Is “perception” the main barrier to adopting the Cloud for sensitive information?
As a Cloud Architect at Nexor, I have many conversations about adopting cloud technologies and how to securely exchange information. There is always a great deal of debate to be had.
The question we attempted to tackle was: “What was the barrier to adopting the Cloud?”
A Hytrust study in April 2016 found that the perennial concern executives have with cloud adoption is security. About 67% said security concerns will slow cloud migration, whilst 55% predicted more data breaches and security problems in the year ahead. But despite these concerns, about 70 percent said they believe security will become less of a concern for cloud services by the end of the year.
The study summarised that:
“This disparity is the result of a mismatch between the technologies that are available to solve security problems and the prevailing attitudes about cloud’s ability to be secure…. there seems to be more of a perception issue with the cloud”.
So, we asked the cyber security professionals in York what they thought the main barrier to adopting the Cloud was.
As you can (nearly) see in the online poll we conducted, trust in the Cloud Security Provider and problems with accreditation were the two major barriers cited. And, as the discussion in the workshop flowed, it became apparent that there was a consensus that these two barriers overlap a great deal, with a Cloud Security Provider needing to convince both the customer and an accreditor about a lot of the same issues.
In the workshop, we explored how the National Cyber Security Centre (NCSC) has set out a framework of “14 Cloud Security Principles” that organisations need to consider when procuring a cloud service – summarised in the graphic below.
As part of your procurement process, the NCSC recommends that you should assess the proposed services against these principles to ensure you are being offered the security controls your organisation needs.
Also of relevance is the Cloud Security Alliance’s (CSA) “Security, Trust & Assurance Registry” (STAR), which contains both a more detailed controls framework and a registry of how Cloud Security Providers implement the controls.
Both of these frameworks (NCSC and CSA) cover governance. The STAR registry contains details of the governance processes the Cloud Security Provider implements, and details of the audit reports that are made available for you to obtain confidence they are doing what they claim to be doing.
Using these tools, you can establish what security controls the Cloud Security Provider has implemented and what governance mechanisms, including audit regime, it has in place, enabling you to come to a risk judgement of the viability of the environment.
Nexor’s specialism is in ensuring the secure exchange of information into, out of, and within those cloud environments. You can read more about this in our white paper “Enabling secure information exchange in cloud environments”.
It appears that the barrier to adopting the Cloud has moved on in the last 12 months – from a question of perception, to establishing trust in the Cloud Service Provider.
At the same time, we have seen a major change amongst our customer base in Government, Defence and Critical National Infrastructure towards exploring and, in some cases, starting to deploy the Cloud for storing sensitive information.
Author Bio - Joshua G. Edwards
Joshua G. Edwards is a Cloud Architect at Nexor providing solutions that allow Defence, Government and Critical National Infrastructure organisations to use cloud technologies. He is an experienced full stack web developer turned technology architect and DevOps engineer, with a BSc First-Class Honours in Web Design and Development from Northumbria University.