
Security of Cloud Computing Users

A Study of Practitioners in the US & Europe

Sponsored by CA
Independently conducted by Ponemon Institute LLC
Publication Date: 12 May 2010

Ponemon Institute© Research Report


Security of Cloud Computing Users
Prepared by Dr. Larry Ponemon, 12 May 2010

I. Executive Summary

CA and Ponemon Institute are pleased to present the results of the Security of Cloud Computing
Users study. This paper represents the first of a two-part series on security of cloud applications,
infrastructure and platforms. We also have a second study that focuses on cloud computing
providers located in the United States and Europe. This study will be released in the coming
months.

Cloud computing is being heralded as an important trend in information technology throughout
the world. Benefits for business and IT include reducing costs and increasing productivity. The
downside is that many organizations are moving swiftly to the cloud without making sure that the
information they put in the cloud is secure.

The purpose of the study is to learn from IT and IT security practitioners in the US and Europe the
current state of cloud computing security in their organizations and the most significant changes
anticipated by respondents as computing resources migrate from on-premise to the cloud. As
organizations grapple with how to create a secure cloud computing environment, we believe the
findings from this study can provide guidance on how to address business and technology risks
exacerbated by cloud computing. Specifically, in this study cloud computing users evaluate
security technologies and control practices they believe are best deployed either on-premise or in
the cloud. We also asked cloud computing users to rate the types of sensitive or confidential
information too risky to be moved to the cloud.

Cloud computing has been defined as the use of a collection of distributed services, applications,
information and infrastructure comprised of pools of computer, network, information and storage
resources. These components can be rapidly orchestrated, provisioned, implemented and
decommissioned using an on-demand utility-like model of allocation and consumption.[1] Cloud
service delivery models are Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS).

We surveyed 642 and 283 IT practitioners (a.k.a. cloud computing users) located in the US and
Europe, respectively. We queried these individuals about the following topics:

• The perceptions about the security of cloud computing within organizations.
• How organizations in our study are using SaaS, PaaS and IaaS and how important these
  resources are to achieving corporate data processing objectives.
• The reasons for using cloud computing resources.
• Who is responsible for ensuring a secure cloud computing environment.
• How the security posture of cloud computing compares to on-premise.
• The security technologies that respondents see as most important to securing the cloud.
• What respondents see as their organization’s primary cloud computing security risks.
• Types of sensitive or confidential information too risky to be moved to the cloud.

[1] See Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Computing Architectural
Framework, Cloud Security Alliance, p. 15, April 2009.


• Most significant changes anticipated as computing resources migrate from on-premise to the
  cloud.
• How effective organizations are in achieving a secure IT environment for data, applications
  and infrastructure managed on-premise versus obtained from cloud service providers.
• What enabling security technologies should continue to be deployed on-premise and what
  technologies should be deployed as a service from the cloud.
• What system control activities are necessary for organizations to secure information assets
  and the IT infrastructure.
• What security risks are most salient to organizations as they quickly migrate from on-premise
  to cloud computing resources.
• How organizations deal with “critical areas of focus” for organizations deploying cloud
  computing resources as identified by the Cloud Security Alliance (CSA).[2]

Following is a summary of the most salient findings from our study of cloud computing users. We
expand upon each one of these findings in the next section of the paper.

• IT practitioners (respondents) lack confidence in their organizations’ ability to secure data and
  applications deployed in cloud computing environments (especially public clouds).
• Organizations in the US are more likely than those in Europe to deploy business-critical
  applications, IT platforms and IT infrastructure services in the cloud.
• IT practitioners in both the US and Europe hold similar views on the reasons for using cloud
  computing resources as well as a plethora of security issues caused by rapid migration from
  on-premise to cloud computing environments.
• IT practitioners in both the US and Europe admit they do not have complete knowledge of all
  the cloud computing resources deployed within their organizations today. This occurs
  because cloud computing deployment decisions are often made by end-users without
  conducting a thorough review for security.
• Because cloud computing deployment decisions are decentralized (especially SaaS),
  respondents see end-users (or business management) as more responsible for ensuring a
  safe cloud computing environment than corporate IT.
• IT practitioners in both the US and Europe rate the security posture of on-premise computing
  resources as substantially higher than comparable computing resources in the cloud.
• IT practitioners believe the security risks most difficult to curtail in the cloud computing
  environment include: securing the physical location of data assets and restricting privileged
  user access to sensitive data.
• IT practitioners believe critical areas of focus as their organizations migrate from on-premise
  to cloud computing environments concern access governance, identity and access
  management, business continuity and disaster recovery planning, and e-discovery.

[2] Ibid, footnote 1.


II. Key Findings

This section provides the most important findings. Whenever feasible, we provide a simple
graphic to illustrate the result. A tabular presentation may be provided as an alternative
illustration when the result is too complex to graph.

1. Attributions about cloud computing security

Table 1 reports five attributions concerning respondents’ views about the security of cloud
computing within their organizations. Please note respondents were given a five-point scale
ranging from strongly agree to strongly disagree to rate each statement. The percentages shown
in Table 1 are the combined strongly agree and agree responses (a.k.a. favorable view).

Table 1
Attributions about cloud computing security (strongly agree and agree combined)

Statement | US | Europe | Combined
My organization assesses the impact cloud computing has on the ability to protect and secure confidential or sensitive information. | 44% | 56% | 50%
My organization does not use cloud computing applications that are not thoroughly vetted for security risks. | 41% | 60% | 51%
My organization is vigilant in conducting audits or assessments of cloud computing resources before deployment. | 36% | 57% | 47%
My organization is proactive in assessing information that is too sensitive to be stored in the cloud. | 38% | 64% | 51%
My organization’s security leaders are most responsible for securing our organization’s safe use of cloud computing resources. | 27% | 38% | 32%

Bar Chart 1 provides a graphical representation of the favorable views for respondents in the US
and Europe. Results clearly show respondents in Europe hold more favorable perceptions about
the state of cloud computing security than their US counterparts. Several of the average
percentages are below the 50 percent (scale midpoint), thus suggesting many respondents hold
unfavorable views about cloud computing security in their organizations.

Bar Chart 1
Five attributions about cloud computing security
[Bar chart of the US and Europe favorable-response percentages for the five statements in Table 1:
proactive in assessing information too sensitive for the cloud (US 38%, Europe 64%); does not use
cloud applications unless thoroughly vetted for security risks (US 41%, Europe 60%); assesses the
impact of cloud computing on the ability to protect confidential or sensitive information (US 44%,
Europe 56%); vigilant in conducting audits or assessments before deployment (US 36%, Europe 57%);
security leaders are most responsible for safe use of cloud computing resources (US 27%, Europe 38%).]


From the above chart, only 27 percent of US respondents and 38 percent of European
respondents believe their organization’s security leaders are most responsible for ensuring safety
in cloud computing environments. Thirty-eight percent of US respondents say their organizations
are proactive in assessing information too sensitive to be stored in the cloud. In contrast, 64
percent of European respondents hold a more favorable impression.

Only 36 percent of US respondents believe their organizations are vigilant in conducting audits or
assessments of cloud computing resources before deployment. Fifty-seven percent of European
respondents hold this favorable perception. While not shown in the above chart, 55 percent of US
respondents and 44 percent of European respondents are not confident that they know all cloud
computing applications, platforms or infrastructure services in use today. This finding suggests
the consumerization of IT creates a void in the organization’s ability to evaluate cloud computing
security.

2. Cloud computing experience

This section compares US and European experience deploying SaaS, PaaS and IaaS cloud
computing resources. Bar Chart 2 shows that US organizations have a higher usage rate for
software, platform and infrastructure services than organizations in Europe.

Bar Chart 2
Use rates for SaaS, IaaS and PaaS cloud computing resources
[Bar chart of use rates for PaaS, IaaS and SaaS resources, US vs. Europe; values range from 33% to 67%,
with the US higher than Europe for each of the three resource types.]

As shown in Bar Chart 3, respondents’ organizations in the US and Europe use cloud computing
resources to accomplish business-critical IT or data processing activities.

Bar Chart 3
Percentage of business-critical applications or services from the cloud
[Bar chart of the percentage of business-critical applications or services obtained from PaaS, IaaS and
SaaS resources, US vs. Europe; values range from 9% to 22%.]


As noted in both Bar Charts 2 and 3, SaaS resources are the most frequently used cloud
computing resources for respondents in the US and Europe. According to respondents, the
dependency on cloud computing resources to meet business-critical needs is expected to
increase significantly over the next two years in the US and Europe.

A majority of respondents believe the responsibility for security rests within their organizations.
However, as shown in Bar Chart 4, there is a percentage of respondents who say the cloud
computing vendor is “most responsible” for ensuring security. This perceived responsibility of
cloud providers varies considerably with SaaS at the highest percentage and PaaS at the lowest
percentage.

Bar Chart 4
The cloud computing provider is most responsible for ensuring security
Combined US and Europe results

SaaS resources 42%
IaaS resources 34%
PaaS resources 21%

As noted in Bar Chart 5, about half of all respondents acknowledge that SaaS, IaaS and PaaS
resources are not evaluated for security prior to deployment within their organizations.

Bar Chart 5
Are cloud computing resources evaluated for security prior to deployment?
Percentage Yes response
[Bar chart of the Yes percentage for PaaS, IaaS and SaaS resources, shown for the U.S., Europe and
the combined sample; values range from 45% to 66%.]

3. Reasons for using cloud computing resources

Respondents in the US and Europe generally agree on the reasons why their organizations are
deploying cloud computing resources. For respondents in the US, the top four reasons are: 78
percent to reduce cost, 56 percent to achieve faster deployment time, 50 percent to increase
efficiency, and 45 percent to increase flexibility and choice.


For respondents in Europe, the top four reasons are: 67 percent to reduce cost, 62 percent to
increase efficiency, 58 percent to achieve faster deployment time, and 31 percent to increase
flexibility and choice. Bar Chart 6 provides the combined US and European results. As shown,
only 14 percent believe that cloud computing will actually improve security.

Bar Chart 6
Reasons for migrating corporate IT to the cloud computing environment
Combined US and Europe results

Reduce cost 73%
Faster deployment time 57%
Increase efficiency 56%
Increase flexibility and choice 38%
Improve security 14%
Improve customer service 13%

4. Who is responsible for ensuring a secure cloud computing environment

Bar Chart 7 reports the frequency of respondents who say they are not aware of all cloud
computing resources deployed within their organizations today, showing about half are not
confident about their level of knowledge.

Bar Chart 7
How confident are you that your organization knows all cloud computing resources in use today?

Confident & very confident: US 45%, Europe 56%, Combined 50%
Not confident: US 55%, Europe 44%, Combined 50%

The “consumerization of IT” causes security experts to be excluded from the evaluation and
vetting process and this in turn causes a lack of confidence among IT practitioners. Hence, we
believe this is a main reason why they believe end-users or business unit management (rather
than IT security) are most responsible for ensuring a safe and secure cloud computing
environment.

Thus, for respondents in the US, the functions believed to be most responsible for ensuring a
safe and secure cloud computing environment are: end-users (75 percent), business unit
management (69 percent), information security (29 percent), and corporate IT (23 percent). For
Europe, the most responsible functions include: end-users (62 percent), business unit
management (58 percent), corporate IT (35 percent), and information security (31 percent).

Bar Chart 8 provides the combined results for US and Europe, showing that most respondents
generally agree end-users, business unit management, and IT (which includes information
security) need to take a proactive role in ensuring cloud computing security. In contrast, 25
percent believe no one person has primary responsibility.

Bar Chart 8
Job functions most responsible for ensuring a safe and secure cloud computing environment
Combined US and Europe results

End-users 69%
Business unit management 64%
Information technology* 59%
No one person is responsible 25%
Compliance 11%
Legal 10%

*Please note that the Information technology (IT) category combines corporate IT and information security.

5. The security posture of cloud computing is perceived by US and European respondents
as lower than on-premise computing

In this section, we conducted a rating of the organizations’ security posture using 25 attributes or
features of a typical security program or initiative. For respondents in the US, the issues identified
as having the most serious impact on their organization’s security posture as a result of cloud
computing are as follows, in order of importance (most important first):

• Not knowing where information assets are physically located
• Inability to limit physical access to IT infrastructure
• Inability to enforce security policies
• Inability to identify and properly authenticate users before granting access rights
• Inability to secure sensitive or confidential information at rest

For respondents in Europe, the most important issues affecting their organizations’ security
posture as a result of cloud computing are, in order of importance (most important first):

• Inability to limit physical access to IT infrastructure
• Inability to conduct independent audits
• Inability to identify and properly authenticate users before granting access rights
• Inability to enforce security policies
• Inability to prevent data loss or theft



Based on prior research, we utilized a list of 25 features that are known to affect the security
posture of private and public sector organizations.[3] As shown in Table 2, these 25 security
features are used to determine differences between on-premise and cloud computing resources.
The percentages within the columns “on-premise” and “in the cloud” are the ratings from
respondents who say they are confident or very confident that their organizations can achieve
this security feature in either environment.

