DRIVEN IN PART BY SHADOW IT INVESTMENTS, THE PROLIFERATION OF CLOUD SERVICES HAS PROVIDED
MANY BENEFITS FOR COMPANIES. BUT SECURITY CONCERNS AND CHALLENGES REMAIN.
Multi-cloud Organizations Confront IT Security Challenges
WHITE PAPER
Cloud deployments and cloud-based services adoption are not
only mainstream business practices today, but the dominant
mode of computing for many organizations. This rapid transition
has delivered many business and technical benefits but, inevitably,
has also introduced challenges and concerns.
For most IT professionals, cloud and security concerns have
always been intertwined. Typically, these concerns have focused
on securing sensitive information and applications in public
cloud environments outside of corporate firewalls. Over time,
security doubts have moderated as reputable cloud providers
have proved their security chops, and cloud computing became
more commonplace. Ironically, however, the growing popularity
and proliferation of cloud solutions have introduced new
security concerns.
Virtually all companies today are “multi-cloud” organizations.
This term reflects the strategic decision to use multiple cloud
environments—public, private, or hybrid—to run enterprise
applications, and the decision to use a mix of cloud service
providers. More broadly, however, the multi-cloud designation
encompasses every cloud service being tapped by company
employees as part of their business activities.
IBM and IDG content
Within large enterprises, the number of cloud services at play
can easily number in the hundreds, if not thousands. Furthermore,
many of these deployments are materializing via shadow
IT investments made by individual business units—often without
the involvement of IT.
Not surprisingly, the proliferation of multi-cloud environments
and associated vendors and services has triggered its own set
of security challenges. Organizations still have to address the
“traditional” issue of securing data and software—but now for
dozens or hundreds of cloud environments rather than just
a handful. In addition, companies must ensure that their
environments don’t have security vulnerabilities that emerge
in the gaps among them, as well as between cloud and
on-premises IT infrastructures.
Market Pulse
A new survey of large multi-cloud enterprises conducted by IDG
Research has revealed an interesting mix of both confidence
and concerns among those responsible for securing these fluid
and evolving environments. The survey also provides insights
into security reporting hierarchies, and explores organizations’
varying attitudes about shadow IT.
High confidence in security skills, but concerns persist
To get a window into the issues affecting organizations, IDG
Research surveyed 200 IT decision makers at companies
that have deployed workloads across multiple cloud service
providers. The respondents—all with director-level or higher
titles—work at companies with revenues from $500 million
to $10 billion, and across a wide variety of industry sectors.
Overall, respondents exhibit high levels of confidence in their
in-house information security expertise. Nearly 95% characterized
their security capabilities as either expert (58%) or
knowledgeable (36%).
As is often the case, however, those closest to the front lines
of the security battle are more circumspect in their self-assessments.
Only 38% of the survey respondents with director-level
titles rated their companies’ security skills as expert, compared
to two-thirds (67%) of the C-level respondents. This disconnect
between C-suite perceptions and operational realities suggests
some top executives may not fully grasp the daunting security
challenges their organizations face.
When it came to cloud-specific security issues, the surveyed
organizations again professed generally high confidence levels in
their own capabilities. For example, [as shown in Figure 1], 90%
of the survey respondents either strongly or somewhat agreed
with this statement: “We have a good understanding in-house of
the security related regulatory and compliance issues involved
with cloud migration.”
Despite their generally high confidence levels, significant
percentages of the survey respondents expressed concerns
about some aspects of the multi-cloud trend. Three-quarters
say technology adoption—of which cloud deployments are a
big part—introduces increased security risks. True, more than
70% say the specific security risks associated with cloud
computing are outweighed by its benefits, but that still leaves
nearly 30% of the respondents who believe otherwise.
Also, even though most of the respondents express confidence
in their in-house security skills, many tacitly acknowledge the
need for outside security assistance. In one of the more notable
data points, 74% agree that cloud providers can offer a better
level of security than their in-house resources can provide.
