There are clear benefits to adopting cloud services, such as improved availability and cost optimization. Cloud also offers an opportunity to update legacy systems and processes that may have been on the risk register for a long time with no clear mitigation strategy in place.

Common Misconceptions About Cloud Security

IDC predicted more than 80 percent of enterprise IT organizations will implement hybrid cloud architectures by 2017. IT executives remain concerned about operating model changes, however, and many are wary of the perceived security challenges and increased operational complexity of cloud solutions.

Below are some common misconceptions related to cloud adoption.

Cloud Computing Is Less Secure

This should not be the case if done correctly. Security risks vary depending on the deployment model, but a clear assignment of ownership and accountability between the organization and the cloud service provider (CSP) can provide adequate security for the migrated workloads. The homogeneous operations and management practices applied by CSPs in their IT and operating environments can actually improve your security posture.

Cloud Security Is Too Complex

Cloud security does pose a new challenge, since it must be managed as an extension of the existing controls environment. However, a comprehensive security framework can prioritize areas of control enhancement and inform investment decisions. Added focus on data security and privacy may compound the complexities from a compliance perspective.

Cloud Security Is Difficult to Maintain

Many IT professionals are concerned about transparency and assurance. Establishing strict governance backed by metrics and enforceable service-level agreements (SLAs) can assist in measuring a CSP’s performance.

Frequently Asked Questions

Taking the first step on a journey to cloud adoption can be daunting. Some common questions to ask at the beginning of this process include:

Which Framework Do We Use?

Multiple standards are available, each with different benefits, depending on circumstances and the environment. It is critical to establish a comprehensive cloud security controls framework that leverages industry best practices and aligns with the organization’s risk appetite.

It is also important to recognize key sets of security controls and delineate roles and responsibilities clearly. This will drive performance measurement against the SLA if the CSP is appointed as a vendor.

What Are the Regulatory Implications?

Cloud offers a new set of challenges in terms of data transfer and protection, especially with new regulations coming down the pipeline. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, adds to the list of concerns. To remain secure and compliant, organizations need a holistic view of the regulatory landscape.

Will I Have Full Access to the CSP’s Security Environment?

Typically, this is not the case, but some CSPs provide more security transparency than others. This should be clearly identified as part of the vendor due diligence phase. Transparency requirements must be satisfied before agreeing to the vendor’s terms and conditions.

What Workloads Can I Put on the Cloud?

This depends. Some organizations experience scope creep in cloud adoption, leading to the unplanned migration of more sensitive workloads onto the cloud and neglect of the initial security principles. Such issues must be monitored to avoid a mismatch of expectations.

Where Do I Start?

Security needs to be at the heart of your cloud strategy and design. An effective cloud strategy must match the workload with the appropriate controls framework to provide assurance and protection. This approach ensures that the security capabilities offered and managed by the CSP align with the organization’s risk appetite. The framework should also consider regulatory, legal and compliance requirements that are relevant to the organization.

A Dynamic Framework

IBM utilizes a unique cloud security framework that breaks down the domains into eight categories: governance, metrics, cloud security optimization, data security, application security, network and system security, secure operations, and identity and access management.

Security teams can use governance and metrics to measure and audit the security capabilities in place. The domains consist of cloud-centric categories as well as business-as-usual security. For these domains, fundamental changes relate to maturity in service integration and the manner in which roles and responsibilities are defined within a clear ownership structure.

A successful transition requires a clearly defined cloud security strategy. That strategy should identify the target state and provide prioritized road map considerations that may lead to a consolidation of cloud activities within the organization.

A paradigm shift in operating models comes with many challenges. By clearly defining the workload sensitivity and controls framework, security teams can enable efficiency, agility and trust when it comes to cloud security.
