Bethesda, Md. – Information security (InfoSec) professionals trust the cloud even less now than they did last year, despite efforts by cloud-service providers to tighten security, according to the results of the second annual SANS Institute Cloud Security Survey to be released during a two-part webcast on Tuesday, Oct. 11 and Wednesday, Oct. 12, 2016.
Sixty-two percent of respondents said they are concerned that unauthorized outsiders could access data stored on public cloud services, compared to just 40 percent last year.
In 2015, 33% of respondents said they lacked the tools and low-level access to usage data that would allow them to identify a data breach or do forensic analyses that would make incident response effective; 56% made the same complaint this year.
InfoSec professionals seem to have accepted the ongoing migration to the cloud as inevitable, however, and are doing what they can to secure sensitive data and applications in the public cloud.
"InfoSec professionals recognize the flexibility and cost-effectiveness of the cloud as clearly as anyone else, but they are still concerned that the lack of tools and visibility makes it more difficult to secure data in the cloud," according to SANS analyst and survey author Dave Shackleford. "Many are working in tandem with business unit managers to find new technologies and policy approaches to reduce that risk--which is a big reason more companies feel comfortable storing employee and customer data in the cloud."
Overall, 48% of respondents' organizations store employee data in the cloud, and 24% store customer financial data there. In addition, 27% use cloud-based email and messaging and 17% use collaboration or document management services in the public cloud.
Shackleford continues, "Cloud providers do offer more security tools for their own platforms, and some have expanded support of industry standard security frameworks and reporting methods to increase visibility and integration with customers' existing security tools."
For InfoSec professionals, however, the greatest challenges are still the limited ability to access data controls built into cloud platforms, integration with existing tools and the slow progress toward APIs or services to bridge the gap between internal and external security.
"By this time next year we hope to see a lot more support for third-party solutions, better access for forensic analysis, and more openness about the security controls and processes cloud providers use," Shackleford says. "Cloud providers are improving, but they're not moving fast enough to address the needs of enterprises that continue to migrate sensitive data into the public cloud."
Full results will be shared during a two-part webcast at 1 PM EDT on Tuesday, Oct. 11 and Wednesday, Oct. 12, 2016, sponsored by Bitglass, CloudPassage, IBM Security, Intel Security, and Rapid7, and hosted by SANS. Register to attend both sessions of the webcast at www.sans.org/webcasts/102372 (Oct. 11) and www.sans.org/webcasts/102332 (Oct. 12).
Those who register for the webcast will also receive access to the published results paper developed by SANS analyst and cyber security expert Dave Shackleford.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)