IT's cloud security concerns do not correlate to actual failures

Yet another research report highlights IT fears, but don't confuse security concerns with security failures

A new report from researcher Ovum and managed service provider FireHost concludes that companies aren't exactly confident in their cloud providers' ability to provide the right level of security.

In the survey of IT pros, 92 percent are concerned about the shared cloud infrastructure's security, 92 percent are concerned about a lack of control over where the data resides, and 91 percent are concerned about a lack of visibility into security controls.

We see these kinds of surveys fairly often. They don't actually tell you whether the cloud is secure, only that IT pros perceive that cloud providers lack security.

But in reality, cloud security is much different than what these surveys indicate. Indeed, the larger cloud service providers are doing a good job. Because cloud computing is still a fairly new technology, the providers use current approaches and mechanisms, such as identity-based security and advanced encryption for data at rest and in flight -- mechanisms many enterprises don't use internally.

I suspect that most of the worries are driven by the natural fear that comes from not having direct control over your systems and data. To adopt the cloud, you must put your trust in other organizations.

The cloud providers perhaps have not done a great job of explaining their true competence when it comes to security. Fortunately, Amazon Web Services, Google, and Microsoft are doing a much better job lately in teaching their cloud users about security and how they approach it.

The metric that matters is not IT pros' personal concern but actual security breaches. The large data breaches that have made the news, such as Sony, Home Depot, and Target, have been nowhere near the cloud. All these big breaches are in traditional enterprise IT environments.

Logically, you should be more afraid of internal, aging systems leaking your data than of cloud service providers and their modern, centrally managed security technology.

This does not mean concern over cloud security is foolish. No matter the technology or provider, it is a good idea to nurse a healthy skepticism around security. Enterprises that second-guess security in both cloud and local systems are more likely to have better-secured systems simply because they are proactive.

But don't confuse security concerns with security failures, as so many of these (often self-interested) surveys do.

Successful security is all about being proactive and practical. At the end of the day, cloud providers are successful at security.

Copyright © 2015 IDG Communications, Inc.