The advent of multi-cloud environments has added a new twist
to these security calculations—more than three-quarters (77%)
of the survey respondents said that multi-cloud has made them
look at security differently. Whether this trend, on balance, is
positive or negative from a security perspective is open for some
debate, however.
Some survey respondents saw reason for optimism. Expressing
a common theme, one said, “Multi-cloud software means you
can store things in different places, so you are less likely to lose
all of your data.” Another noted that “cloud providers are rapidly
enhancing their security capabilities.”
On the flip side, one respondent warns, “Multiple systems
working together increases the risk exponentially. You are multiplying
risk against risk.” And yet another cautions that there is a
“need to make sure that security is unified among on-premises
and the various deployed clouds. Governance and operational
execution is important.”
Shadow IT: An inevitable, but potentially positive, trend
The proliferation of multi-cloud environments is inextricably
intertwined with another trend: the rise of shadow IT. The ease
of purchasing cloud capacity or services without any need
for buying, installing, and managing on-site IT infrastructure,
has essentially supercharged the ability for business users to
buy their own IT services. For most enterprises, business unit
purchases of software-as-a-service (SaaS) and other cloud-based
solutions have become an operational norm.
FIGURE 1. THE STATE OF CLOUD SECURITY
Percent of respondents who strongly agree or agree with the following statements; multiple
choice question so percentages are not mutually exclusive. SOURCE: IDG Research
Statements charted (agreement ranges from 72% to 90%):
Understand security-related regulatory and compliance issues
Succession plan is in place for key individual in cloud security
Multi-cloud environment and SaaS allow for more shadow IT
Cloud providers have deep expertise regarding data security
My organization has embraced shadow IT because it’s inevitable
Technology adoption opens up greater security risk
Cloud providers offer better level of security than in-house resources
Have adequate visibility into security practices of cloud providers
Cloud computing’s security risks outweighed by benefits
Trust cloud-based data is secure
Indeed, three-quarters of the organizations surveyed see
shadow IT as inevitable. While some organizations continue
to resist this trend, most are trying to determine how to best
live with it.
Shadow IT brings with it a mixture of benefits and challenges.
Among the positive effects: It can make companies more
agile and competitive; can give users and business units more
autonomy and freedom to innovate; and can open IT to new
solutions, platforms, and applications.
As for its negative ramifications, rampant shadow IT can lead to
IT inefficiencies and redundancies; drive IT incompatibilities; run
afoul of regulatory and compliance rules; and, of course, it can
introduce security vulnerabilities.
This mixture of pros and cons has organizations dealing with
shadow IT in three distinct ways. A minority still have hopes
of preventing the practice. For the remainder, it’s a coin toss
between tightly controlling it or, alternatively, fully embracing it.
>> Prevent
Among the multi-cloud companies IDG Research surveyed,
only 20% said they hope to prevent shadow IT purchases. As
one respondent explained, “This is a compliance issue with us,
because we are in the financial field and shadow IT leaves us
vulnerable.” Many of those hoping to prevent the practice cited
security concerns. “Shadow IT can lead to major issues [such
as] malware and ransomware,” said one respondent. “This could
cause loss of revenue, customers, and reputation.”
>> Control
Among the remaining respondents, 41% say they hope to control
the shadow IT practice, viewing it as the least onerous of the
available options given its inevitability. “[Shadow IT] cannot be
prevented, so to dedicate resources towards that aim would be
wasteful,” says one respondent. “Embracing it opens the doors
to security risks. The best approach is to implement controls
where applicable to prevent the worst offenses and discourage
its existence in general.”
Despite this ambivalence, some in the “control” camp see
benefits associated with shadow IT investments. One respondent
notes that business unit purchases of IT solutions help to
supplement the central IT budget, for example. And a number of
those advocating control acknowledge the ability of shadow IT
expenditures to introduce new solutions and business practices
to their organizations.
>> Embrace
It’s shadow IT’s perceived benefits that draw nearly 39% of the
respondents into the “embrace” group. “I’m quite convinced
shadow IT drives innovation,” says one respondent. Several others
noted that business units understand their own needs better than
the IT department can hope to grasp. “Each department knows
what is best for their organization, and shadow IT should be
embraced (with IT’s oversight),” says another respondent.
Some IT decision makers say they actually appreciate the
involvement of business units. “They may have found applications
that we have not looked at, and they have done the work
for us. It is best to see what they have accomplished before
regulating it,” explains one respondent. Along the same lines,
another respondent notes, “Instead of fighting to retain control
I’m focusing on managing risk and on understanding where
employees are adding value with their self-provisioned tools
and apps.”
Beyond its ability to drive innovation and tightly align solutions
to business needs, some are embracing shadow IT primarily as a
corrective to slow and bureaucratic IT departments. “Shadow IT
isn’t the problem,” one respondent simply states. “The problem
is that going through proper channels is too difficult.”
Given current trends and the ease of deploying SaaS and other
cloud-based solutions, those still seeking to prevent shadow IT
are likely fighting a losing battle. Indeed, if they surveyed their
employees’ cloud usage, they could well find that the battle has
already been lost.
A better strategy is one that combines elements of both the
control and embrace strategies. Properly leveraged—and even
encouraged—shadow IT can fuel innovation, drive efficiencies
and productivity, and empower employees. But companies
need to establish clear policies, and the practice must be well
monitored and managed. With this approach, companies can
ensure that shadow IT’s benefits aren’t undermined by security
vulnerabilities and other risks it might otherwise introduce.
Whose Job is It, Anyway?
Almost all of the IT managers and executives surveyed by
IDG Research (95%) say their organizations have clear chains
of command for IT security responsibilities. At nearly half
of the companies (49%), chief information officers (CIOs)
shoulder the ultimate responsibility for ensuring security
needs are met. For most of the remaining organizations
(43%), this responsibility falls to chief information security
officers (CISOs) or chief security officers (CSOs).
Despite the roughly equal split of security responsibility
between CIOs and CISOs/CSOs, there are distinctions
beneath the covers. CIOs tend to function much more at
the strategic level than the security-titled executives. Only
13% of the survey respondents say their CIOs have mostly
or completely tactical responsibilities, with 62% being
completely strategic and another 24% mostly strategic. By
comparison, 34% of the CISO/CSO executives are seen to
have completely strategic roles, 37% mostly strategic, and
29% mostly or completely tactical.
Security requirements, of course, span both strategic and
tactical realms, and security’s importance is clear in the
budget expectations. In 2018, on average, security-related
investments will account for an impressive one-quarter (24%)
of the total IT budget, survey respondents predict.
At the high end of the spending spectrum, those in the
telecom sector expect to invest 30% of their IT budgets on
security expenditures. Even those in the lowest-spending
industry sectors – manufacturing/distribution and consumer
packaged goods, among others – anticipate spending 19% of
their IT budgets on security in the coming year.
The Bottom Line
The emergence of multi-cloud organizations is very real. Whatever
the reasons why, the result is clear: companies need to
revisit their security technologies, practices, and needs.
Assessing the security of data stored in public cloud environments
or within the servers of SaaS providers can be challenging
in its own right. Beyond such assessments, however, companies
must also ensure they have a comprehensive and consistent
security regime that encompasses both their on-premises IT
infrastructure and their multiple cloud environments.
To this end, it’s important that companies not overestimate their
own abilities to address the many security challenges associated
with the multi-cloud landscape. C-suite executives should be
aware that their high confidence in their in-house security expertise
may not be shared by the employees actually doing battle in
the security trenches.
Inevitably, the complex matrix of security challenges posed by
multi-cloud can stress even the most sophisticated of corporate
IT security professionals and teams. How should CIOs, CISOs,
and CSOs best deal with these security challenges? Their top
response: a partnership or collaboration with a managed cloud
provider. In fact, for multi-cloud organizations, third-party partners
may prove essential to addressing many security risks.