Study: Cloud Security Improving But Far From Fixed


Concerns about authentication are also very commonplace. According to the survey, only 29 percent of the respondents expressed confidence in their organizations' ability to identify and authenticate users before granting access to cloud resources or infrastructure. This is a decrease from 34 percent in the 2010 study. Meanwhile, confidence in the authentication procedures related to on-premise networks rated much higher at approximately 60 percent.

"Authentication and access management is a highly complex process under the best of circumstances, and when you introduce the cloud you add even more complexity," explained Ponemon. "Adding the cloud to the mix creates a big mess. Companies are starting to look at different options and one of those options is to have basically one system that regulates both cloud and on premises. These hybrid concepts appear to be very appealing to the respondents."

Overall, Ponemon recommended that solution providers advising cloud customers focus on two critical areas. The first is the relative security of each respective cloud provider, and the second is taking a careful approach to what types of applications and data are used in the cloud.

"The first thing I would do is to try to ascertain whether the cloud provider is certified based on a reasonable security standard, like an ISO27001, or NIST standard or FISMA," he said. "A certification is a good indicator, but it's not a great indicator because certifications can be outdated, or they can target issues that are not relevant to that particular customer. Channel partners should also make sure that there's a clear understanding about who is responsible for security. Lately there has been a lot of security systems built specifically for the cloud, such as various types of encryption technologies, or the ability to switch off ports when some form of anomaly is detected. Beyond that, you should think twice about whether to let sensitive data go to the cloud. But in general each company has to make that decision on their own."

PUBLISHED MARCH 8, 2013