Study: Cloud Security Improving But Far From Fixed

According to a recent study, organizations have improved their cloud security practices over the past three years, but security continues to be a major concern around cloud adoption.

The research was conducted by the Ponemon Institute, which surveyed 748 professionals in information technology and IT security. All of the respondents resided in the U.S., and most were rated at supervisory level or higher. The research was commissioned by CA Technologies as a follow-up to a similar study conducted in 2010.

The findings suggest that security practices have been improved over the past three years, but there continues to be widespread concern about the effectiveness of those practices. The study also revealed that security is a key criterion in the public cloud provider selection process in only approximately half of the responding organizations.

[Related: Gartner: Cloud, CRM To Drive SoftwareSpend Through 2014 ]

"In general we conclude that there is evidence of improvement from a security point of view, both in terms of Software-as-a-Service and in terms of Infrastructure-as-a-Service," said Dr. Larry Ponemon, founder of the Ponemon Institute. "When we did a comparable study two years ago, security was a somewhat bigger issue and the people in the organization that were doing cloud were actually doing insecure cloud. The main issue to drive cloud is cost-efficiency, which continues to reign supreme, but we see that a lot of organizations are starting to think about and implement better security measures. It's a small improvement overall, but an improvement nonetheless."

Ponemon added that one of the changes most urgently needed would be a move toward a higher role for security personnel in the cloud provider selection process.

"One of the issues that hasn't changed very much since 2010 is the lack of a role for security professionals in selecting the cloud provider," he said. "They're just not being asked very often, which is a mistake because these people should be the first line of defense. It should not be decided by end users who don't really understand security."

Meanwhile, the report cites a lack of agreement regarding who has ultimate responsibility for cloud security, most notably whether it is solely the responsibility of the cloud provider, or if the end user carries the primary burden.

But whether or not a company is more secure operating in the cloud, as opposed to operating on-premise, largely depends on the relative effectiveness of how on-premise security is handled, according to Ponemon.

"Smaller organizations often benefit greatly from cloud security because what they're currently doing in terms of in-house security is really not that great," Ponemon told CRN. Bigger companies have the resources to buy the latest and greatest technologies. Smaller companies also often improve their security profile by moving from on premises to the cloud."

NEXT: Effective Access Control

Concerns about authentication are also very commonplace. According to the survey, only 29 percent of the respondents expressed confidence in their organizations' ability to identify and authenticate users before granting access to cloud resources or infrastructure. This is a decrease from 34 percent in the 2010 study. Meanwhile, confidence in the authentication procedures related to on-premise networks rated much higher at approximately 60 percent.

"Authentication and access management is a highly complex process under the best of circumstances, and when you introduce the cloud you add even more complexity," explained Ponemon. "Adding the cloud to the mix creates a big mess. Companies are starting to look at different options and one of those options is to have basically one system that regulates both cloud and on premises. These hybrid concepts appear to be very appealing to the respondents."

Overall, Ponemon recommended that solution providers advising cloud customers focus on two critical areas. The first is the relative security of each respective cloud provider, and the second is taking a careful approach to what types of applications and data are used in the cloud.

"The first thing I would do is to try to ascertain whether the cloud provider is certified based on a reasonable security standard, like an ISO27001, or NIST standard or FISMA," he said. "A certification is a good indicator, but it's not a great indicator because certifications can be outdated, or they can target issues that are not relevant to that particular customer. Channel partners should also make sure that there's a clear understanding about who is responsible for security. Lately there has been a lot of security systems built specifically for the cloud, such as various types of encryption technologies, or the ability to switch off ports when some form of anomaly is detected. Beyond that, you should think twice about whether to let sensitive data go to the cloud. But in general each company has to make that decision on their own."

PUBLISHED MARCH 8, 2013