Cloud service providers might talk the talk — but few, it seems, walk the walk. A new report shows that while an increasing number of cloud services are improving their security practices, the rates at which cloud providers are adopting appropriate security practices are abysmal.
According to the latest quarterly study by Skyhigh Networks, a cloud security solutions provider, although the number of cloud services that support multifactor authentication might have doubled in 2014, only 17% of the 10,000 cloud services tracked in 2014’s fourth quarter supported multifactor authentication.
In the same period of 2013, only 470 services encrypted data at rest. Now, some 1,802 cloud providers encrypt data, but that’s only 11% of companies. Similarly, just 5% of cloud providers held ISO 27001 information security management certifications, though that is still a big improvement over the figure from the same period in 2013.
Most importantly, though, not even 11% of cloud services studied had the basic security capabilities required by enterprise businesses, meaning a whopping 89% of cloud providers were not up to snuff.
“Any modern company provides mechanisms to encrypt data in transit. Encrypting data at rest does provide an extra layer of security, but at a higher cost and performance overhead,” says Jason Eisert of Sectorlink. “The main advantage of this kind of encryption is to provide defense against unauthorized physical access to server hardware, which, at this time, is not a very common cause of data compromise in the IT industry.”
According to InformationWeek, 100% security can never be guaranteed, but there are five practices that can greatly improve cloud solution providers’ security. When choosing a new cloud provider, companies’ decision makers should look for continuous visibility, exposure management, strong access control, encryption practices, and compromise management.
As to why so many companies were slow to adopt the surveyed security practices, Skyhigh’s vice-president of products and marketing, Kamal Shah, said that “a lot of people don’t think it’s a priority,” adding that the biggest challenge with encryption is that the application has to be smart enough to also decrypt the data. This technology, he said, is only now “coming to the forefront.”