The difference column is simply on-premise minus the cloud for each one of the 25 attributes. A
positive difference means respondents, on average, have a higher confidence level for on-premise
than in the cloud. A negative difference means the opposite. Because the column percentages are
rounded, a few differences are one point off the subtraction of the displayed values. Finally, these
25 differences are ranked and ordered from the largest positive difference to the largest negative
difference.

Table 2
Attributions that define an effective IT security posture
Confident and very confident responses for US and Europe samples

Attribute | On-premise | In the cloud | Difference | Rank
Limit physical access to IT infrastructure | 84% | 48% | 36% | 1
Know where information assets are physically located | 73% | 48% | 25% | 2
Identify and authenticate users before granting access to information assets or IT infrastructure | 59% | 37% | 22% | 3
Conduct independent audits | 65% | 43% | 22% | 4
Enforce security policies | 73% | 53% | 20% | 5
Secure sensitive or confidential information at rest | 50% | 33% | 17% | 6
Prevent or curtail system-level connections from insecure endpoints | 62% | 49% | 14% | 7
Prevent or curtail data loss or theft | 64% | 50% | 13% | 8
Ensure security program is adequately managed | 64% | 52% | 12% | 9
Prevent or curtail external attacks | 45% | 36% | 9% | 10
Ensure security governance processes are effective | 76% | 68% | 8% | 11
Secure vendor relationships before sharing information assets | 43% | 36% | 7% | 12
Encrypt sensitive or confidential information assets whenever feasible | 48% | 43% | 6% | 13
Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others | 69% | 63% | 5% | 14
Comply with all legal requirements | 77% | 72% | 5% | 15
Prevent or curtail viruses and malware infection | 85% | 79% | 5% | 16
Perform patches to software promptly | 56% | 51% | 5% | 17
Monitor network/traffic intelligence | 69% | 64% | 5% | 18
Conduct training and awareness for all system users | 64% | 60% | 3% | 19
Secure sensitive or confidential information in motion | 70% | 66% | 3% | 20
Control all live data used in development and testing | 52% | 49% | 3% | 21
Secure endpoints to the network | 62% | 59% | 3% | 22
Access to highly qualified IT security personnel | 83% | 81% | 2% | 23
Determine the root cause of cyber attacks | 47% | 51% | -4% | 24
Prevent or curtail system downtime and business interruption | 60% | 66% | -6% | 25
Average | 64% | 54% | 10% |

[3] These 25 attributes have been developed by PGP Corporation and Ponemon Institute in its annual
encryption trends survey to define the security posture of responding organizations. These features have
been validated from more than 20 independent studies conducted since June 2005. For more information,
please contact Ponemon Institute at research@ponemon.org.


As noted in Table 2, only two attributes – namely, determining the root cause of cyber attacks and
preventing or curtailing system downtime – enjoy higher confidence ratings in the cloud than on-
premise. The fact that 23 out of 25 attributes yield positive differences suggests respondents view
the on-premise computing environment as more secure than the cloud.

Bar Chart 9 summarizes our analysis by providing a comparison of the average confidence level
response for all 25 attributes for US and European respondents. As shown, both US and
European respondents express a higher level of confidence for on-premise versus cloud.

Bar Chart 9
Overall security posture differences between on-premise and cloud computing environments
Percentage reflects the average percentage confidence level for all 25 security features listed in Table 2
[Bar chart of average confidence on-premise vs. in the cloud for Europe and the US; both regions
average 63% on-premise versus 52% to 56% in the cloud.]

Bar Chart 10 provides a summary of the five security features yielding the most significant
differences between on premise versus cloud computing environments.

Bar Chart 10
Security features with the most significant differences between on-premise and cloud computing
Combined US and Europe results

Security feature | On premise | In the cloud
Limit physical access to IT infrastructure | 84% | 48%
Enforce security policies | 73% | 53%
Know where information assets are physically located | 73% | 48%
Conduct independent audits | 65% | 43%
Identify and authenticate users before granting access to information assets or IT infrastructure | 59% | 37%


6. Security technologies respondents see as most important for securing the cloud

Respondents were asked to rate 25 enabling security technologies in terms of whether a
particular solution is important to achieving security in the cloud computing environment. As can
be seen, respondents rate network intelligence systems and virtual private networks as their top
choices, followed by log management, identity federation, encryption for data at rest and user
management and provisioning as the most important technologies.

Bar Chart 11
Technologies believed to be most important in securing the cloud computing environment
Important & very important response for US and Europe combined

Network intelligence systems 64%
Virtual private network (VPN) 64%
Log management 62%
Identity federation 51%
Encryption for data at rest 45%
User management and provisioning 45%

Bar Chart 12 provides a summary of the technologies that respondents see as least important to
securing cloud computing resources. Here we see database scanning, wireless encryption,
endpoint solutions, access governance systems, encryption for data in motion and whitelisting as
more appropriately being deployed on-premise.

Bar Chart 12
Technologies best deployed on-premise
US and Europe results combined

Database scanning and monitoring 7%
Encryption for wireless communication 8%
Endpoint solutions 9%
Access governance systems 12%
Encryption for data in motion 13%
Whitelisting solutions 20%

Similar to the above analysis for enabling technologies, we examined the control procedures that
respondents believe can be deployed by cloud providers as a service. For respondents in the
US, the top five security control activities that should be deployed from the cloud are (in order
of importance, most important first): certifications such as PCI DSS, ISO, and NIST, training of data
handlers, surveillance of data center operations, quality assurances and help desk activities.

For respondents in Europe, the top five security control activities as a possible service from cloud
providers include (in order of importance, most important first): certification such as PCI DSS, ISO,
NIST and others, help desk activities, external audit, surveillance of data center operations, and
quality assurances.

