Light Dark
September 28, 2016 By Jay Choi 3 min read
Cloud Security

There are clear benefits to adopting cloud services, such as improved availability and cost optimization. Cloud also offers an opportunity to update legacy systems and processes that may have been on the risk register for a long time with no clear mitigation strategy in place.

Common Misconceptions About Cloud Security

IDC predicted more than 80 percent of enterprise IT organizations will implement hybrid cloud architectures by 2017. IT executives remain concerned about operating model changes, however, and many are wary of the perceived security challenges and increased operational complexity of cloud solutions.

Below are some common misconceptions related to cloud adoption.

Cloud Computing Is Less Secure

This should not be the case if done correctly. Security risks vary depending on the deployment model, but a clear assignment of ownership and accountability between the organization and the cloud service provider (CSP) can provide adequate security for the migrated workloads. The homogeneous operations and management practices applied by CSPs in their IT and operating environments can actually improve your security posture.

Cloud Security Is Too Complex

Cloud security poses a new challenge since it is managed as an extension of the current controls environment. However, a comprehensive security framework can prioritize areas of control enhancement and inform investment decisions. Added focus on data security and privacy may compound the complexities from a compliance perspective.

Cloud Security Is Difficult to Maintain

Many IT professionals are concerned about transparency and assurance. Establishing strict governance backed by metrics and enforceable service-level agreements (SLAs) can assist in measuring a CSP’s performance.

Related:

Frequently Asked Questions

Taking the first step on a journey to cloud adoption can be daunting. Some common questions to ask at the beginning of this process include:

Which Framework Do We Use?

Multiple standards are available, each with different benefits, depending on circumstances and the environment. It is critical to establish a comprehensive cloud security controls framework that leverages industry best practices and aligns with the organization’s risk appetite.

It is also important to recognize key sets of security controls and delineate roles and responsibilities clearly. This will drive performance measurement against the SLA if the CSP is appointed as a vendor.

What Are the Regulatory Implications?

Cloud offers a new set of challenges in terms of data transfer and protection, especially with new regulations coming down the pipeline. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, adds to the list of concerns. To remain secure and compliant, organizations need a holistic view of the regulatory landscape.

Will I Have Full Access to the CSP’s Security Environment?

Typically, this is not the case, but some CSPs provide more security transparency than others. This should be clearly identified as part of the vendor due diligence phase. Transparency requirements must be satisfied before agreeing to the vendor’s terms and conditions.

What Workloads Can I Put on the Cloud?

This depends. Some organizations experience scope creep in cloud adoption, leading to the unplanned migration of more sensitive workloads onto cloud and negligence of the initial security principles. Such issues must be monitored to avoid a mismatch of expectations.

Where Do I Start?

Security needs to be at the heart of your cloud strategy and design. An effective cloud strategy must match the workload with the appropriate controls framework to provide assurance and protection. This approach ensures that the security capabilities offered and managed by the CSP align with the organization’s risk appetite. The framework should also consider regulatory, legal and compliance requirements that are relevant to the organization.

A Dynamic Framework

IBM utilizes a unique cloud security framework that breaks down the domains into eight categories: governance, metrics, cloud security optimization, data security, application security, network and system security, secure operations, and identity and access management.

Security teams can use governance and metrics to measure and audit the security capabilities in place. The domains consist of cloud-centric categories as well as business-as-usual security. For these domains, fundamental changes relate to maturity in service integration and the manner in which roles and responsibilities are defined within a clear ownership structure.

Conclusion

A successful transition requires a clearly defined cloud security strategy. That strategy should identify the target state and provide prioritized road map considerations that may lead to a consolidation of cloud activities within the organization.

A paradigm shift in operating models comes with many challenges. By clearly defining the workload sensitivity and controls framework, security teams can enable efficiency, agility and trust when it comes to cloud security.

Watch the on-demand webinar: Demystifying Cloud Security Transformation

 |  |  |  | 
Jay Choi
Executive Consultant - Global Security Services, IBM

More from Cloud Security
January 22, 2025

2024 Cloud Threat Landscape Report: How does cloud security fail?

4 min read - Organizations often set up security rules to help reduce cybersecurity vulnerabilities and risks. The 2024 Cost of a Data Breach Report discovered that 40% of all data breaches involved data distributed across multiple environments, meaning that these best-laid plans often fail in the cloud environment.Not surprisingly, many organizations find keeping a robust security posture in the cloud to be exceptionally challenging, especially with the need to enforce security policies consistently across dynamic and expansive cloud infrastructures. The recently released X-Force…

January 8, 2025

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature