As cloud infrastructure becomes more complex, security struggles with it

As more organisations get deeper into their cloud initiatives, their infrastructures become more complex – yet according to new research from WinMagic, security and compliance is struggling to keep up.

The study, conducted by Viga, polled more than 1,000 IT decision makers and found that while an overwhelming 98% of respondents say they use the cloud in some capacity – with on average half of a company’s infrastructure being cloud-based – security is lacking in comparison. Only one in three respondents said their data was at least partially encrypted in the cloud, while a greater percentage (39%) admitted they did not have unbroken security audit trails across VMs in the cloud.

Despite these failings, security remains, as it always has done, the biggest concern about cloud-based workloads. 58% cited security specifically as their largest issue, followed by protecting sensitive data from unauthorised access (55%) – which amounts to pretty much the same thing – and the increased complexity of infrastructure (44%).

The report also finds that the common concept of shared responsibility is – again – not a universal concept among IT decision makers. One in five said they thought sole responsibility for the compliance of data stored on cloud services rested with the vendor, while only 39% correctly noted they considered themselves ultimately responsible.

Each cloud provider differs of course – although it does not quite mitigate the 20% in the survey who believed they were covered by their vendor’s SLA – but to illustrate, AWS outlines it thus. The vendor, according to this document, is responsible for security ‘of’ the cloud – compute, storage, networking – while the customer is responsible for security ‘in’ the cloud, such as customer data, applications, and identity and access management.

“The simple fact is that businesses must get the controls in place to manage their data, including taking the strategic decision that anything they would not want to see in the public domain must be encrypted,” said Mark Hickman, WinMagic chief operating officer.