The sorry state of Cloud Security

May 4, 2011

With security still cited as the main inhibitor to end user adoption of Cloud Computing, the results of a new study by the Ponemon Institute isn’t likely to help matters with its claims that service providers aren’t focused enough on security.

The study – Security of Cloud Computing Providers – finds that the majority of Cloud providers allocate less than 10% of their resources to security while focusing attention on delivering benefits, such as reduced costs and speed of deployment.

The study – sponsored by Computer Associates – polled 127 Cloud service providers, 55% of whom offer Software-as-a-Service, 34% Infrastructure-as-a-Service, and 11% Platform-as-a-Service. Only 23 percent of US and 35 percent of European cloud providers strongly agree and agree that IT leaders of their organisations are concerned about the security of Cloud Computing resources provided to their customers.

The study’s main conclusions are:

* The majority of Cloud Computing providers surveyed do not believe their organisation views the security of their Cloud services as a competitive advantage.
* Cloud providers do not consider Cloud Computing security as one of their most important responsibilities Cloud providers do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
* The majority of Cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. Providers also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
* Cloud providers say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications.
* The majority of Cloud providers admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
* Providers of private Clouds attach more importance to meeting security objectives than providers of public and hybrid Cloud solutions.
* Security as a “true” service from the Cloud is rarely offered to customers today.

This is the second study that Pokemon and CA have conducted. In May 2010, they released the Security of Cloud Computing Users study, involving 642 US and 283 European Cloud Computing users. Comparing the findings of both studies paints a depressing picture in which both users and providers seem unwilling to face up to their security obligations.

The latest study notes:
“Cloud Computing users admit they are not vigilant in conducting audits or assessments of Cloud Computing providers before deployment. They also seem to be frustrated because decisions to use certain applications are made by end-users who may not have the knowledge or expertise to properly evaluate security risks.”

It concludes:
“Different perceptions between Cloud providers and Cloud users about who is responsible or securing the Cloud means organisations may be over relying on their Cloud vendors to ensure safe Cloud Computing. ”

The longer term implications of this mutual neglect could be highly damaging. Mike Denning, Computer Associates’ general manager for security, warned:
“If the risk of breach outweighs potential cost savings and agility, we may reach a point of ‘Cloud stall’ where Cloud adoption slows or stops until organisations believe Cloud security is as good as or better than enterprise security. ”

Source The sorry state of Cloud Security

Please visit us at http://www.gosecure.com soon

%d bloggers like this: