Enterprises considering adopting public clouds are concerned about where their data is located and how it’s protected, according to a new survey by IDG.
Companies will have about 60 percent of their IT environment in public, private, or hybrid clouds, according to a survey of about 1,000 IT decision makers.
Of those considering public cloud deployments, the top concerns were where data is stored, at 43 percent of respondents, and security, with 41 percent of respondents.
And with all the high-profile hacks of well-known online brand names, it’s no surprise.
However, clouds are not necessarily less secure than on-premises deployments, said Rich Campagna, VP of Products at Campbell, Calif.-based Bitglass, Inc.. The company’s research team is working on a cloud adoption report that examines cloud usage at more than 120,000 organizations, which will be released next week.
“What many have started to realize is that cloud app vendors have invested massively in security and aren’t suffering from the major hacks that some had predicted,” he said.
However, there are challenges in getting full visibility.
For example, multi-tenant cloud environments can make it difficult to monitor data in motion, said Ananda Rajagopal, VP Product Management at Santa Clara, Calif.-based security vendor Gigamon Inc.
“One cannot just tap into a virtual switch,” he said.
Even just finding out where the data is kept can be a challenge.
“In a cloud computing environment, data is stored in logical pools, the physical storage spans multiple servers and often locations,” said David Rubal, chief technologist for data and analytics at Herndon, Vir.-based DLT Solutions, which provides technology and consulting services to public agencies. “With this model, it is very difficult for a cloud provider to pinpoint exactly where any portion of customer data is stored.”
And even when the vendor does provide information, it’s not always easy for a customer to confirm that it’s accurate, said Monzy Merza, head of security research at San Francisco-based Splunk Inc. “So cloud customers may feel that they taking the vendors word for it.”
Many vendors, however, are beginning to take transparency seriously, said Michael Sutton, CISO at San Jose-based cloud security vendor Zscaler, Inc.
“Consumers should insist that cloud providers pull back the curtain and explain how their infrastructure is operated, maintained and secured,” he said. “If a cloud vendor refuses to tell you where your data is stored, look elsewhere.”
In addition, 46 percent of the survey respondents said that they need to ensure that cloud service providers’ security meets their compliance requirements before moving ahead with deployments.
Unfortunately, vendors aren’t required to share proprietary security information, and many will often provide details only to their largest customers, said Richard Cassidy, technical director at Houtson-based Alert Logic, Inc.
Third-party reviews can help, said Dana Simberkoff, Chief Compliance and Risk Officer at Jersey City, NJ-based AvePoint Inc.
“Many leading cloud service providers — including Microsoft, Amazon and Box — have already taken steps to document and certify their cloud solutions,” she said. “But the obligation still falls on a company to evaluate their cloud provider.”
There’s also the FedRAMP accreditation program, which certifies that a vendor can secure data in the cloud, said DLT’s Rubal.
Finally, there is a growing ecosystem of vendors who provide third-party visibility, security and monitoring services, said Splunk’s Merza.