Cloud Security Concerns: IT vs. LoB
The cloud is here. You may choose to use cloud-based applications with software as a service (SaaS). Alternatively, you may choose to run your own applications in the cloud with platform as a service (PaaS). In either case, you will likely be concerned about the security of applications in the cloud. Everyone agrees that security is important, but those in IT and those on the line of business (LoB) side have different perceptions of the risks when it comes to cloud-based applications.
What’s in the Cloud?
You, like many other businesses, want to migrate to the cloud. You want to take advantage of unified communications and collaboration services that can be rapidly implemented, and which offer more features and functions while reducing your budget. The same thought process can apply to your contact center. The cloud is attractive for a variety of reasons, but the IT staff and LoB executives look at the security risks differently.
The Ponemon Survey
I recently read “Closing the Cloud Security Business Gap,” a Salesforce-sponsored survey conducted by the Ponemon Institute. The graphics in this blog are from the report.
The survey investigated a wide range of opinions, issues, and business positions dealing with cloud services. What I found interesting was that the IT organization’s view of security differs from that of the LoB. Because these two areas are not aligned, there can be conflicts in creating procedures, implementing programs, defining budgets, and enforcing security.
The reasons for moving to the cloud are common to both the IT organization and LoB. However, each group places a different emphasis on the reasoning behind the move. IT wants to reduce costs, while LoB wants to increase efficiency and reduce deployment time. IT wants to improve security (24%) while LoB thinks this is less important (12%). See the chart below.
One of the conclusions of the Ponemon report is that not knowing all about the cloud applications and platform (SaaS or PaaS) in use can create risks. The report found that 77% of respondents do not have full visibility of what sensitive data is collected, processed, and/or stored. In another discovery, 50% are not confident that their IT organization knows all cloud applications presently in use. When asked to rate the risk level, 69% rated the risk associated with not knowing all the cloud applications and platforms in use today as very high.
The graphic below shows that the perception of security is about equal for cloud vs. on-premises solutions. It also demonstrates that there appears to be a disconnect between the LoB (20%) and IT’s concern (38%) about the security of cloud resources.
IT security is concerned about data breaches, which may result in stolen information, changed information on the corporate website, users getting connected to malicious code, or disabled enterprise resources. The most common culprit for data breaches is human error (48%). This means that an enterprise needs to monitor its users to discover behaviors in practice that can lead to security issues.
Cyber attacks account for 43% of security problems. Dealing with attacks requires a different set of tools, from monitoring the network and applications for abnormal behavior to installing preventive measures. What I found interesting is that the third most likely source of security problems is system glitches (36%). This can mean improper installation, negligence, not updating the patches, postponing changes, IT staff ignorance, or poor training -- all of which are IT management issues.
SaaS vs. PaaS: Security Responsibility
Assuming you are using cloud services, who is responsible for security? There is a definite difference of opinion when comparing SaaS and PaaS security responsibility. When SaaS is in use, 29% of respondents reported they expected the cloud service provider to be responsible for security. When working with PaaS, the percentage who expect the provider to be responsible for security drops to 17%. When asked if the security responsibility should be shared, 13% of SaaS customers expect to share responsibility, compared to 25% of PaaS customers.
IT vs. LoB Security Perceptions
The report concludes that LoB is more likely than IT security to believe sensitive/confidential information is more secure in the cloud than on-premises. According to the graphic below, 46% of LoB respondents believe sensitive or confidential data is more secure in the cloud, compared to 28% of IT respondents. IT security respondents (33%) say their function is most responsible for securing information, versus 25% for LoB respondents.
IT security is more concerned about the risks related to not knowing all the cloud applications used within their organization (69% of IT vs. 40% of LoB respondents).
Using cloud services offloads work from IT. It also means that IT has less control and will depend on a third party for security. IT sees an increase in liabilities, while LoB sees a more efficient solution.
- IT thinks of risk as hampering their operation, producing extra work and complaints when an attack occurs.
- IT sees attacks as a cost because they are a drain on their resources.
- LoB sees an attack as a financial hit, not only in revenue and profit but also in fees and fines by regulatory agencies.
- LoB is concerned with customer loss and reputation damage.
I think that the IT vs. LoB security perceptions may be due to a less than favorable reputation of the on-premises security capabilities. Cloud marketing may be a greater influence on the LoB than their own IT department. IT and LoB have to communicate better with each other, learning more about the other’s perceptions, objectives, and situational reality.