Report
Building Trust
in a Cloudy Sky
The state of cloud adoption and security
Table of Contents
Introduction
Methodology & Demographics
Research Findings
Cloud architecture shifting from private to hybrid
Cloud First strategies affecting IT budgets
Perceived benefits of public cloud surpassing private cloud
Skills shortages affecting cloud adoption
Sensitive data moving to the public cloud
Integrated security better at securing sensitive data
Senior management more understanding of the risks and rewards
Usage of PaaS growing faster than SaaS or IaaS
Greater than 50% chance of getting malware from a SaaS application
Issues and concerns with cloud service providers
Data in transit top concern for SaaS
Integrated security top concern for IaaS
Actions to increase public cloud adoption
The growing nemesis of Shadow IT
How IT is finding Shadow IT
How IT is securing Shadow IT
Data center infrastructure shifting to true private cloud
Unauthorized access top concern about private clouds
DevSecOps improving efficiency of security teams
Conclusions
Recommendations
Foreword
I am pleased to provide a foreword to Intel Security’s survey and research paper, “Building Trust in
a Cloudy Sky”. This report contains a rich set of findings of the progress towards cloud adoption
by a diverse global audience and the key security considerations in play. Reading this document
will greatly aid practitioners in taking a data-driven approach towards securely migrating to cloud
computing and I encourage security professionals to carefully review these findings and share
broadly with management and other key stakeholders outside of the security organization.
This report clearly resonates with the anecdotal information I have received in my travels
representing the Cloud Security Alliance this past year. Cloud computing is maturing and broad-
based adoption is occurring. This maturity is not manifesting itself by a period of stasis, but is
instead highly dynamic. New technologies and market entrants abound, and just as importantly, key
players are exiting the cloud markets. The one constant in all of this is the clear responsibility of
cloud users to understand their role in assuring that cloud computing is as secure as it can be and
needs to be. Proper cloud security education and tools are every organization’s bulwark against the
evolving threat vectors in cloud.
I expect that we will see several important milestones in cloud computing in 2017. Microservices
such as containers and APIs will gain significant traction as important means to enhance the value
of virtual machines. DevSecOps will become a mainstream information security topic. Several
strategic regulatory bodies will announce new guidelines that will in effect ease the path to adoption
of cloud computing for providers and customers. Information security professionals should
prepare themselves for this next wave of cloud adoption. Understanding the current cloud security
benchmarks articulated in this survey provides a fantastic way to continue your journey.
Jim Reavis
jreavis@cloudsecurityalliance
CEO, Cloud Security Alliance
Preface
Cloud First. Two simple words, but the approach is now well and truly ensconced into the
architecture of many organizations across the world. In our survey from 2015 there were some
remarkable findings, none more so than the average of 16 months the surveyed IT organizations
believed it would take before 80% of their IT budget was devoted to cloud solutions. Our initial
assumption when designing the survey, that there was a gap between intent and implementation
and that the transformation to cloud would take several years, was proven inaccurate. The desire to
migrate quickly towards cloud computing appears to be on the agenda for most organizations. This
year the average time before respondents thought their IT budgets would be 80% cloud-based
was 15 months, indicating that Cloud First for many companies is progressing and remains the
objective.
We can still see some dark clouds on the horizon. It is evident from our survey that the lack of
cybersecurity skills is having an impact on cloud adoption for organizations of all sizes. Previous
concerns about the lack of trust in public clouds seem to be dissipating compared to the responses
in 2015, with more practical considerations becoming the biggest concerns today. Senior
management also appear to be more understanding of the risks involved in storing sensitive data
with third-party providers.
Perhaps one of the reasons that a Cloud First approach is moving ahead is that incidents are
decreasing. Yet again more practical issues dominate the landscape, such as interoperability,
the lack of transparency of data movement, and public cloud operations. In one year, the IT
professionals surveyed have moved away from the feeling the cloud is untrustworthy, to a better
understanding of the benefits that it can bring. What is equally encouraging is IT departments have
made progress, not only in terms of articulating the risk up the management chain, but also across
the company. Public cloud benefits are being realized, with the cost of outsourcing compared to
hosting internally acting as the key motivator.
As we move forward into a world where cloud computing is almost ubiquitous, we are faced with
practical issues that could slow adoption. These issues need to be addressed, and research efforts
such as those conducted by the Cloud Security Alliance can aid organizations looking for best
practices. Remarkable progress has been made within the past 12 months, and the cloud and
security industries are now moving into a new phase of work to be done.
Raj Samani
@Raj_Samani
Chief Technology Officer, EMEA, Intel Security
Introduction
There does not appear to be any question that cloud services have been accepted as a viable IT
option for organizations. More than 90% of the over 2,000 cloud security professionals surveyed
stated that they were using some type of cloud service in their organization, and many are now
operating under a Cloud First strategy.
Clouds come in a variety of shapes and sizes, and while they are definitely saving money and
enabling greater flexibility, the change in technologies is straining some IT resources. Investigating
the impact of the security skills shortage on cloud adoption is a priority for this year’s report. We
also asked for more details this year about operating architecture, types of services in use, and ongoing
concerns. The overall objectives of this research are to identify the types of cloud architectures and
services currently in use, understand organizational security concerns and how to address them,
and investigate the nature of Shadow IT and the impact it has on an organization’s adoption of
cloud services.
Survey respondents were asked what types of cloud services they were using, and could choose
one or more from the three options:
■ Software-as-a-Service (SaaS), e.g. Salesforce, Dropbox, DocuSign
■ Infrastructure-as-a-Service (IaaS), e.g. Amazon Web Services, Microsoft Azure
■ Platform-as-a-Service (PaaS), e.g. Google App Engine, Red Hat OpenShift
Respondents were asked which of three types of cloud architecture were in use at their
organization, and could choose only one option:
■ Private only
■ Hybrid, or a combination of public and private
■ Public only
Perhaps most important to the success of cloud services is the rapidly improving perception of
public cl