Does anyone care about cloud security? Actually, no.

Survey finds most providers don't protect data, because they don't think it's their job

Cloud computing vendors and customers may not be paying enough attention to security issues, according to a recent study by the Ponemon Institute, sponsored by CA Technologies.

The study, “Security of Cloud Computing Providers,” found security to be a low priority for cloud service providers – and, apparently, their customers. A whopping 73 percent of U.S. service providers and 75 percent of European providers responding to the survey said their cloud services did not substantially protect and secure confidential or sensitive information. Two-thirds of U.S. providers and 61 percent of European providers were unsure whether their solutions are meeting customers’ security requirements.

According to polled vendors, the primary reason customers purchased their solution was cost reduction (91 percent), ease of deployment (79 percent) and improved customer service (37 percent). Vendors believed improving security and complying with agreements and policies to be low priorities for customers.

Related story:

How standards could get cloud out of the 1970s

NIST guide tackles security challenges of public cloud computing

Another big reason for low security: the majority of cloud providers (69 percent) don’t believe it’s their responsibility. Even more worrisome: polled vendors said their systems and applications are not always evaluated for security threats prior to deployment to customers. In addition, a majority admitted they do not have dedicated security personnel to oversee the security of their cloud applications, infrastructure or platforms. On average, providers allocate 10 percent or less of their operational resources to security.

Last year, Ponemon released a similar study on cloud users. Comparing results from the two studies the firm concluded in the recent report that “neither the company that provides the services nor the company that uses cloud computing seem willing to assume responsibility for security in the cloud. In addition, cloud computing users admit they are not vigilant in conducting audits or assessments of cloud computing providers before deployment.”

Many federal, state and local government entities have already moved or are in the process of moving to a cloud environment. GCN reported May 5 on a resource that could help government IT with cloud security: the Distributed Management Task Force is working on developing specifications to help organizations audit their cloud systems, regardless of the provider.

About the Author

Kathleen Hickey is a freelance writer for GCN.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Mon, May 9, 2011

This is misleading. CA Technologies sponsored this research by Ponemon Institute. They should list the companies that they researched. Any top tier cloud computing provider that intends on gaining the trust and respect of their customers is going to provide best in class security. In a true multitenant cloud offering, the company is also protecting is own data on the same infrastructure. So the premise of the article does not hold weight against serious scrutiny. Just as all on premise security is different when it comes to people, processes, and technology, so is cloud security. It depends on the provider. Customers should do their due diligence for both options.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group