As infrastructure as a service becomes more popular, the number of data breaches will likely increase. However, most of the breaches will be caused by user-created vulnerabilities rather than faults from cloud providers, according to Craig Lawson, Gartner research VP.
“We’re at a point today where I think we can make a defensible claim that arguably no one has better security on the public internet than the big public cloud providers,” Lawson said while speaking at the Gartner Security and Risk Management Summit in Sydney today.
“The blunt realities of public cloud security is that, to date, almost all of the cloud security failures have been attributed to customer actions.”
Lawson argued the level of security offered by the large public cloud providers, including Amazon, Google and Microsoft, is well beyond what most organisations can achieve independently and attention should turn to internal security and awareness.
“Security incidents from the providers are vanishingly small,” Lawson said.
“[Cloud providers] have off the charts amount of money and time they spend on their internal security operations. It really is impressive.”
If providers’ security was compromised significantly we would know by now, according to Lawson, who also argued the responses from large public cloud providers to past security incidents had been impressive.
The problem occurs, however, with the use of cloud. Lawson argues much of the data kept on public clouds is left vulnerable by the practice of open data sharing. Users, often unaware of the risks they are creating, change default settings and leave data unprotected and open to bad actors.
“There’s been lots of breaches where people have just left stuff on the cloud, open to everyone,” he said.
“This is actually the elephant in the room when it comes to cloud security as we are opening ourselves up to the naked internet with no controls.”
New regulation in Australia means that when breaches do occur, in most cases they must be reported. Mandatory reporting has revealed an increasing number of incidents, or at least an increase in the number being reported.
According to Lawson, following publicised breaches, providers are often wrongly implicated in the incident when their security measures have actually been sufficient.
“What’s going to happen is people are going to continue to use the cloud… [But] unless these practices improve, we’re going to continue to see more cloud security exposure,” Lawson said.
“The key point is going to continue to be on us – the end users.”
Software as a service has given rise to ‘shadow IT’, where several business units now procure their own solutions – an unprecedented change in IT, Lawson said.
But as SaaS grows, security awareness often lags, according to Lawson.
“It’s not as good as it needs to be. People aren’t that ready, they don’t necessarily understand as much as they’d like to [about cloud security].”
The changes and consequences created by SaaS far eclipse IaaS concerns, according to Lawson. The increasing access to IT means individuals outside IT are well served to undertake some basic training in cloud security.