Study: Cloud Security Improving But Far From Fixed


According to a recent study, organizations have improved their cloud security practices over the past three years, but security continues to be a major concern around cloud adoption.

The research was conducted by the Ponemon Institute, which surveyed 748 professionals in information technology and IT security. All of the respondents resided in the U.S., and most were rated at supervisory level or higher. The research was commissioned by CA Technologies as a follow-up to a similar study conducted in 2010.

The findings suggest that security practices have been improved over the past three years, but there continues to be widespread concern about the effectiveness of those practices. The study also revealed that security is a key criterion in the public cloud provider selection process in only approximately half of the responding organizations.

 

[Related: Gartner: Cloud, CRM To Drive SoftwareSpend Through 2014]

"In general we conclude that there is evidence of improvement from a security point of view, both in terms of Software-as-a-Service and in terms of Infrastructure-as-a-Service," said Dr. Larry Ponemon, founder of the Ponemon Institute. "When we did a comparable study two years ago, security was a somewhat bigger issue and the people in the organization that were doing cloud were actually doing insecure cloud. The main issue to drive cloud is cost-efficiency, which continues to reign supreme, but we see that a lot of organizations are starting to think about and implement better security measures. It's a small improvement overall, but an improvement nonetheless."

Ponemon added that one of the changes most urgently needed would be a move toward a higher role for security personnel in the cloud provider selection process.

"One of the issues that hasn't changed very much since 2010 is the lack of a role for security professionals in selecting the cloud provider," he said. "They're just not being asked very often, which is a mistake because these people should be the first line of defense. It should not be decided by end users who don't really understand security."

Meanwhile, the report cites a lack of agreement regarding who has ultimate responsibility for cloud security, most notably whether it is solely the responsibility of the cloud provider, or if the end user carries the primary burden.

But whether or not a company is more secure operating in the cloud, as opposed to operating on-premise, largely depends on the relative effectiveness of how on-premise security is handled, according to Ponemon.

"Smaller organizations often benefit greatly from cloud security because what they're currently doing in terms of in-house security is really not that great," Ponemon told CRN. Bigger companies have the resources to buy the latest and greatest technologies. Smaller companies also often improve their security profile by moving from on premises to the cloud."

NEXT: Effective Access Control