What Mary Meeker Missed about Cloud Security

January 15, 2019  Jeff B. Copeland

When Mary Meeker speaks, Silicon Valley listens. Last week, the Valley’s most respected forecaster (and partner at venture capital firm Kleiner Perkins) presented her annual Internet Trends report for 2017, a 355-slide extravaganza of predictions.

Slides 178 through 190 covered Meeker’s take on the rapid growth of cloud technology, including this warning about cloud security:

“More Cloud Applications → More Vulnerabilities”

To which we would respectfully reply:

“More Cloud Applications → More or Less Vulnerabilities, Depending on the Risk Posture of the Cloud App Provider”

First, here’s how Meeker (and associate Alex Kurland) told the story:

Spending on cloud infrastructure is approaching traditional data center spending, up 37% in 2016 over 2014. Companies are rapidly moving applications to the cloud.

But, danger…

Look at the right side of this slide: 94% of all cloud apps are not really scaled for use in large enterprises. “This has serious security and compliance implications.”

And that clearly has CISOs and auditors concerned, as they should be. The next slide shows data security is still the biggest worry about cloud services, though that concern eased a bit from 2012 to 2015. Meanwhile, concerns about compliance and governance rose with the proliferation of cloud-based apps.

Going Beyond ‘Concerns’

Recently, RiskLens risk analysts helped a learning institution that wanted to be not just concerned about cloud security, but able to make a financially based decision on how to handle data in the cloud.

They posed this challenge to the analysts: “Show us how much risk is associated with different security encryption strategies related to our CRM (Customer Relationship Management) cloud data.” The analysts looked at three alternatives:

  • Keep the current CRM instance running in the cloud with encryption by a Cloud Access Security Broker (CASB).
  • Run the CRM with encryption at the database level.
  • Run the CRM with no encryption.

Using the FAIR model and the RiskLens application, analysts assessed the value of the learning institution’s data in the cloud and the likelihood and impact of various cyber threats, and ran the values through thousands of simulations to calculate a range of potential annual losses for the institution.

The result? Turns out they were far better off with their current cloud solution than switching to the alternatives.

The implication?

"More Applications in the Cloud → Need for More and Better Risk Analysis"... for well-informed and case-by-case decision-making.
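To make the simulation step concrete, here is an added sketch (not RiskLens code and not the institution's data) of a FAIR-style Monte Carlo comparison of the three options, where loss event frequency is threat event frequency times vulnerability and annual loss is the sum of loss magnitudes. Every range in `OPTIONS` is constructed for illustration, and the assumption that each encryption strategy changes vulnerability and loss magnitude is ours.

```python
import random
import statistics

# Constructed (min, most likely, max) estimates per option. These are NOT from
# the RiskLens engagement; they only illustrate the shape of a FAIR input set.
OPTIONS = {
    "casb_encryption":     {"tef": (2, 6, 12), "vuln": (0.01, 0.03, 0.08),
                            "loss": (50_000, 200_000, 1_500_000)},
    "database_encryption": {"tef": (2, 6, 12), "vuln": (0.03, 0.08, 0.20),
                            "loss": (50_000, 250_000, 2_000_000)},
    "no_encryption":       {"tef": (2, 6, 12), "vuln": (0.10, 0.25, 0.50),
                            "loss": (100_000, 500_000, 5_000_000)},
}

def pert(rng, low, mode, high, lam=4.0):
    """Sample a beta-PERT distribution, a common way to model expert ranges."""
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def simulate_year(rng, est):
    """One simulated year: threat events -> loss events -> summed loss."""
    attempts = round(pert(rng, *est["tef"]))   # threat event frequency
    vuln = pert(rng, *est["vuln"])             # P(threat event causes a loss)
    loss_events = sum(rng.random() < vuln for _ in range(attempts))
    return sum(pert(rng, *est["loss"]) for _ in range(loss_events))

def annual_loss_exposure(est, runs=10_000, seed=1):
    """Run the simulation and summarize the annual loss distribution."""
    rng = random.Random(seed)                  # seeded so runs are repeatable
    losses = sorted(simulate_year(rng, est) for _ in range(runs))
    pct = lambda p: losses[int(p * (runs - 1))]
    return {"mean": statistics.fmean(losses),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

def compare(options=OPTIONS, runs=10_000, seed=1):
    """Annual loss exposure for every option, keyed by option name."""
    return {name: annual_loss_exposure(est, runs, seed)
            for name, est in options.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:20s} mean=${r['mean']:>12,.0f}  "
              f"p50=${r['p50']:>12,.0f}  p90=${r['p90']:>12,.0f}")
```

The ranking this produces follows entirely from the constructed ranges; a real analysis replaces them with calibrated estimates and compares the full loss distributions, not only the means.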

Learn More:

Learning Institution Assesses Best Architecture To Secure Cloud App

Quantifying Cloud Risk for a Hospital