7. What respondents see as their organizations’ primary cloud computing security risks

Table 3 summarizes the combined US and European results for seven known security risk areas
in the cloud computing environment as predicted by leading IT analysts. We once again compute
the difference between on-premise and cloud to determine if these risk areas are more salient in
the cloud environment. Clearly, the differences for all seven attributes are positive, suggesting
that respondents believe these security risk areas are more salient in the cloud environment.

Table 3
Seven cloud computing security risks. Each cell represents respondents’ confidence level for IT operations
(1) on-premise and (2) in the cloud.

Confident & very confident (combined) that risk area is properly managed | On-premise | In the cloud | Difference
Ensure the physical location of data assets are in secure environments | 56% | 33% | 22%
Restrict privileged user access to sensitive data | 48% | 29% | 19%
Ensure compliance with all applicable privacy and data protection regulations and laws | 67% | 54% | 13%
Ensure long-term viability and availability of IT resources | 51% | 40% | 12%
Ensure recovery from significant IT failures | 60% | 50% | 10%
Ensure proper data segregation requirements are met | 53% | 45% | 8%
Investigate inappropriate or illegal activity | 55% | 48% | 8%
Average | 56% | 43% | 13%

Bar Chart 13 illustrates the difference in confidence levels for the combined US and European sample in
terms of their organizations’ ability to effectively respond to each security risk.

Bar Chart 13
Seven known security risks in the cloud computing environment
Confident and very confident responses for US and Europe combined

Risk area | On premise | In the cloud
Compliance with all applicable regulations and laws | 67% | 54%
Recovery from significant IT failures | 60% | 50%
Inappropriate or illegal activity | 55% | 48%
Proper data segregation requirements are met | 53% | 45%
Long-term viability and availability of IT resources | 51% | 40%
Data assets are in secure physical environments | 56% | 33%
Privileged user access to sensitive data | 48% | 29%


For respondents in the US, the top three risk areas with the largest differences between on-
premise and cloud computing (largest difference first) are:

• Ensuring the physical location of data assets are in secure environments
• Restricting privileged user access to sensitive data
• Ensuring proper data segregation requirements are met

For respondents in Europe, the top three risk areas with the largest differences between on-
premise and cloud computing (largest difference first) are:

• Ensuring the physical location of data assets are in secure environments
• Restricting privileged user access to sensitive data
• Ensuring compliance with all applicable privacy and data protection regulations and laws

8. What types of sensitive or confidential information are too risky for the cloud

We asked respondents to rate different information or data types in terms of risk to their
organizations. For respondents in the US, following are data assets that respondents believe are
too risky for the cloud computing environment.

• 68% financial information
• 68% intellectual property
• 55% health information
• 50% non-financial business confidential information
• 43% credit card information

For Europe, following are data assets that respondents believe are too risky for the cloud.

• 68% intellectual property
• 66% health information
• 65% employee records
• 55% financial information
• 50% non-financial business confidential information

It is interesting to note that employee records are deemed more risky for respondents in Europe
and financial information is deemed more risky for respondents in the US. Sixty-eight percent of
respondents in the US and Europe view intellectual property such as source code as too risky for
the cloud. Bar Chart 14 lists the most risky data types for the combined US and Europe samples.

Bar Chart 14
The types of confidential or sensitive information too risky for the cloud
US and Europe results combined

Intellectual property 68%
Financial business information 62%
Health information 61%
Employee records 53%
Non-financial business information 51%
Credit card information 44%


9. Most significant changes anticipated by US and European respondents as computing
resources migrate from on-premise to the cloud

The Cloud Security Alliance (CSA) has established 14 “areas of focus” that organizations need to
manage as IT and data processing operations migrate from on-premise to the cloud computing
environment.[4] Respondents were asked to rate the importance of each area of focus based on
their extant experiences in the cloud environment.

Bar Chart 15 provides the top five most critical areas of focus for respondents in the US and
Europe. The percentage shown in each bar represents the average important or very important
response of respondents. As can be seen, identity and access management and business
continuity and disaster recovery are viewed as the top most important security issues.

Bar Chart 15
The top five critical areas of focus for organizations migrating to the cloud environment
Important & very important response for US and Europe combined

Identity and access management 50%
Business continuity and disaster recovery 47%
Procedures for electronic discovery 46%
Compliance and audit 40%
Encryption and key management 39%

The top five critical areas of focus for US respondents are: identity and access management,
business continuity and disaster recovery, compliance and audit, procedures for e-discovery, and
encryption and key management. Similarly, for respondents in Europe, the top five critical areas
of focus are procedures for e-discovery, identity and access management, business continuity
and disaster recovery, encryption and key management, and data center operations.

[4] Ibid, footnote 1.


III. Methods

Our study involved two independent sampling frames consisting of IT and IT security practitioners
located in the United States and Europe. In total, more than 11,000 individuals in the US and
4,700 individuals in certain European countries were asked to participate in a web-based survey.
As noted in Table 4, our final samples for respondents in the US and Europe are 642 and 283,
respectively. One screening question was used to terminate respondents who did not have the
requisite knowledge or experience in cloud computing domains.

Table 4: Sample response | US | Europe | Total
Sample frame | 11,015 | 4,718 | 15,733
Invitations sent | 10,450 | 4,298 | 14,748
Returned surveys | 713 | 329 | 1,042
Rejections for reliability | 71 | 46 | 117
Final sample (after screening) | 642 | 283 | 925
Response rates | 5.8% | 6.0% | 5.9%

Pie Chart 1 reports the percentage frequencies of countries where European respondents are
located. As can be seen, the UK (34 percent) and Germany (22 percent) represent the two
largest segments for the European sample.

Pie Chart 1
Country locations of respondents in the European sample
[Pie chart: United Kingdom 34%, Germany 22%; the remaining 44% is split among France, the
Netherlands, Switzerland, Spain, Italy and other countries, with no single segment above 13%.]

Table 5 reports the organizational level of respondents in both the US and European samples. As
shown, a majority of respondents are at or above the supervisory level in their organizations.

Table 5
Respondents’ organizational level | US | Europe | Combined
Vice President or executive | 1% | 2% | 2%
Director | 18% | 17% | 18%
Manager | 25% | 19% | 22%
Supervisor | 19% | 23% | 21%
Staff or technician | 32% | 34% | 33%
Contractor | 3% | 2% | 3%
Other | 2% | 3% | 3%
Total | 100% | 100% | 100%


Table 6 reports the respondents’ reporting channel or chain of command. As can be seen, a
majority of respondents report through their organization’s CIO (54 percent), CISO (14 percent)
or CTO (10 percent).

