As I was researching my Cost of Lost Trust blog, I came across “Security of Cloud Computing Users Study.” The Ponemon Institute published this study in March 2013 based on a survey and analysis completed in late 2012. It is a follow-up to their initial 2010 study on the same subject, and CA Technologies sponsored both studies. The full report is well worth a read if you are concerned about security in the Cloud, and if you are moving any part of your IT infrastructure to the Cloud, you should be.
The study was based on the analysis of survey responses from 696 IT or IT Security practitioners across the United States. 58% classified themselves as IT in general, with 21% classifying themselves in security roles. Over 40% were in the banking, government, health care and retail industries, with the rest scattered across about 20 other industries. Almost 80% of the respondents reported directly to the CIO (Chief Information Officer), the CISO (Chief Information Security Officer) or the CTO (Chief Technology Officer). The respondents each have an average of 10 years of IT or IT security experience.
Here, in my opinion, are some of the encouraging, and disturbing, highlights of this study. As often happens, some of the survey results can fit in both categories.
Overall, most organizations have improved their Cloud security practices since 2010. However, only about half of the organizations felt positive about the security of their implementation as they moved to the Cloud, and many were unable to create confidence in the Cloud within their own company.
The use of SaaS (Software as a Service) and IaaS (Infrastructure as a Service) has increased, and security practices have improved since 2010. However, only about half of the organizations even bother to evaluate their Cloud Service Provider (CSP) from a security perspective prior to deployment. Not surprisingly, about the same number are not confident about the security provided by the CSP. Even more worrisome, only about half of the organizations surveyed involve their security team in planning a Cloud implementation.
One of the biggest issues with security is “who is responsible?” The survey indicated that 36% of SaaS users expect the CSP to ensure the security of their applications, and 22% of IaaS users have the same expectation. Yet only about 10% of the organizations actually engage in discussions with the CSP on security issues. Almost 80% of the respondents believe their end-users are “the number one group responsible for the security of cloud service providers.”
No matter how you handle it, security is your responsibility. If something goes wrong, it is your problem to fix, your fines to pay, and your customer relationships that are damaged. Your CSP will likely help to investigate the problem, but the CSP will not take responsibility nor accept any liability. Make sure you and your own security and compliance team are satisfied with your total security and compliance status, including your partners’ security and compliance status. Also make sure you can convince your senior management and customers that you remain secure.
I have said this many times before, but it is your responsibility to:
1. Understand the real security requirements of the workloads you plan to move to the Cloud. Remember to include data Life Cycle Management, archive and backup requirements in this analysis.
2. Work with your CSP to make sure these security requirements can be met.
3. Document how your security requirements are being met, and who is responsible for each step and requirement.
4. Periodically review the requirements, since they will change as compliance, laws, and your workload change. At a minimum you should be reviewing your security requirements any time you add a new application or start collecting new data.
5. Periodically review the security status of your IT environment to ensure that you are still meeting your requirements.
6. Talk to your stakeholders throughout the process to address their concerns and make them confident in your plans and implementation.
Of course you are already doing 1, 3, 4 and 5 in your IT environment today, so the real work is in adding a new partner, your CSP. If by chance you are not currently doing these steps, then I strongly suggest you do steps 1, 3, 4 and 6 before you move to the Cloud.
Security is like dust on the furniture. Nobody notices when there is no dust, but you will get real attention if you have a security problem.
The last word:
I periodically see articles that the Cloud is not meeting expectations, and I wrote on the State of the Cloud in January. In September 2012, TechTarget conducted its Cloud Pulse survey, focused on Cloud Computing adoption and usage. Their Cloud Adoption Index for Public and Private Clouds is 25%. If all respondents moved entirely to the Cloud, then the Cloud Adoption Index would be 100%, so essentially one quarter of the respondents’ workloads are running in the Cloud on average. 61% of the respondents are using the Cloud in some way.
TechTarget found that of those who said in March 2012 they were moving to the Cloud in the next six months, the September survey indicated that many had not yet made the move. The top reasons for the delay are the usual ones:
- 34% cited a lack of control over what happens in the Cloud compared to their own on-premises facility.
- 33% indicated that they still had a way to go in basic virtualization, a necessary first step for most Cloud migrations.
- 31% are concerned about security in the Cloud.
Both the Ponemon and TechTarget surveys are “glass half full / half empty” results. But perhaps the real answer is the engineer’s response: the glass is too big. The Cloud is a technology, not a product, and your journey to the Cloud is unique. Someday you will be there, but you need to evaluate the Cloud from your own business perspective to determine how and when you are ready.
Keep your sense of humor.