Are Companies Doing Enough for Cloud Security?


How comfortable are enterprises with cloud security?

A Microsoft-sponsored study conducted by 451 Research, Yankee Group and the Uptime Institute, found cloud security issues are top-of-mind for IT decision-makers, with respondents ranking two best practices related to security (well-defined architecture for security and train users to be cautious with access and security) as among the most essential for cloud success.

A RightScale survey found that nearly a third of organizations that lack experience with cloud name security as their biggest worry – though that number drops to just 13 percent among more experienced consumers of cloud services.

Cloud topped both the lists of technologies that security professionals responding to a Trustwave survey felt pressured to use and technologies that the respondents felt presented the greatest security risk.

Single Sign-on in the Cloud

Yet despite these concerns, a study from security vendor Bitglass found that few companies had implemented single sign-on (SSO) to protect data in the cloud. According to Bitglass, just 9 percent of customers and 5.5 percent of Box customers use SSO, which Bitglass calls "the most basic security measure for SaaS adoption."

Using SSO for cloud services is one of Bitglass' recommended strategies for improving cloud security. Noting that SSO "provides a single login for all company applications, so when employees access cloud apps they are automatically redirected to a company login page for authentication," the vendor says: "The IT organization now controls password requirements and can enable or disable employee access across all company applications in one fell swoop."

While this certainly makes life easier for IT pros, users also benefit from not having to remember multiple passwords for different services.

Not coincidentally, Bitglass provides SSO solutions. It also provides some of the other security products mentioned in the report. Among them are solutions for: encrypting data; blocking restricted content from being downloaded; implementing group-based authorization, location-based policies and device-type restrictions; and intercepting network traffic to corporate cloud apps so data can be inspected and secured.

Alert Logic, another security vendor that released a cloud security report earlier this month, found that certain types of attacks, including vulnerability scans and brute force attacks, are becoming more common in the cloud. This demonstrates that companies must get more aggressive about cloud security, said Stephen Coty, the company's director of threat research.

"Companies have traditionally spent time, money and man hours implementing in-depth security solutions within the corporate space, using multiple tools like antivirus, forensics, netflow collection, routers and firewalls," Coty said. "Our data shows a need for the same kind of approach within the cloud. As an IT manager or CISO, you need to drive that. You need to look at all the different layers of security that can be applied in the cloud."

Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.