Table 6: Respondents’ reporting channel | US | Europe | Combined
Chief Information Officer | 53% | 54% | 54%
Chief Information Security Officer | 16% | 12% | 14%
Chief Technology Officer | 9% | 11% | 10%
Chief Risk Officer | 6% | 7% | 7%
General Counsel | 4% | 0% | 2%
Compliance Officer | 3% | 5% | 4%
Chief Financial Officer | 2% | 4% | 3%
Director of Internal Audit | 2% | 2% | 2%
Chief Security Officer | 2% | 2% | 2%
Other | 2% | 0% | 1%
Total | 100% | 100% | 100%

Pie Chart 2 reports the industry distribution of respondents’ organizations. Financial services (19
percent), government (15 percent), retail (9 percent) and healthcare and pharmaceuticals (8
percent) represented the largest industry segments.

Pie Chart 2
Industry distribution of respondents’ organizations
Combined US and Europe results
[Pie chart not reproduced in this text version; segments: Financial services (19%), Government (15%), Retail (9%), Health & pharma (8%), Technology, Communications, Industrial, Transportation, Education, Services, Research, Defense, Media.]

In total, US respondents have, on average, 12.5 years of overall experience and 12 years in
either IT or IT security. Respondents in Europe had, on average, 14.2 years of experience and
13.1 years in IT or IT security.

Table 7 reports the worldwide headcount of respondent organizations, which is used as a
surrogate for organizational size. As reported, a majority of respondents work in larger-sized
organizations with more than 10,000 employees.

Table 7: Worldwide headcount of respondents’ organizations US Europe Combined
Less than 500 people 5% 9% 7%
500 to 1,000 people 9% 12% 11%
1,001 to 5,000 people 13% 18% 16%
5,001 to 10,000 people 25% 23% 24%
10,001 to 25,000 people 21% 20% 21%
25,001 to 75,000 people 15% 15% 15%
More than 75,000 people 12% 3% 8%
Total 100% 100% 100%

IV. Caveats

There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most Web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable
returned responses. Despite non-response tests, it is always possible that individuals who did
not participate are substantially different in terms of underlying beliefs from those who
completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which
the list is representative of individuals who are IT or IT security practitioners. We also
acknowledge that the results may be biased by external events such as media coverage. We
also acknowledge bias caused by compensating subjects to complete this research within a
holdout period. Finally, because we used a Web-based collection method, it is possible that
non-Web responses by mailed survey or telephone call would result in a different pattern of
findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated
into the survey process, there is always the possibility that a subject did not provide a truthful
response.

V. Recommendations & Conclusion

The findings of our study suggest users of cloud computing resources may be putting their
organizations in peril as a consequence of insecure cloud computing applications, infrastructure
and platforms. As noted in this research, cloud computing deployment decisions are frequently
made by end-users who may not have the knowledge or expertise to properly evaluate security
risks. Without vetting procedures that involve IT security practitioners or other learned experts,
organizations may find that mission-critical applications are operating in insecure environments.

Despite this finding, we believe security should not be entirely the responsibility of the end-user.
Instead, IT should embrace the inevitability of cloud computing. Security in the cloud is a shared
responsibility between the cloud provider and the enterprise. IT security vendors, cloud users,
and cloud providers need to collaborate to build security into cloud environments. To make this
work, transparency is needed to ensure that cloud providers have accountability in ensuring a
safe IT environment for cloud users.

Admittedly, enhancing security practices will likely increase the cost of cloud computing
resources, which diminishes one of the main reasons for choosing the cloud. Despite this
concern, we believe many organizations will pay a premium to cloud providers that are known to
be secure. When it is difficult to ascertain the cloud provider’s level of security, organizations will
seek alternative solutions to help minimize security risks. To minimize this possibility, we propose
a four-pronged approach to mitigating security risk, as follows:

• First, take an inventory of all cloud computing resources in use today and assess the risk
they pose to the organization’s security posture. This assessment process should involve a
core team led by corporate IT or security (depending on the expertise required).

• Second, for all high-risk cloud applications, decide whether to discontinue their use or to
allocate more resources to make them more secure.

• Third, develop policies and procedures that require knowledgeable people such as the
company’s IT security function to evaluate the security posture of all future cloud computing
providers.

• Fourth, to avoid bottlenecks in the process, procedures should enable mission-critical
applications to be vetted as a priority before moving to a secure cloud environment.

Our research shows that IT and IT security practitioners generally agree on the areas of focus
that organizations need to consider before migrating to the cloud. These include:

• Ensuring access rights, especially for privileged users, are effectively managed in the cloud
computing environment.

• Taking steps to locate sensitive or confidential data after deployment to the cloud.

• Establishing oversight and control practices to ensure mission-critical applications and
sensitive data too risky to move to the cloud are kept on-premise.

• Modifying plans for business continuity, disaster recovery and e-discovery as information
assets and critical infrastructure move to the cloud.

• Building control practices to thoroughly vet cloud providers before deploying their services.

• Educating end-users on the security risks associated with cloud computing.

• Establishing the right mix of enabling technologies and control practices to ensure that the
migration from on-premise to cloud environments is executed safely and securely.

In our study, only 14 percent of respondents believe that cloud computing will actually improve
their organization’s security posture. This low percentage means that there is a significant
opportunity for cloud computing providers to refute this perception and demonstrate that their IT
infrastructure is equal or superior to on-premise computing environments. The shift to cloud
computing provides an opportunity to increase security for the varied applications, platforms and
infrastructure offerings.

While on-premise computing is not without inherent security risks, cloud computing poses new
threats and challenges that need to be seriously considered before adoption. In conclusion, our
next study on providers of cloud computing software, platforms and infrastructure will examine
how the community of users and providers can best work together to establish practices that
enable safety and security in the cloud.

Appendix 1: Survey Details

Fieldwork for the US and Europe concluded on March 26, 2010. All work was independently
conducted by Ponemon Institute.

