Opinion

Blind trust is not a security strategy


17 June 2016

With Infosecurity 2016, arguably the biggest security show in Europe, just around the corner, I’ve been thinking about all the new technologies, innovations, standards and trends that will be displayed over this coming week – and how many organisations still rely way too heavily on simple blind trust.

Astonishing, I know, but our recently commissioned research, which surveyed over 100 IT decision makers and security experts who leverage cloud infrastructure and/or Disaster-Recovery-as-a-Service, truly found that trust was the key issue. We embarked upon this research with Enterprise Management Associates (EMA) because we wanted to better understand the way in which cloud deployment impacts the IT security and compliance postures of companies. And although this was a North American study, to be honest, I think the same principles apply to any organisation regardless of location.

I have to say that the findings were enlightening. Why? Because nearly half of the security experts EMA polled said they just trust the cloud to be secure and compliant. More specifically, 47 per cent of security personnel stated that they “simply trust” their cloud provider to meet security agreements without further verification. 

Now, iland runs a cloud. And we really love it when people trust us – it’s core to our value proposition. But we also encourage organisations that we work with to verify, not to just have faith in our marketing, our assortment of compliance logos or our brand. And that leads me to the key point of EMA’s study: Blind trust is not a security strategy.


Perhaps because blind trust in cloud vendors is so prevalent, the study also found that far more teams are just adding a host of security technologies on top of their cloud workloads. It seems loading up their workloads with nearly 50 per cent more “stuff” than on-premise helps make that trust feel less scary. 

In fact, the survey found that “security features” topped the list of priorities that companies consider when selecting a cloud provider, ranking above performance, reliability, management tools and cost. EMA also noted that it may be easier to deploy and update these technologies in cloud than on-premise and that IT now sees cloud adoption as an opportunity to improve security with previously unused technology. Further, when asked why they had not deployed specific security features in the cloud, respondents indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was not necessary. 

But, I can’t help feeling that this is like adding a wheel lock to an unlocked car. Or like setting up motion-activated lights around your house without checking that the front door is actually locked. And the evidence pointed to a real lack in organisational ability to consume the information coming off these security technologies, with gaps in security tool integration, analytics and reporting. So in reality, what this means is that if the alarms go off – will anyone actually come and check the property? And how can you be certain nothing was stolen? Do you actually know?

In my view, this isn’t really the fault of IT teams, who we already know are completely overwhelmed by the sheer volume of work hitting them on a daily basis. Responsibility and accountability go far beyond their control. If anything, they are deploying the best strategies they can to shore everything up.

That said, I would propose there is another way – one in which you find clouds that do integrate security technologies, make sense of alerting and provide on-demand reporting. You find clouds where your desire to verify security is welcomed – not questioned. In short, you find a partner – not a supplier, who can work to provide all the verification you need. 

I am sure that over the course of the coming week there will be an abundance of new and innovative approaches to securing your infrastructure at Infosec 2016, but to be honest, if all we are relying on is blind trust as the best security policy, much of this investment will be wasted.

Lilac Schoenbeck is VP of product marketing and development at iland.
