Cloud Storage Security Isn't as Solid as Vendors Want You to Believe

NEWS ANALYSIS: Recent surveys show that businesses are feeling confident about cloud security. Anyone care for a grain of salt?

In cloud storage land, it's all roses, sunny skies and rock-solid security with fewer employees frittering away less time on securing data€”that is, if you trust vendor-funded studies.

For example, Microsoft released on May 14 a study that shows that 35 percent of small and midsize businesses have experienced higher levels of security in the cloud. (Whatever that means; I requested the full study to seek more granular detail, but neither Microsoft nor study preparer comScore had answered by the time this was published.)

Security management time for these lucky organizations is also reduced by 18 hours a week, according to comScore's report summary. However, does that mean per information security professional or per company? This isn€™t explained.

But how does that compare to noncloud SMBs? The surveyed SMBs told comScore that they spent an average of 19 hours per week managing IT security, compared with noncloud SMBs, which on average spent 25 hours.

So that means that before they move storage into the cloud these SMBs spent a whopping 37 hours per week (19 plus the reported savings of 18 hours = 37 hours total) managing security, compared with the 25 hours that noncloud SMBs spend.

Does that mean that cloud users are in the habit of spending so much more time managing security than their noncloud peers? Does it mean they're more frequently victimized by cyber-threats? Does it mean they're somehow not doing security right?

These results might point to a large number of SMBs turning to cloud because they're simply overwhelmed by the task of security management€”small wonder, given the amount of time it's sucking up for them.

This hypothesis is backed up by the fact that 41 percent of the surveyed cloud users felt that their cloud service provider was "entirely responsible for information security," according to the report summary.

The numbers paint an image of overburdened SMBs, desperate to offload their entire security burden to somebody else. Fortunately, a larger number, 57 percent, felt they shared responsibility with their cloud provider.

And that's exactly where organizations' heads should be when it comes to cloud storage security, because you just can't wipe your hands clean of certain elements of cloud security. As the report notes, organizations that turn to cloud still need to retain, for example, responsibility for client security.

It's in cloud service providers' interest, of course, to spin the data to show that security worries about embracing cloud storage are easing. Left out of the service providers' rosy picture, of course, are situations such as the MegaUpload debacle, in which millions of users who stored data on the file-sharing service faced losing their documents forever when the law shut the site down for copyright infringement.

Interestingly enough, when Sophos polled conference attendees about cloud storage riskiness at Infosec Europe in April, 64 percent of the respondents said they thought that cloud storage is risky, but 45 percent said they still went right ahead and used it.