How organizations manage cloud computing security risks
A Ponemon Institute survey of 1,000 IT security practitioners and enterprise compliance officers revealed that less than half of all respondents believe their organizations have adequate technologies to secure their cloud infrastructures.
Meanwhile, the two groups sharply disagreed on whether the cloud is as secure as on-premise datacenters, who is responsible for cloud data security, and what security measures should be used.
According to the report, only one third of IT security practitioners believe cloud infrastructure (IaaS) environments are as secure as on-premise datacenters, while half of compliance officers think IaaS is as secure.
Regarding cloud security roles, the largest share of compliance officers (21 percent) said they are responsible for defining security requirements, but the largest share of IT respondents (22 percent) think this responsibility belongs to business unit leaders.
When asked about the most important cloud security measure, IT practitioners cited the use of encryption to make data unreadable by cloud service providers, yet compliance officers said encryption should be used to enforce separation of duties to prevent IT administrators from accessing data they do not need to perform their jobs.
“While we were surprised by the different attitudes towards cloud security among IT practitioners and compliance officers, the findings did reveal that security in the cloud is a concern for both groups, especially in IaaS environments,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “What is most troubling is the fact that while respondents feel they lack adequate technologies to secure their IaaS environments, ownership for security in the cloud is dispersed throughout the organization.”
Ponemon Institute also identified the following key findings on data security in the cloud:
- Less than half of IT practitioners (35%) and compliance officers (42%) believe their organizations have adequate technologies to secure their IaaS environments.
- Less than one third of respondents said their organizations encrypt data and/or files in the cloud.
- Data in IaaS (Infrastructure as a Service) cloud environments is perceived as a greater security risk. SaaS (Software as a Service) is considered by both groups to be more secure.
- More than half of respondents said their organization’s internal audit review does NOT provide feedback on the security in cloud infrastructures.