Cloud security concerns are evolving with the increasing adoption of cloud computing, but continue to top the list of barriers to adoption, a study reveals.

Enterprise cloud security concerns are rising as investment in cloud grows, with abuse of user credentials seen as the biggest single threat, a report has revealed.

More than half of 2,200 global security professionals polled said unauthorised access through misuse of employee credentials and improper access controls is the single biggest threat to cloud security, followed by hijacking of accounts (44%) and insecure interfaces (39%).

“More than 56% of surveyed organisations use Active Directory on-premises to authenticate and authorise access to cloud applications, such as Microsoft Office 365,”

said Alvaro Vitta, principal solutions consultant at Dell Systems and Information Management.

“The failure to provide adequate on-premises Active Directory security controls leave cloud-based applications vulnerable to unauthorised access. Don’t let on-premises Active Directory be your hybrid directory environment’s Achilles’ heel,”

he said.

One in three organisations said external sharing of sensitive information is the biggest security threat, according to 2016 Cloud Security Spotlight Report by Crowd Research Partners, in collaboration with Alien Vault, Bitglass, Cato Networks, CloudPassage, Dell Software, Dome9 Security, Immunio, (ISC)2 and Randtronics.

Overall, the study indicates cloud security concerns are evolving with the increasing adoption of cloud computing, and that security concerns continue to top the list of barriers to cloud adoption.

General security concerns are cited as a barrier to adoption by 53% of respondents, up from 45% a year ago, followed by legal and regulatory compliance concerns cited by 42%, up from 29%, and data loss and leakage risks cited by 40% of respondents.

From theory to reality

According to the survey report, the rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.

“As organisations look to cloud computing to reduce IT costs, increase agility and better support business functions, security of data and applications in the cloud remains a critical requirement,”

said Holger Schulze, founder of the 300,000-member Information Security Community on LinkedIn.

“The 2016 Cloud Security Spotlight Report indicates that as organisations increase investments in cloud infrastructure, they are seeking a similar level of security controls and functionality to what’s available in traditional IT infrastructures,”

he said.

Traditional tools unsatisfactory in the cloud

However, Schulze noted that organisations are finding traditional security tools ineffective in the cloud.

“In a shared responsibility model, this is an opportunity for organisations to implement effective cloud security systems to strengthen their security posture and capitalise on the promise of cloud computing,”

he said.

The survey found that 84% of respondents are dissatisfied with traditional security tools when applied to cloud infrastructure. Respondents say traditional network security tools are somewhat ineffective (48%), completely ineffective (11%), or cannot be measured for effectiveness (25%) in cloud environments.

Nat Kausik, chief executive of Bitglass, said while cloud security has made great strides, neither native nor traditional tools fully address IT concerns.

“With purpose-built cloud security tools such as cloud access security brokers, organisations can achieve compliance and limit risk of data leakage,”

he said.

IT’s rapid transformation to a more agile ecosystem of shared, elastic infrastructure and continuous delivery, breaks traditional security tools, according to Ram Krishnan, chief product officer at CloudPassage.

“Cloud computing requires security platforms that are purpose-built for the cloud, yet work in and across any infrastructure to provide visibility, automated compliance, rapid deployments and micro-segmentation that protects workloads wherever they reside,”

he said.

Strengthening cloud security

The top three security headaches for organisations moving to the cloud are verifying security policies (51%), visibility (49%) and compliance (37%).

These results suggest companies are further along in implementation of cloud models compared with 2015, and are looking for security systems that enhance the capabilities provided by service providers, the survey report said.

Organisations moving to the cloud have a variety of choices available to strengthen cloud security, the report said.

Some 61% of organisations are planning to train and certify existing IT staff, 45% are partnering with a managed security services provider, and 42% are deploying additional security software to protect data and applications in the cloud.

David Shearer, chief executive of (ISC)2, welcomed the fact that 61% of organisations plan to train and certify existing IT staff.

“This exemplifies the critical role that qualified and properly trained professionals play in securing the enterprise. As cloud security concerns continue to rise, we’re pleased to support this initiative,”

he said.