Cloud user study


Sample response US Europe
Sample frame 11,015 4,718
Invitations sent 10,450 4,298
Returned surveys 713 329
Rejections for reliability 71 46
Final sample 642 283
Response rates 5.8% 6.0%

I. Screening
Q1. Does your organization use cloud computing resources? US Europe
Yes 551 250
No (stop) 91 33
Total 642 283

Q2. What best describes your organization’s cloud computing deployment approach? Please check one US Europe
Use mostly public clouds 419 198
Use mostly private clouds 56 42
Use a combination of public and private clouds (hybrid) 76 10
Total 551 250

II. Attributions about cloud computing security (strongly agree & agree combined) US Europe
Q3a. My organization assesses the impact cloud computing has on the ability to protect and secure confidential or sensitive information. 44% 56%
Q3b. My organization does not use cloud computing applications that are not thoroughly vetted for security risks. 41% 60%
Q3c. My organization is vigilant in conducting audits or assessments of cloud computing resources before deployment. 36% 57%
Q3d. My organization is proactive in assessing information that is too sensitive to be stored in the cloud. 38% 64%
Q3e. My organization’s security leaders are most responsible for securing our organization’s safe use of cloud computing resources. 27% 38%

III. Cloud computing experience

Q4a. Does your organization use SaaS resources from cloud computing providers? US Europe
Yes 67% 62%
No 23% 31%
Unsure 10% 7%
Total 100% 100%

Q4b. If yes, what percent of your organization’s business-critical applications utilizes SaaS versus conventional software applications? US Europe
Less than 10% 17% 15%
Between 11 to 20% 21% 32%
Between 21 to 30% 18% 11%
Between 31 to 40% 10% 6%
Between 40 to 50% 8% 5%
Between 50 to 75% 6% 3%
Between 76 to 90% 1% 0%
More than 90% 1% 1%
Don’t know 18% 27%
Total 100% 100%
Extrapolated value 22% 16%

Q4c. In your opinion, who is most responsible for ensuring the security of SaaS applications used within your organization? US Europe
My company’s end-users are most responsible 23% 9%
My company’s IT function is most responsible 14% 28%
My company’s IT security function is most responsible 9% 10%
The cloud computing provider is most responsible 40% 43%
Responsibility is shared between my company and the cloud computing provider 12% 8%
Don’t know 2% 3%
Total 100% 100%

Q4d. How important is the use of SaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 40% 34%
Over the next two years (important & very important combined) 67% 62%

Q4e. How confident are you that SaaS applications used within your organization are secure? US Europe
Confident & very confident response (combined) 49% 60%

Q4f. Are SaaS applications evaluated for security prior to deployment within your organization? US Europe
Yes 45% 61%
No 37% 28%
Don’t know 18% 12%
Total 100% 100%

Q5a. Does your organization use IaaS resources from cloud computing providers? US Europe
Yes 53% 46%
No 40% 41%
Unsure 7% 13%
Total 100% 100%

Q5b. If yes, what percent of your organization’s business-critical computing utilizes IaaS versus on-premise infrastructure services? US Europe
Less than 10% 35% 45%
Between 11 to 20% 18% 13%
Between 21 to 30% 7% 9%
Between 31 to 40% 5% 4%
Between 40 to 50% 3% 2%
Between 50 to 75% 5% 1%
Between 76 to 90% 0% 0%
More than 90% 1% 0%
Don’t know 26% 26%
Total 100% 100%
Extrapolated value 14% 11%

Q5c. In your opinion, who is most responsible for ensuring the security of IaaS resources used within your organization? US Europe
My company’s end-users are most responsible 30% 28%
My company’s IT function is most responsible 20% 21%
My company’s IT security function is most responsible 8% 10%
The cloud computing provider is most responsible 32% 36%
Responsibility is shared between my company and the cloud computing provider 5% 3%
Don’t know 5% 2%
Total 100% 100%

Q5d. How important is the use of IaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 22% 25%
Over the next two years (important & very important combined) 54% 48%

Q5e. How confident are you that IaaS resources used within your organization are secure? (very confident & confident combined) US Europe
Confident & very confident response (combined) 50% 56%

Q5f. Are IaaS resources evaluated for security prior to deployment within your organization? US Europe
Yes 51% 66%
No 29% 23%
Don’t know 20% 11%
Total 100% 100%

Q6a. Does your organization use PaaS resources from cloud computing providers? US Europe
Yes 35% 33%
No 50% 59%
Unsure 15% 8%
Total 100% 100%

Q6b. If yes, what percent of your organization’s business-critical resources utilizes PaaS versus on-premise platform services? US Europe
Less than 10% 40% 61%
Between 11 to 20% 21% 9%
Between 21 to 30% 10% 2%
Between 31 to 40% 5% 4%
Between 40 to 50% 0% 0%
Between 50 to 75% 2% 1%
Between 76 to 90% 0% 0%
More than 90% 1% 0%
Don’t know 21% 23%
Total 100% 100%
Extrapolated value 13% 9%

Q6c. In your opinion, who is most responsible for ensuring the security of PaaS resources used within your organization? US Europe
My company’s end-users are most responsible 16% 9%
My company’s IT function is most responsible 25% 32%
My company’s IT security function is most responsible 11% 11%
The cloud computing provider is most responsible 23% 19%
Responsibility is shared between my company and the cloud computing provider 15% 17%
Don’t know 10% 12%
Total 100% 100%

Q6d. How important is the use of PaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 20% 21%
Over the next two years (important & very important combined) 55% 53%

Q6e. How confident are you that PaaS resources used within your organization are secure? (confident & very confident combined) US Europe
Confident & very confident response (combined) 48% 51%

Q6f. Are PaaS resources evaluated for security prior to deployment within your organization? US Europe
Yes 46% 52%
No 31% 26%
Don’t know 23% 22%
Total 100% 100%

Q7. What are the primary reasons why cloud computing resources are used within your organization? Please select only three choices. US Europe
Reduce cost 78% 67%
Increase efficiency 50% 62%
Improve security 12% 15%
Faster deployment time 56% 58%
Increase flexibility and choice 45% 31%
Improve customer service 12% 14%
Comply with contractual agreements or policies 9% 11%
Other 2% 0%
Total 264% 258%

Q8. How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today? US Europe
Confident & very confident response (combined) 45% 56%

