The typical public cloud service provider employs a bifurcated approach to IT security in the cloud. They'll take responsibility for securing the infrastructure services they provide, but any software running on top of those infrastructure services is the responsibility of the developer or the IT organization that put it there.
A new survey of 100 IT decision makers conducted by the market research firm Enterprise Management Associates (EMA) on behalf of iland, a provider of cloud hosting services, finds that when it comes to securing application workloads nearly half (48 percent) of IT organizations are spending more on security technologies than they ever did when they only ran application workloads on premise.
The paradox, of course, is that 55 percent of respondents also said cloud uses superior technology to on-premises, and 56 percent indicated that security technology is more consistently applied in the cloud. More telling still, 47 percent admitted they “simply trust” that their cloud providers are delivering on security agreements, rather than verifying the level of IT security being provided independently or through a third party.
Areas where IT organizations need help
By and large, public clouds run by some of the best IT personnel around are going to be more secure than an on-premise IT environment managed by an IT staff that may have limited exposure to the latest threats or limited ability to implement and maintain best practices. In fact, a larger percentage of IT organizations are relying more on the IT security expertise of managed service providers when moving application workloads into the cloud.
The iland study also finds that 68 percent of organizations have staffing shortages and 34 percent have skills shortages. As a result, it may not come as a surprise to IT service providers that IT organizations are specifically looking for more help when it comes to integrating security technology (52 percent), improving security reporting (49 percent), and improving security analytics (44 percent).
In addition, the survey identifies premium security services that IT organizations would be willing to pay extra to have delivered. That list includes virtual machine encryption (59 percent), on-demand compliance reporting (58 percent), role-based access control (57 percent), and advanced persistent threat (APT) protection, and advanced targeted attack (ATA) protection (54 percent).
Higher expectations for security services
At the same time, however, the study makes it clear that more of the onus for providing security is falling on the cloud service providers. For example, half the participants said they feel that a compliance/privacy liaison should be included as part of the basic services, while only 33 percent identified that function as being an element of a premium upgrade.
Thanks to the rise of digital business models and, of course, the cybercriminals trying to steal money from organizations large and small, IT security has never been a higher priority than it is today. For IT service providers that means it’s now virtually impossible to bid on an IT project that doesn’t include provisions for IT security. Whether they develop that expertise internally or partner to deliver it doesn’t matter. Any IT proposal that doesn’t include a robust IT security component is going to dead on arrival.