Research has shown that companies are avoiding cloud services due to a lack of security skills.
When data is mobile and can be accessed from any point, it is understandable that not having the right security provisions in place could be a downfall.
More than 40% of UK businesses are either avoiding cloud-based services or attempting to block them completely, according to a Quocirca study on behalf of CA Technologies.
But industry professionals believe that these fears are unfounded. Gavan Egan, VP of sales, Verizon Terremark, says: "The most common barrier to cloud adoption is generally security, but the truth is that the cloud can be as secure as an on-premise IT environment." He also cites service reliability and data migration as major concerns, but says these can be overcome by doing due diligence when choosing a cloud provider.
"Enterprises need to pay special attention to which practices are being followed and which industry standards are being adhered to. Contracts backed by strict and transparent Service Level Agreements will give businesses considering a move to the cloud peace of mind that the service is secure, reliable and provides them with the full benefits they were hoping to achieve."
But John Thielens, chief security officer, Axway, says that the cloud’s orientation towards self-service makes it the perfect learning platform. "I would encourage people who want to develop skills on their own or enterprises who want to build up the centre of excellence within their own IT staff to begin a proof of concept. Throw people into the pool and have them learn how to swim: there’s lots of online training but there’s no way to really learn without doing," he says.
There are also online community groups, such as the Cloud Security Alliance, which offer online training and some forms of certification for those who want to learn more.
But in the cloud, as with any form of IT security, awareness is the first and best line of defense.
Egan says: "With the widespread misconceptions over cloud security, it is understandable that some businesses choose to avoid cloud usage through fear of the unknown. As a result, cloud providers have an opportunity and a responsibility to educate their customers about the realities of the security threats that exist within cloud computing, helping them to overcome their uncertainties."
The research also revealed that 63% of UK organisations believed that security services such as single sign-on, federated identity and access management, and identity governance could be best delivered through a cloud or hybrid model. This is particularly true as multiple user identities and access points become more difficult to manage, which can increase the risk of a security breach.
Thielens is a big advocate of identity federation. He believes that most companies would use a hybrid model because most companies use their on-site employee database as the ID repository, which is often tied to the email directory, meaning it is tightly integrated with hiring and human resources practices. "That’s the really critical bit," he stresses. "When they leave the company they need to be immediately disabled and when they join the firm they need to be productive immediately, so those repositories are very important."
Egan added: "Identity and Access Management makes user access management more efficient and more secure by centralising network access privileges for employees, partners, suppliers and vendors, across any device and location.
"Cloud-based IAM removes the complexity of federated identity by acting as a broker, enabling authentication between systems, much like a hub with spokes. By removing the complexity, new 'spokes' can be added quickly and easily, whether they are additional, internal systems or new systems as a result of a partnership or merger," he says.
But with these multiple identities and additional sign-on points, cloud vendors must do more to consider how to protect online identities and credentials. Thielens gives the very good example of Google’s Gmail policy. Any time someone tries to access his account from a new device, he receives a text message and has to exchange a code. This is a great, innovative way to secure cloud identity in a consumer context. But this shows that internal Active Directory-based systems need to step up their game.
"There’s more innovation, and you can imagine Google’s posture in the industry: they have a huge incentive to show some leadership there as they’re trying to entice corporations to use Google as their ID repository instead of Active Directory," says Thielens.
"But it’s interesting because maybe the cloud isn’t less secure. It’s less in your control, so you have to do some research and negotiation before you’re comfortable with that, but it may turn out that a full-on cloud repository for ID management may wind up being more secure than what you can build on premise yourself."