Enterprise IT and compliance groups agree on one thing for certain: their cloud environments could use some work on the security front. Less than half of the 1,018 IT security practitioners and enterprise compliance officers surveyed by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, believe their organizations have adequate technologies to secure their infrastructure-as-a-service (IaaS) environments (35 percent of IT practitioners and 42 percent of compliance officers). Beyond that, the two groups differed wildly on issues of IaaS security—from whether the cloud is as secure as on-premise data centers to who is responsible for cloud data security to what security measures should be put in place to prevent unauthorized access to data.
Just one-third of IT security practitioners said that cloud infrastructure environments are as secure as their own on-site data centers, while half of compliance officers rated IaaS as secure as on-premise infrastructure. There was also significant disagreement about whether their organizations had sufficient processes in place to enable the secure use of cloud infrastructure. Only 34 percent of IT respondents believed that there were sufficient procedures in place, while 52 percent of compliance respondents were satisfied with their security policies.
Both groups thought encryption was important to protect against unauthorized data access, although they differed on who they were trying to keep out of the systems. IT practitioners said encrypting data to make it unreadable by cloud service providers was the most important IaaS security measure to take, while compliance officers said encryption should be used to prevent IT administrators from accessing data they do not need to perform their jobs. Yet, according to the study, few cloud vendors offer encryption to their customers. Only 31 percent of respondents said their organization’s major cloud providers use encryption to protect data from insider threats. The majority of respondents were more likely to employ firewalls, anti- virus and anti-malware software, and identity and access management technologies to protect sensitive or confidential information exposed to the cloud.
On the subject of vendor due diligence, 59 percent of IT respondents say that security was either a low priority or not considered at all when evaluating IaaS providers, while 56 percent of compliance officers said it was a very high or high priority.
As for who is in charge of cloud security, the greatest number of compliance officers (21 percent) said that they are responsible for defining security requirements in the cloud, while the greatest number of IT security respondents (22 percent) believed business unit leaders are responsible for defining security requirements in the cloud. Both groups did agree, however, that business unit leaders are responsible for enforcing cloud security and no single person or group maintains responsibility for the actual implementation of security measures.
That, says Ponemon Institute chairman and founder Larry Ponemon, gets to the heart of the matter: ownership for security in the cloud is dispersed throughout organizations, further clouding the security issues surrounding as-a-service offerings. As a result, enterprise-wide cloud security strategies are difficult to implement.
And while IT and compliance haggle over security strategies, tactics, and ownership, internal audit groups are sitting on the sidelines. More than half of respondents said their organization’s internal audit review does not provide any feedback on the security of cloud infrastructures.
Security concerns do not seem to be slowing down cloud adoption, however. More than half (56 percent) of IT practitioners surveyed stated that security concerns would not prevent their organizations from implementing cloud services. Companies were most likely to store unstructured data, such as emails, files, and documents, in IaaS environments, according to the study. In addition, cloud services accounted for approximately 20 percent of the IT budget of those responding to the survey, and their cloud budgets are expected to increase approximately 31 percent in the next one to two years.
Not surprisingly, however, the two groups quarreled over the real benefits of cloud computing initiatives. IT respondents cited business agility, speed to roll out new services, and fewer personnel and management requirements as their biggest cloud drivers. Compliance respondents said cloud adoption lowered operating costs, improved compliance, and provided better quality infrastructure.