By Richard Steranka, VP in the Intel Security Group, head of global channel operations at Intel Corporation
Enterprise cloud adoption approaching 80 percent of IT budgets
Enterprise computing projects are moving rapidly to cloud-based solutions, and companies around the world expect 80 percent of their IT budget will be dedicated to cloud computing services by the beginning of 2017. This shift towards a cloud-first approach to enterprise services is being driven not just by improved agility and cost savings, but also by increasing trust in all things cloud, with 77 percent of organizations saying they trust clouds more now than they did a year ago.
Cloud computing covers a wide range of services, from infrastructure to applications in private, hybrid, and public variants. Based on a survey of 1,200 IT professionals responsible for cloud security across eight countries, organizations are currently using just over 40 cloud services (that they know about), from a low of 29 in the United Kingdom to a high of 55 in Brazil.
While Software-as-a-Service (SaaS) is often the first thing to come to mind when talking about clouds, future investment planning for the majority of organizations encompasses the whole range of service models. Infrastructure-as-a-Service (IaaS), such as Amazon Web Services or Microsoft Azure, is the most likely to be deployed in the future (81 percent of organizations). SaaS is surprisingly the least likely to be deployed, but is still in the plans of well over half those surveyed (60 percent). Departments are also storing a wide range of data in their clouds, including financial accounting (52 percent), employee records (48 percent), and customer personal information (40 percent).
The increased deployment of cloud services appears to be building on an implicit trust, but there are still many unknowns. More than 20 percent of IT departments cannot be certain whether there are unauthorized cloud services in use, and 13 percent cannot say for certain what is stored in their clouds.
Those who try to control these shadow IT services find they are being used by many departments, especially sales, R&D, marketing, and legal. In a typical twist of corporate irony, more than half of these groups expect IT to secure their unauthorized services. IT departments are using a variety of methods to deal with shadow IT, including database activity monitoring (49 percent), next-generation firewalls (41 percent), and web gateways (37 percent).
An interesting and innovative tactic is working with the finance department to identify expense reports for cloud services. When they find some shadow IT, 46 percent of respondents block access to the service, while 37 percent migrate it to an approved option. While less than 25 percent of organizations have experienced unauthorized access to their cloud data or services, the continued lack of visibility is the greatest concern, expressed by 58 percent of those surveyed.
Perhaps the darkest cloud on the horizon is the apparent disconnect between board-level and C-suite involvement in cloud security decision making, and their awareness and understanding of the risks involved. Only 34 percent of respondents feel that their executives and directors fully understand the security implications of the cloud, while 20 percent believe that the C-suite is virtually unaware of the potential dangers.
Improving The Forecast
To keep the dark clouds away, cloud security has to be a shared responsibility between service providers and enterprises, including both IT and the departments using the services. IT professionals may find they achieve better results as service brokers, working with business units to find the best solution to their needs and reducing the demand for shadow IT. Security tools such as data encryption, email protection, identity and access management, and data loss prevention are becoming key areas for security investments.
Finally, the potential damage to the organization’s reputation and bottom line, as demonstrated by recent breaches of cloud services, should be sufficient incentive for senior executives to learn more about this rapidly growing part of their business. The gap in risk awareness and understanding by boards and non-IT executives calls for more education, greater involvement of CIOs and CISOs in boardroom discussions, and inclusion of cloud security as a priority topic in business plans.
The security industry has a role to play educating customers on the benefits and risks of cloud services, helping them see through the hype and fear, to build an appropriate balance of trust and caution. Electronic devices of employees, partners, and customers are increasingly dependent on cloud computing and storage, and with the appropriate security mechanisms and knowledge, the power of clouds will continue to be a positive force.
Richard Steranka is vice president in the Intel Security Group and head of global channel operations at Intel Corporation. He leads worldwide channels at Intel Security, heightening the company’s commitment to bring proactive, connected security to its partners and their mutual customers. With more than 25 years of experience in strategic sales and channel leadership roles, Steranka leads the global team responsible for Intel Security’s ecosystem of distributors, value-added resellers, managed service providers, alliances, and embedded OEMs.