Q9. Which individuals or functions within your organization are responsible for ensuring cloud computing providers are safe and secure? Please select no more than three choices. US Europe
End-users 75% 62%
Business unit management 69% 58%
Corporate IT 23% 35%
Compliance 9% 12%
Legal 10% 9%
Procurement 5% 2%
Internal audit 2% 0%
Information security 29% 31%
Physical security 2% 5%
No one person is responsible 23% 27%
Other 2% 3%
Total 249% 244%

IV. Security posture
The following matrix lists 25 attributions that define an effective IT
security environment. Please assess the effectiveness of your
organization’s IT security environment for: (1) on-premises and (2)
in-cloud applications, platforms and infrastructure. The four-point
scale provided to the right of each attribute should be used to define
your level of confidence in being able to accomplish the stated
security requirement.
US security objectives (confident & very confident combined) On-premise In the cloud
Determine the root cause of cyber attacks 49% 47%
Know where information assets are physically located 82% 40%
Secure sensitive or confidential information at rest 54% 32%
Secure sensitive or confidential information in motion 74% 72%
Secure endpoints to the network 64% 58%
Identify and authenticate users before granting access to information assets or IT infrastructure 58% 34%
Secure vendor relationships before sharing information assets 41% 36%
Prevent or curtail data loss or theft 62% 51%
Prevent or curtail external attacks 43% 39%
Limit physical access to IT infrastructure 87% 46%
Ensure security governance processes are effective 79% 66%
Prevent or curtail system downtime and business interruption 61% 65%
Prevent or curtail system-level connections from insecure endpoints 63% 46%
Comply with all legal requirements 75% 64%
Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others 70% 66%
Prevent or curtail viruses and malware infection 83% 78%
Perform patches to software promptly 54% 49%
Control all live data used in development and testing 55% 48%
Enforce security policies 76% 52%
Access to highly qualified IT security personnel 85% 81%
Conduct training and awareness for all system users 67% 61%
Conduct independent audits 65% 45%
Ensure security program is adequately managed 63% 41%
Monitor network/traffic intelligence 67% 52%
Encrypt sensitive or confidential information assets whenever feasible 50% 40%
Average 65% 52%

The following matrix lists 25 attributions that define an effective IT
security environment. Please assess the effectiveness of your
organization’s IT security environment for: (1) on-premises and (2)
in-cloud applications, platforms and infrastructure. The four-point
scale provided to the right of each attribute should be used to define
your level of confidence in being able to accomplish the stated
security requirement.
Europe security objectives (confident & very confident combined) On-premise In the cloud
Determine the root cause of cyber attacks 46% 55%
Know where information assets are physically located 64% 57%
Secure sensitive or confidential information at rest 45% 33%
Secure sensitive or confidential information in motion 66% 61%
Secure endpoints to the network 59% 59%
Identify and authenticate users before granting access to information assets or IT infrastructure 59% 39%
Secure vendor relationships before sharing information assets 46% 37%
Prevent or curtail data loss or theft 65% 49%
Prevent or curtail external attacks 47% 33%
Limit physical access to IT infrastructure 81% 50%
Ensure security governance processes are effective 73% 69%
Prevent or curtail system downtime and business interruption 59% 67%
Prevent or curtail system-level connections from insecure endpoints 62% 52%
Comply with all legal requirements 79% 79%
Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others 67% 61%
Prevent or curtail viruses and malware infection 87% 81%
Perform patches to software promptly 57% 52%
Control all live data used in development and testing 50% 50%
Enforce security policies 69% 54%
Access to highly qualified IT security personnel 81% 80%
Conduct training and awareness for all system users 60% 60%
Conduct independent audits 65% 41%
Ensure security program is adequately managed 65% 64%
Monitor network/traffic intelligence 71% 76%
Encrypt sensitive or confidential information assets whenever feasible 47% 46%
Average 63% 56%

Q10b. In my organization, cloud computing presents a more secure environment than on-premise computing. US Europe
Strongly agree & agree (combined) 29% 33%

Q11a. US Sample: Please review the following list of 25 enabling security technologies that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Access governance systems 65% 12% 23%
Anti-virus & anti-malware 43% 42% 15%
Correlation or event management 50% 43% 7%
Data loss prevention (DLP) 56% 8% 36%
Database scanning and monitoring 45% 45% 10%
Encryption for data at rest 45% 17% 38%
Encryption for data in motion 30% 38% 32%
Encryption for wireless communication 49% 47% 4%
Endpoint solutions 75% 11% 14%
Firewalls 43% 45% 12%
Identity federation 34% 35% 31%
ID & credentialing system 62% 35% 3%
Identity & access management (IAM) 45% 8% 47%
Intrusion detection or prevention 30% 62% 8%
Log management 42% 17% 41%
Network intelligence systems 36% 59% 5%
Patch management 25% 52% 24%
Perimeter or location surveillance 16% 67% 17%
Privileged password management 62% 28% 10%
Service oriented architecture (SOA) security 27% 58% 15%
Single sign-on (SSO) 24% 33% 42%
User management and provisioning 50% 33% 17%
Virtual private network (VPN) 37% 35% 28%
Whitelisting solutions 58% 17% 25%
Web application firewalls (WAF) 32% 31% 37%
Average 43% 35% 22%

Q11a. Europe Sample: Please review the following list of 25 enabling security technologies that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Access governance systems 61% 5% 34%
Anti-virus & anti-malware 39% 24% 37%
Correlation or event management 35% 27% 38%
Data loss prevention (DLP) 75% 15% 10%
Database scanning and monitoring 40% 42% 18%
Encryption for data at rest 65% 23% 12%
Encryption for data in motion 20% 51% 29%
Encryption for wireless communication 50% 42% 8%
Endpoint solutions 78% 5% 18%
Firewalls 48% 17% 35%
Identity federation 30% 35% 34%
ID & credentialing system 70% 11% 19%
Identity & access management (IAM) 54% 7% 40%
Intrusion detection or prevention 20% 63% 17%
Log management 40% 27% 32%
Network intelligence systems 23% 68% 9%
Patch management 29% 50% 21%
Perimeter or location surveillance 22% 60% 19%
Privileged password management 58% 27% 15%
Service oriented architecture (SOA) security 31% 25% 44%
Single sign-on (SSO) 29% 25% 46%
User management and provisioning 59% 33% 8%
Virtual private network (VPN) 31% 24% 45%
Whitelisting solutions 59% 10% 31%
Web application firewalls (WAF) 25% 23% 52%
Average 44% 30% 27%

