Who's to Secure Cloud: Vendor or User?

Survey Says Cloud Providers Emphasize Cost Savings, Not Security
Security is a primary reason many organizations pause when considering a move to cloud computing. Yet, if a new survey conducted by Ponemon Institute for enterprise software vendor CA reflects reality, most cloud computing providers don't see securing customer data as their primary responsibility. Most cloud providers see reducing costs and faster development as their main benefits to customers.

"If the risk of breach outweighs potential cost savings and agility, we may reach a point of cloud stall, where cloud adoption slows or stops, until organizations believe cloud security is as good as or better than enterprise security," Mike Denning, CA Technologies general manager for security, says in a statement accompanying Thursday's release of the Security of Cloud Computing Providers Study.

Only 43 percent of cloud computing service providers polled in the United States perceive security as very important or important for meeting their organization's IT and data processing objectives. Study researchers say they find it interesting that providers don't consider the security of cloud services as a competitive advantage despite the risks to data in the cloud.

Why do organizations enter contracts with cloud computing service providers? More than 90 percent of the providers surveyed cited reduced costs; nearly 80 percent said faster development time. A mere 11 percent cited improved security. "The focus on cost and speed, and not on security or data protection, creates a security hole," the report says.

The survey report authors say this explains why 62 percent of U.S. providers lack confidence that cloud applications they host are sufficiently secured. Two-thirds of U.S. cloud providers display a lack of confidence that their customers' security requirements are being met. "There is a lack of confidence that their cloud applications and other resources are secure," they write.

In some areas, however, cloud service providers tout their security capabilities, the survey shows. They're most confident about their ability to guarantee recovery from significant IT failures and ensure that data assets are physically housed in secure environments. They are least confident in their ability to restrict privileged user access to sensitive data and ensure proper data segregation requirements are met, according to the survey.

A year ago, Ponemon and CA teamed up to survey cloud computing services' users, and when compared with the new study, a stark difference of perception is revealed between provider and customer. Nearly 70 percent of users said vendors were most responsible for ensuring the security of cloud resources; only 32 percent of vendors cited themselves. Sixteen percent of providers but one-third of users said security was a shared responsibility. "These different perceptions about who is responsible for securing the cloud means organizations may be over relying on their cloud vendors to ensure safe cloud computing," the study's authors caution.

The survey report's authors say the surveyed providers conclude that they cannot provide complete assurance that their products or services are sufficiently secure. "Given the well-publicized concerns about the potential risks to organizations' sensitive and confidential information in the cloud, we believe it is only a matter of time when users of cloud computing solutions will demand enhanced security features," the authors write. "However, until this happens, users of cloud computing should be aware of their responsibility to assess the risks before migrating to the cloud."

Ponemon surveyed 103 American and 24 European cloud service providers.


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



