be top-of-mind for both the business and IT from the get-go of any cloud deployment. Simply bolting on security after deployment is a risk no business should be willing to take, according to Mazzucco.
"It's an action to take now," he said.
Even after an organization puts proper security measures in place -- and ensures, via a service level agreement (SLA), that its cloud provider is doing the same -- ongoing monitoring and reporting should always be a priority.
Myth three: A certified cloud provider guarantees protection
Many organizations assess a cloud provider's security model based solely on the number of compliance or regulatory certifications that provider holds. But that shouldn't be the case, Mazzucco warned. Instead, IT should always "go to the next level" to evaluate a provider's security environment.
"Always validate the compliance claims your provider has handed to you," he said.
To do this, enterprises should conduct independent security assessments of their provider, or enlist a third party to do so. As a starting point, reference the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire, a list of questions cloud users and auditors should ask of potential cloud providers.
Moreover, organizations should always demand at least some transparency into their provider's security practices, and put that language in an SLA, where possible.
Myth four: Set it and forget it
Just as IT shouldn't cobble together a security strategy after deployment, they can't forget about that strategy when it’s live, either.
A solid cloud security model is one that's constantly evolving, Mazzucco said. It should entail a multi-layered approach, ongoing and advanced threat detection, real-time alerts and consistent monitoring and reporting. Continuously updating antivirus and antimalware technology should be just as much a priority in the cloud as it is in on-premises environments.
"The old 'out of sight, out of mind' mentality is dangerous when it comes to cloud security," Mazzucco said. "Of course, having a dedicated group who looks at all the layers of compute, all the logs, everything that equals a security environment is leaps and bounds [better] over the old approach."
Kristin Knapp is site editor for SearchCloudComputing. Contact her at [email protected] or follow @kknapp86 on Twitter.