Carla Arend (Lead analyst European Cloud Research)

Security has been cited as the biggest obstacle to cloud adoption for as long as I can remember, and indeed in our latest European cloud survey, 42% of organizations mention security as their biggest concern regarding public cloud, followed by regulatory compliance issues. That number has dropped significantly from over 60% a few years ago, but shows that organizations are struggling to get it right and cannot accelerate their cloud journeys before they have added cloud into their security and governance frameworks.

The significant change today is that 66% of European organizations are now convinced that public cloud and SaaS solutions can offer better security than their own internal IT departments and that the benefits of using public cloud solutions outweigh the security concerns. But how can security be both the biggest concern and a benefit to cloud adoption? What is going on here?

It is now widely accepted, that public cloud service providers (including IaaS, PaaS and SaaS) are investing heavily in security, because they understand that they will be out of business if they have a breach and their entire business depends on getting security right. The challenge remains, however, to connect securely to cloud services and to implement security frameworks and governance spanning from on-premise IT to the public cloud.

It is also accepted by 73% of organizations that cloud services provide better business continuity and disaster recovery than on-premise IT at a lower cost, as companies are shying away from the investment in a secondary data center and from testing their BC and DR solutions regularly, because of fear of service disruption and unplanned downtime.

One common misconception needs to be addressed: 62% of organizations believe that security of data and systems in the cloud is the sole responsibility of the cloud provider. That is not the case! There is a shared responsibility between the customer and the cloud provider. The customer of cloud services is ultimately responsible for the security of their data “in” the cloud. The cloud service provider is only responsible for the security “of” the cloud, i.e. to ensure that the processing of the data in the cloud is happening in a secure way.

Consequently, 72% of organizations believe that they should use cloud security solutions like cloud security gateways (CSG) to ensure that users, applications and data are secure in the cloud and security policies can be defined and executed in the cloud.

If you want to learn more about cloud security, join us in Copenhagen, Stockholm, Oslo, Helsinki and/or London at IDC’s security conferences.