Study: Cloud Provider Confidence Still Lacking12:00 PM EST Wed. Mar. 06, 2013
While the use of Software-as-a-Service and Infrastructure-as-a-Service cloud providers has increased since 2010, firms are still not fully confident in the security of those services, according to a new study conducted by The Ponemon Institute. The survey of 748 U.S.-based IT and IT security practitioners found that only half of those using SaaS or IaaS are confident in the security of those services. In fact, 46 percent of IT professionals in the study said security concerns stopped or slowed cloud adoption in their organization. The study was commissioned by CA Technologies.
Seventy-nine percent of those surveyed said end users were the No. 1 group responsible for the security of cloud service providers. Only 8 percent of those surveyed said their IT or IT security teams are engaged to analyze the security of SaaS applications, and only 10 percent said it was the case for IaaS. Ponemon said relying on end users for security could result in practices that are inconsistent with the overall security posture of the organization.
Organizations are concerned about the security of applications and the protection of data stored in the cloud, but only about half are doing anything about it, the study found. About 51 percent of those surveyed said cloud-computing applications are vetted for risks before being used. About half said they assessed the impact of cloud computing on the ability to protect confidential information.
The most mature form of cloud-computing services, Software-as-a- Service, is seeing an increase. Seventy-nine percent of those surveyed said their organizations use SaaS, up from 67 percent in 2010. Respondents said SaaS was important in meeting their IT and data-processing goals. More organizations are evaluating SaaS applications than ever before, with more than half indicating that they are being evaluated for security prior to deployment. About 45 percent of those surveyed indicated that their organizations use IaaS.
The survey based confidence level on 25 attributes and found a 12 percent cloud security "confidence gap" in favor of on-premises computing for all attributes. On-premises applications and infrastructures were viewed as better for performing patches to software promptly, controlling data used in development and securing vendor relationships before sharing information.
Survey respondents said they were increasingly confident that data in the cloud is protected from loss and theft and that encryption is employed. Increasing confidence levels were documented for traffic monitoring and the control of data in development and testing.
Those surveyed indicated a declining confidence level for the effectiveness of cloud-computing providers to ensure compliance with self-regulatory frameworks and access to qualified IT security personnel. Declining confidence was also seen for cloud-computing providers to authenticate users properly and for knowing where information was physically located.
Smaller organizations are less likely than large organizations to view their on-premises computing as more secure than cloud-computing providers. Larger organizations have the resources for IT security professionals and are more likely than smaller firms to have increased confidence in on-premises computing than the security posture of cloud providers, the Ponemon report found.