Organizations appear to be getting better at using their review processes to understand the security implications of moving to the cloud, according to a new report.
According to CompTIA's Trends in Information Security report, the percentage of companies saying they consider security-related subjects such as data retention, encryption, regulatory compliance and identity and access management when reviewing cloud service providers has gone up during the past two years.
"The distribution is also fairly tight, with 40%-60% of companies saying they always review each area," the report notes. "Businesses are recognizing the importance of conducting reviews and the breadth of issues that a review should cover."
Jim Reavis, CEO of the Cloud Security Alliance [CSA], told SecurityWeek that companies should first look inward and understand the specific business function they are putting in the cloud.
"This may not always entail a full risk assessment, but understanding the sensitivity of the data related to the business function, the risk appetite and other security-related service level objectives will help provide the security context companies need when selecting a provider that is a good match," he said. "Many companies use CSA's Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix to assess their own maturity and prioritize their own requirements, then use these same documents to assess the provider. The advantage is that providers are typically already familiar with these standards and will be able to turn around responses more quickly. They may already have the answers publicly posted in CSA STAR [Security, Trust and Assurance Registry]."
Going through the process of understanding security requirements and reviewing cloud providers can drive internal changes as well, the report adds.
"Forty-eight percent of companies say that they have changed company policy as a result of changing views on cloud security, and 41% have built additional security features into cloud-hosted applications," according to the report. "Moving to the cloud does not just require additional security measures to close gaps that exist in the cloud provider, it also requires changes to application architecture and business workflow, and these changes often prove more challenging to implement than system migration."
Even with a review, however, many companies find that security issues still exist. Following an initial cloud migration, many of the companies acknowledged making a secondary move for security reasons, such as moving from a public cloud to a private cloud (36 percent), moving from a public cloud to an on-premises system (31 percent) or moving from one public cloud provider to another (30 percent), the report notes.
"Secondary migrations imply that there are some lessons being learned following a migration that could have been avoided with a proper review of a cloud provider’s policies," according to the CompTIA report. "Again, this review requires that a company understand its own security requirements up front, but once that understanding is in place, a thorough review of potential providers can help avoid confusion or additional work."
According to Reavis, many larger companies today use hundreds of cloud services, so they have clearly built some repeatable processes around provider engagement and onboarding. Still, he said, significant progress remains to be made.
"I wouldn't say that providers are bending to demands more, but they are more often meeting in the middle on compatible approaches to a shared responsibility for security," he said. "A good example of this is with identity, where providers and customers have made progress in making systems compatible with SAML, to allow a secure exchange of identity authorizations rather than duplicating user ids and passwords across multiple systems."