Getting firms to move to the cloud hasn't been all that easy. Many companies have justifiable concerns and fears about moving their most vital non-human asset – data – outside their data center.
While cloud providers have struggled to assuage those fears, they don't seem to be getting through. A study by the Ponemon Institute and Netskope, called "Data Breach: The Cloud Multiplier Effect," shows many firms still have concerns regarding data loss in the cloud, but none of it is based in reality.
Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services and the findings were cynical, to say the least. While 51 percent of respondents said on-premises IT is equally or less secure than cloud-based services, 66 percent of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information. And 64 percent believe it makes it difficult to secure business-critical applications.
Dr. Larry Ponemon, head of the group that bears his name, thinks part of it is IT being a little territorial. "I think there's a little fear they will become obsolete," he said. "They aren't driving the cloud train, business is. There is a sentiment that what I don't know is worse than what I do know. They may think there's a problem because they weren't involved in the selection."
There were other negative sentiments as well.
* 69 percent of respondents said they believed that their organization is not proactive in assessing which information is too sensitive to be stored in the cloud.
* 62 percent of respondents said they believed the cloud services in use by their organizations are not thoroughly vetted for security before being used.
* 72 percent of respondents said they believed their cloud services provider would not notify them if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
* 71 percent said they believed they would not receive immediate notification following a breach involving the loss or theft of customer data.
In the latter two findings, there is something to that concern. Hackers were stealing credit card information from unsecured wireless networks at TJX for 18 months and the company fired an employee who leaked that the company was still using unsecured networks even after the hack was exposed. Nortel Networks was the subject of a decade-long hack by Chinese criminals who stole pretty much all of the company's IP, which led to its demise.
"There's a lot of frustration in the complex world we are in," said Ponemon. "Cloud providers are not motivated to say their data was exposed, even though it's required by law. Also, a lot of cloud providers don't find out about it until the FBI contacts them. Target first learned about their breach from the Secret Service. A lot of companies don't have the tools or ability to know they were hacked and it can go on for months."
It comes down to many IT professionals having no faith in cloud providers. Along with IT being left out of the decision-making process – thank you, BYOD, for letting the inmates run the asylum – Ponemon said there are two other reasons.
A lot of organizations have rushed to the cloud for cost efficiency or because it's the cool thing to do. As a result of that rush, they don't factor into the equation that data entrusted to the cloud can leak out. Not just from criminal activity but mistakes and glitches. Users might log on to a perfectly secure cloud storage system from an insecure place, like a Starbucks.
And occasionally the cloud provider makes a mistake, like Dropbox did in 2012, when a bug allowed anyone to access a Dropbox account without using the correct password. Later in the year, a security hole was found in Dropbox’s iOS app, which allowed anyone with physical access to your phone to copy your login credentials.
That said, Ponemon said some cloud providers are "very, very secure and I would trust them more than some on-premises IT configurations."