There is a gap between information security managers and compliance professionals in how they perceive cloud security issues and the controls that are necessary, according to a Ponemon study.
IT staff and compliance officials don't see eye-to-eye on cloud
security issues and on their organization's policies, according to a
recent report from Ponemon Institute.
In a survey of more than 1,000 professionals in the areas of
IT, information security, compliance and privacy, there was some
disagreement over who was responsible for defining, implementing and
enforcing cloud security requirements for the organization, researchers
from Ponemon Institute wrote in a report released Oct. 31. The survey
included 613 IT and information security professionals and 405
compliance and privacy professionals.
The report revealed a "gulf" between the two groups about
service provider controls, top security measures and roles and
responsibilities within the organization to ensure cloud security.
Approximately 21 percent of compliance professionals in the survey said
they were responsible for defining the requirements for their
organization, while 22 percent of IT staff felt the responsibility
should fall on the business unit leaders. Both groups said that
business unit leaders are responsible for enforcing the requirements
and no one group was responsible for implementing cloud security.
Ownership for cloud security is often "splintered," according
to Richard Gorman, CEO of encryption provider Vormetric, who sponsored
the study. "This makes it extremely difficult for organizations to
implement an enterprisewide data security strategy that incorporates
protection for sensitive information in the cloud," Gorman said.
Organizations still assume that cloud services are less secure
than on-premise computing, especially when it comes to data stored in
the infrastructure-as-a-service environment, the report found. However,
both groups perceived software as a service as being more secure.
Nearly half, or 49 percent, of the compliance professionals in the
survey said infrastructure-as-a-service providers were as secure as the
organization's internal, on-premise data centers, but only 33 percent
of the IT professionals felt the same way. While 42 percent of
compliance experts felt their organizations had sufficient policies and
procedures to enable IaaS security, only 34 percent of the IT staff
IT respondents were "more concerned" about security in the
cloud than compliance respondents, the researchers found. Despite
concerns about security, evaluating the cloud provider's security
measures was considered a low priority, or not a priority at all, by 59 percent
of IT professionals in the report. In contrast, 56 percent of
compliance officials said it was a very high, or high, priority.
Organizations are "at risk" because of the lack of vetting and
monitoring of cloud providers, the report found. More than half of the
respondents said their organizations' internal audit review processes
did not provide feedback on the cloud infrastructure's security.
Researchers were "surprised" by the different attitudes toward
cloud security among IT practitioners and compliance officers,
according to Larry Ponemon, chairman and founder of the Ponemon
The two groups also disagreed on the types of security measures
organizations should use to protect data stored in the cloud. IT
practitioners said data should be encrypted to make sure the
information was unreadable by cloud service providers. Compliance
officers felt the primary goal of encryption should be to enforce a
separation of duties to prevent IT administrators from accessing data
they do not need.
Regardless of the purpose, it doesn't seem as if organizations are
following through, since less than one-third of respondents said their
organizations encrypt data and files in the cloud. Most of the
organizations in the survey used firewalls, antivirus software and
identity and access management tools to protect information in the
cloud environment, according to the report.