Cloud Security Improving, but Still an Issue for Businesses: Ponemon

The report indicated there are conflicting views on who is most responsible for cloud security.

While businesses have improved their practices around cloud computing security, there are continued concerns about organizations’ use of security best practices and their awareness of the cloud services used within their organizations, according to the "Security of Cloud Computing Users 2013" study commissioned by CA Technologies and research firm Ponemon Institute.

When compared to a previous study from 2010, the latest study, based on survey of 748 IT and IT security practitioners in the United States, indicated progress. However, the report pointed to conflicting views on who is most responsible for cloud security, with a bias toward end users and IT security “getting a pass.”

The study also cited conflicting views in the case of best practices, such as vetting services for security risk, engaging the security team in determining cloud service use and assessing how a cloud service could affect data security.

The report indicated that while some organizations expect their cloud service providers to ensure the security of software as a service (SaaS) and infrastructure as a service (IaaS) applications (36 percent and 22 percent), a significant amount of the responsibility is assigned to companies’ end users (31 percent for SaaS and 21 percent for IaaS), and very little responsibility was assigned to IT security (8 percent for SaaS and 10 percent for IaaS).

"The survey shows a concerning lack of agreement remains regarding who has responsibility for cloud security," the report noted. "This relinquishment of responsibility points to a lack of clarity around ownership, which may lead to gaps in security processes and governance."

Although organizations today are more confident in the security of cloud computing and have put in place better security practices related to cloud use, the affirmative responses were only around half (50 percent) for questions involving cloud security best practices, confidence in cloud services and knowledge of the cloud services in use within an organization.

"While cloud computing is still one of the most disruptive and promising trends of the past decade, our study shows that cloud security struggles to get past a grade of 50 percent when it comes to best practices, including the percentage of organizations that say they engage their security teams in determining the use of cloud services," Mike Denning, CA Technologies general manager of security, said in a statement. "We believe that organizations can do better and gain the benefits of cloud computing by reducing risk and achieving that desired balance of protection and business enablement."

Only 29 percent of respondents have confidence in their organizations’ ability to identify and authenticate users before granting access to cloud resources or infrastructure, down from 34 percent of respondents in 2010. In contrast, there is much more confidence (60 percent of respondents) in the ability to identify and authenticate users in an on-premise environment.

"Confidence in and best practices for the security of cloud computing is improving but not as significantly as one might have expected since our 2010 study," Larry Ponemon, Ponemon Institute chairman and founder, said in a statement. "Our latest study offers organizations new data that should spark them to examine their own internal practices which could result in improvements in how they adopt and secure cloud services and applications."