Cloud Confusion: Who Handles Data Security?
As enterprise adoption of public cloud services accelerates, confusion persists among cloud providers and customers over responsibility for data and application security.
A vendor survey of 300 IT decision makers released this week confirms that public cloud adoption is growing at a rapid rate as a range of industries look beyond on-premise datacenters to scale storage and computing.
The survey released Tuesday (Sept. 19) by data security specialist Barracuda Networks Inc. revealed that a healthy 44 percent of respondents run their infrastructure in the public cloud. That percentage is expected to double over the next five years, the survey forecast.
Despite growing adoption of public cloud services, security concerns persist, with nearly three-quarters of those polled still worried about data and network security as new vulnerabilities emerge on a weekly basis.
With more data governance and privacy regulations, the survey uncovered a new concern: confusion over data security responsibilities in the cloud. Seventy-seven percent of those polls said public cloud providers are responsible for securing customer data in the cloud. Meanwhile, 68 percent of IT executives said cloud providers are also responsible for application security.
Despite—or perhaps because of—confusion over the "shared responsibility" model, 30 percent of enterprises have yet to add additional security layers to their public cloud deployments. Security "remains a key concern for organizations evaluating public cloud, and there’s confusion over where their part of the shared responsibility model begins and ends," Tim Jefferson, vice president of public cloud at Barracuda (NYSE: CUDA), noted in releasing the survey results.
"Many organizations realize that their cloud deployments can be inherently more secure than an on-premises deployment because cloud providers are collectively investing more into security controls than they could on their own," Jefferson added. "However, the organizations benefitting most from public cloud are those that understand that their public cloud provider is not responsible for securing data or applications and are augmenting security with support from third-party vendors."
Security vendors such as Barracuda, Campbell, Calif., are betting the shift to hybrid IT and multiple cloud vendors will increase complexity. Hence, cloud security specialists are broadening support for on-premise as well as cloud deployments. They are also offering licensing options designed to meet layered security requirements for protecting customer data and enterprise applications.
With the rise of multi-cloud and hybrid cloud deployments—on average, the survey found that enterprises are using three public cloud providers—security firms also are pitching centralized management schemes as a way of reducing complexity while addressing the current disconnect over who precisely is responsible for securing data.
Microsoft (NASDAQ: MSFT) extended its cloud security efforts last week with the release on its Azure cloud platform of "confidential computing," or encryption of data while in use, “a protection that to date has been missing from public clouds,” according to Microsoft CTO Mark Russinovich.
Cloud customers are meanwhile beginning to take security matters into their own hands: two-thirds said they are adding security features when accessing public clouds while 64 percent said they route branch office traffic to their headquarters and then relay it to public clouds via a dedicated network link at a central location, Barracuda reported.