Two recent breaches involving unsecured AWS storage became public knowledge in the last month. The first, of a video editing application, left potentially thousands of user videos accessible to anyone who reached them directly via their storage bucket's URL. The second, involving a company called Onlinevitalus, exposed more than 700,000 applications for birth certificate copies, containing information such as applicants' dates of birth. Breaches involving misconfigured permissions in cloud storage buckets are nothing new; what is new is a shift in the tone of the coverage of these breaches away from describing them as a 'cloud data breach.' In both cases, the media coverage stated that the companies using the cloud service were responsible for the permissions mishap.

For the most part, that's entirely appropriate. Newly created S3 buckets are private by default; access must be provisioned. AWS Identity and Access Management (IAM) policies grant permissions at the user level; bucket policies and ACLs also govern access. A free permissions check from AWS Trusted Advisor is available, and there is an explicit 'public' label on buckets that are publicly accessible, as well as a separate public-access setting for S3 that lets users set a default access setting for all buckets in their account. To put it more succinctly, the cloud provider has taken a number of steps to protect users from their own configuration mishaps, and the security/technology trade media has taken note and shifted its coverage of who is at fault.
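One way to evaluate a bucket against the layers just described, as an added example that is not code from 451 Research or AWS: the functions below take responses shaped like boto3's get_public_access_block, get_bucket_acl and get_bucket_policy results (the live API calls are assumed to be made by the caller; the sample responses and bucket name here are constructed) and report ACL grants and policy statements that expose the bucket unless the matching Block Public Access flag neutralises them.

```python
import json

# Canned S3 group URIs for anonymous and any-signed-in grantees.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def public_acl_grants(acl):
    """ACL grants to AllUsers / AuthenticatedUsers, as (group, permission) pairs."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return hits

def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition, as (Sid, actions)."""
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            hits.append((st.get("Sid", "<no Sid>"), _as_list(st.get("Action"))))
    return hits

def audit_bucket(pab, acl, policy_json):
    """Exposure paths that the bucket's Block Public Access settings do not neutralise."""
    findings = []
    for group, perm in public_acl_grants(acl):
        if not pab.get("IgnorePublicAcls"):  # S3 ignores public ACLs when this is on
            findings.append(f"ACL grants {perm} to {group}")
    for sid, actions in public_policy_statements(policy_json):
        if not pab.get("RestrictPublicBuckets"):  # public policy is confined when this is on
            findings.append(f"policy statement {sid} allows {', '.join(actions)} to anyone")
    return findings

# Constructed sample responses shaped like boto3's get_public_access_block,
# get_bucket_acl and get_bucket_policy results; not from any real account.
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in WEAK_PAB}  # the account-level default worth setting
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": list(PUBLIC_GROUPS)[0]},
                          "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

With WEAK_PAB the same ACL and policy produce two findings; with HARDENED_PAB they produce none, which is the difference the account-level setting makes.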

A similar shift in understanding of cloud risk is occurring at the enterprise level, identified in results of the past four years of 451 Research's Voice of the Enterprise: Information Security studies. More enterprises are using cloud services for complex, mission-critical and high-risk applications, and the current trend line sees that continuing.

The 451 Take

Security concerns around cloud center on fear of data loss and a lack of control generally, but perceptions toward the security of cloud are shifting, such that answers to how security managers are securing the cloud have become more sophisticated and more reliant on security monitoring. As a result, fewer enterprises say the cloud is 'too risky' for high-risk applications. This isn't altogether surprising – the growth of cloud computing necessitated enterprise security managers getting up to speed, but it's more than that. Partner networks, marketplace offerings, the controls and guardrails built into the cloud offerings themselves, and a vendor ecosystem of cloud infrastructure security offerings have all improved over time. Enterprises are unquestionably still figuring out how to make this all work, according to the live interviews conducted as part of 451 Research's end-user studies, but the answers to 'how will you secure your cloud?' are markedly more sophisticated than they were just a couple of years ago.

Shared Responsibility

Security has often been cited as an inhibitor to cloud adoption. In early quantitative studies conducted by 451 Research, the response to the question of how security managers were securing their enterprises' cloud infrastructure was typically some variation of 'whatever the cloud vendor provides.' The problem with that response, both then and now, is that it fundamentally misunderstands the nature of the shared responsibility that exists when hosting resources in the cloud.

"People look at [cloud security] as different beasts, but it's really not. It's just a server somewhere else. It's understanding the lack of control. If you take Amazon as a great example, I would say that most people don't understand the shared security model that Amazon has.... Amazon has a huge document explaining it, but the question is: Does everyone read that, or do they just make assumptions?"
    - IT/Engineering Managers and Staff, 10,000-49,999 employees, $10bn+ revenue, Real Estate

This is not for lack of trying on the part of the major cloud providers to educate their consumers – for example, both Microsoft and AWS have published shared responsibility models. For Microsoft it's a three-tier model that notes users are responsible for information and data, devices, and accounts and identities, while Microsoft is responsible for physical hosts, networks and datacenters. Other pieces, such as network controls, operating systems or applications, sit in a middle state between the customer and cloud provider, depending on the service being provided. AWS describes the difference in responsibility sets as 'security of the cloud,' which rests on it, versus 'security in the cloud,' which relies on customer decision-making. The security team at 451 Research predicted that this shared responsibility model would require a learning curve in its early discussions of a simplified concept called 'console security' – or the idea that it is the user, not the cloud provider, that is responsible for security 'from the console on up.'

"We are not using [Azure] to the extent that we want to use it. We've been struggling in terms of making sure all the security parameters are taken care of and there are enough guardrails in place, and that's been a lengthy process. So we have a couple of apps, and we are working on some large initiatives that will be going live in the next quarter and next year."
    - Senior Management, 100,000+ employees, $10bn+ revenue, Consumer Retail Products & Services

Shifting Perceptions toward Cloud Risk

In our Voice of the Enterprise: Information Security surveys, starting in 2015, the following question has been asked annually: How would you best describe your organization's policy toward usage of hosted cloud computing platforms (hosted private cloud, IaaS or PaaS) today? The idea behind this is determining any potential shift, year over year, in the perception of security managers toward their enterprise's cloud computing initiatives.

Figure 1: Erosion of security as an inhibitor to cloud adoption

Source: Voice of the Enterprise Information Security, Budgets & Outlook 2019

While trends rarely move in a straight line, especially in survey-based research when attempting to measure attitudes toward risk, a couple of trends have emerged. The first is confirmed through other sources – that the percentage of organizations not using any form of cloud computing infrastructure is diminishing, moving from 18% in 2015 to 14% in 2019. The second trend is the one highlighted in the chart. In 2015, 27% had taken the training wheels off of their cloud infrastructure, considering it for the hosting of any application, independent of risk profile or importance to the organization. Four years later, in 2019, that percentage increased to 35%. While cloud proponents may hope for a more dramatic delta, security teams tend to be somewhat conservative in the adoption of new technology, and a clear trend line is emerging.

Enterprise scale is not so much a predictor of attitude toward cloud risk as some might assume; in fact, the larger the organization, the more conservative its practices tend to be for this question. Among organizations with more than 10,000 employees, 48% limit hosted cloud to low-risk applications, while 35% say cloud can be used for anything. Only 9% of organizations at that scale lack a policy toward public clouds, so it's much more likely to have been considered at larger companies. To compare, 30% of organizations with 250-999 employees limit cloud usage, as do 24% of those with fewer than 250 employees.

The strongest predictor of attitude toward cloud risk is an organization's approach to technology adoption. Sixty-six percent (66%) of those that classify their organizations as 'early adopters' place no limitation on cloud usage. Thirty-eight percent (38%) of those that are 'pragmatic, but will act sooner rather than later' similarly will use cloud no matter the risk profile of the application. That's compared with 20% for those that rank their organizations as 'conservative,' and a similar 20% for those that consider their organizations 'skeptical' of new technology. If early adopters are seen as a bellwether, this is further indication that security is eroding as an inhibitor to cloud deployment.

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
