This also got me thinking about some research that we recently commissioned and how, even in today’s super-technical and highly sophisticated security world, many organisations still rely way too heavily on simple blind trust.
Astonishing, I know, but that is what we found when we surveyed over 100 IT decision makers and security experts who use cloud infrastructure and/or Disaster-Recovery-as-a-Service. We embarked upon this research with Enterprise Management Associates (EMA) because we wanted to better understand the way in which cloud deployment impacts the IT security and compliance postures of companies across North America. And although this was a North American study, to be honest, I think the same principles apply to any organisation regardless of location.
I have to say that the findings were enlightening.
Why? Because nearly half of the security experts EMA polled said they just trust the cloud to be secure and compliant. More specifically, 47% of security personnel stated that they ‘simply trust’ their cloud provider to meet security agreements without further verification.
Now, iland runs a cloud. And we really love it when people trust us - it's core to our value proposition. But we also encourage organisations that we work with to verify, not to just have faith in our marketing, our assortment of compliance logos or our brand.
And that leads me to the key point of EMA’s study: Blind trust is not a security strategy.
Perhaps because blind trust in cloud vendors is so prevalent, the study also found that far more teams are just adding a host of security technologies on top of their cloud workloads. It seems loading up their workloads with nearly 50% more "stuff" than on-premise helps make that trust feel less scary.
In fact, the survey found that ‘security features’ topped the list of priorities that companies consider when selecting a cloud provider, ranking above performance, reliability, management tools and cost. EMA also noted that it may be easier to deploy and update these technologies in cloud than on-premise and that IT now sees cloud adoption as an opportunity to improve security with previously unused technology. Further, when asked why they had not deployed specific security features in the cloud, respondents indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was not necessary.
But, I can’t help feeling that this is like adding a wheel lock to an unlocked car. Or like setting up motion-activated lights around your house without checking that the front door is actually locked.
Furthermore, the evidence pointed to a real lack of organisational ability to consume the information coming off these security technologies, with gaps in security tool integration, analytics and reporting. So in reality, what this means is: if the alarms go off, will anyone actually come and check the property? And how can you be certain nothing was stolen? Do you actually know?
In my view, this isn't really the fault of IT teams, who we already know are completely overwhelmed by the sheer volume of work hitting them on a daily basis. Responsibility and accountability go far beyond their control. If anything, they are deploying the best strategies they can to shore everything up.
That said, I would propose there is another way - one in which you find clouds that do integrate security technologies, make sense of alerting and provide on-demand reporting. You find clouds where your desire to verify security is welcomed - not questioned. In short, you find a partner, not a supplier, who can work to provide all the verification you need.
I am sure that over the course of the coming week there will be an abundance of new and innovative approaches to securing your infrastructure at Infosec 2016, but to be honest, if all we are relying on is blind trust as the best security policy, much of this investment will be wasted.
If you are interested in reading the full published survey, entitled "Blind Trust is Not a Security Strategy: Lessons from Cloud Adopters", please click here. Alternatively, come and see us on our stand, number L24, at Infosec. We would love to chat to you.