While cloud adoption seems to be rising, according to a recent report from McAfee, security confidence still seems to be in the fog. “The problem,” says Tom Smith, Research Analyst at DZone.com, “is the code and applications hosted in the cloud have inherent security flaws because companies are more interested in getting a product to market and generating revenue than they are ensuring their applications and the data they are collecting are secure.”

Smith, who has had the opportunity to speak to hundreds of IT executives about cloud computing, security, and many other IT issues, has found that there is “still a tremendous lack of knowledge, expertise, and trained professionals focused on security and everyone should be relying on the recommended ‘security best practices’ and security tools provided by the major public cloud vendors.”

People Are People

CloudSploit’s founder Matt Fuller begs to differ: in his view, most cloud security failures are the user’s fault. Fuller recommends that vendors continually monitor for security and configuration vulnerabilities. “Even the most secure cloud providers only offer security of the cloud,” says Fuller. “The user is responsible for security in the cloud. As groups, roles, and devices change, oversights and misconfigurations open vulnerabilities that lead to outright hacks. Unfortunately, a single misstep can compromise your entire infrastructure.”

But even the most diligent may not be able to keep up the pace. “Today, the average company is utilizing hundreds of cloud apps and may not even know all of them,” says Nick Belov, Chief Information Security Officer at Computer Generated Solutions, Inc. “Know and understand where your sensitive and confidential data is stored and processed. Ensure that those systems are evaluated by a credible security assessor, and review the results.”

The Data is Key

According to a recent report from Thales e-Security, two of the top three concerns about adoption and data security within cloud environments are: 1) 60% of enterprises would increase cloud use if cloud service providers offered data encryption in the cloud with enterprise key control, and 2) ‘lack of control over the location of data’ (55%).

“Safeguard the data,” advises Jim Crook, Senior Product Marketing Manager at CTERA. “Make sure you own user identities, metadata, encryption keys and always control data residency, network countermeasures and internal and external sharing policies.”

“This is what the good guys need to do before the bad boys get there,” says cybersecurity expert Ashwin Krishnan. He recommends identifying the sensitive assets in the cloud, encrypting them, and, most importantly, keeping the encryption keys locally or on another cloud. The rationale: storing the keys in the same cloud as the data they protect “is akin to keeping all your key assets in a safe deposit in a bank and keeping the keys to the vault in the same bank.” Not the best of ideas.

Help is On the Way

The Thales e-Security report additionally highlights steps that organizations interested in both taking advantage of advanced technologies and keeping data secure can take, including:

  1. Consider deploying security tool sets that offer services-based deployments, platforms and automation;
  2. Discover and classify the location of sensitive data within cloud and SaaS environments;
  3. Leverage encryption and Bring Your Own Key (BYOK) technologies.

“100% of companies have been hacked,” adds Smith. “The good ones know this and have taken steps to mitigate the damage done and the information lost. The ignorant ones stick their ‘heads in the sand’ and refuse to admit it – ignorance is bliss.” At least it is until you’re lost in the cloud.