Q11b. In general, the above enabling security technologies should be provided as a service from the cloud. U.S. Europe
Strongly agree and agree combined 54% 50%

Q12. US Sample: Please review the following list of 17 system control activities that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Background checks of privileged users 76% 6% 18%
Certifications (such as PCI DSS, ISO, NIST and others) 36% 51% 13%
Communications 81% 16% 3%
Controls assessment 58% 17% 25%
External audit 59% 29% 12%
Helpdesk activities 43% 30% 27%
IT audit 9% 10% 81%
Monitoring changes in regulatory requirements 90% 3% 7%
Policies and procedures 78% 3% 19%
Quality assurances 44% 31% 25%
Redress and enforcement 75% 12% 13%
Surveillance 37% 34% 29%
Training of data handlers 31% 36% 33%
Training of end users 57% 30% 12%
Training of security practitioners 90% 3% 7%
Vetting and monitoring of third parties 50% 7% 42%
Average 57% 20% 23%

Q12. Europe Sample: Please review the following list of 17 system control activities that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Background checks of privileged users 56% 7% 37%
Certifications (such as PCI DSS, ISO, NIST and others) 34% 54% 11%
Communications 90% 5% 5%
Controls assessment 55% 10% 35%
External audit 53% 32% 15%
Helpdesk activities 25% 49% 26%
IT audit 72% 13% 15%
Monitoring changes in regulatory requirements 90% 5% 6%
Policies and procedures 91% 5% 4%
Quality assurances 50% 22% 27%
Redress and enforcement 89% 5% 6%
Surveillance 32% 30% 38%
Training of data handlers 80% 12% 8%
Training of end users 86% 3% 11%
Training of security practitioners 96% 2% 2%
Vetting and monitoring of third parties 75% 13% 12%
Average 67% 17% 16%

Q13. Please rate your organization’s ability to mitigate or
significantly curtail this risk for IT operations (1) on-premises and (2)
in the cloud. The four-point scale provided to the right of each
attribute should be used to define your level of confidence in being
able to mitigate or curtail each risk area from 1 = very confident, 2 =
confident, 3 = somewhat confident, 4 = not confident

Q13. US Sample. Seven cloud computing security risks (confident & very confident combined) On-premises In the cloud
Restrict privileged user access to sensitive data 45% 28%
Ensure compliance with all applicable privacy and data protection regulations and laws 63% 56%
Ensure the physical location of data assets are in secure environments 58% 37%
Ensure proper data segregation requirements are met 56% 45%
Ensure recovery from significant IT failures 57% 55%
Investigate inappropriate or illegal activity 55% 52%
Ensure long-term viability and availability of IT resources 53% 48%
Average 55% 46%

Q13. Europe Sample. Seven cloud computing security risks (confident & very confident combined) On-premises In the cloud
Restrict privileged user access to sensitive data 50% 29%
Ensure compliance with all applicable privacy and data protection regulations and laws 72% 52%
Ensure the physical location of data assets are in secure environments 53% 29%
Ensure proper data segregation requirements are met 50% 46%
Ensure recovery from significant IT failures 63% 46%
Investigate inappropriate or illegal activity 55% 43%
Ensure long-term viability and availability of IT resources 49% 31%
Average 56% 39%

Q14. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud? US Europe
Consumer data 21% 30%
Customer information 34% 45%
Credit card information 43% 44%
Employee records 41% 65%
Health information 55% 66%
Non-financial confidential business information 50% 52%
Financial business information 68% 55%
Intellectual property such as source code, design plans, architectural renderings 68% 71%
Research data 36% 39%
Other (please specify) 2% 0%
None of the above 31% 15%
Average 41% 44%

Q15. What types of business applications does your organization
consider too risky to be processed and housed in the cloud? US Europe
Sales and CRM applications 21% 33%
ERP applications 23% 30%
Human resource and payroll applications 30% 54%
Financial and accounting applications 41% 52%
Engineering applications 20% 40%
Manufacturing applications 32% 39%
Logistics applications 11% 25%
Scheduling and time management applications 9% 36%
Communication applications 14% 35%
Other 3% 5%
Average 20% 35%

Q16. Are members of your security team involved in determining the use of certain cloud applications or platforms? US Europe
Always & most of the time combined. 31% 35%

Q17. The Cloud Security Alliance (CSA) has advanced the following
14 areas as “critical areas of focus” for organizations deploying cloud
computing resources. For each critical area of focus listed below,
please rate the significance of change to your IT operations as your
organization migrates from on-premises IT to cloud computing
environments.
Change on IT operations (significant and very significant combined) US Europe
Governance and enterprise risk management 34% 33%
Legal and contracting issues 12% 20%
Procedures for electronic discovery 40% 51%
Compliance and audit 45% 35%
Information lifecycle management 21% 19%
Portability and interoperability 20% 15%
Business continuity and disaster recovery 50% 43%
Data center operations 10% 35%
Incident response, notification and remediation 12% 30%
Application security 21% 15%
Encryption and key management 35% 43%
Identity and access management 51% 49%
Storage operations 12% 15%
Virtualization operations 16% 22%
Average 27% 30%

Q18. IT leaders of my organization are concerned about the security of cloud computing resources. US Europe
Strongly agree & agree combined 51% 55%

V. Organization characteristics and respondent demographics
D1. What organizational level best describes your current position? US Europe
Senior Executive 0% 2%
Vice President 1% 0%
Director 18% 17%
Manager 25% 19%
Supervisor 19% 23%
Staff or technician 32% 34%
Contractor 3% 2%
Other 2% 3%
Total 100% 100%

D2. Check the Primary Person you or your supervisor reports to within your organization. US Europe
CEO/Executive Committee 0% 0%
Chief Financial Officer 2% 4%
Chief Information Officer 53% 54%
Chief Information Security Officer 16% 12%
Compliance Officer 3% 5%
Chief Privacy Officer 1% 0%
Director of Internal Audit 2% 2%
General Counsel 4% 0%
Chief Technology Officer 9% 11%
Human Resources Leader 0% 3%
Chief Security Officer 2% 2%
Chief Risk Officer 6% 7%
Other 2% 0%
Total 100% 100%

D3. Geographic region (location of respondent) US Europe
United States 69% 0%
United Kingdom 0% 11%
Germany 0% 7%
France 0% 4%
Netherlands 0% 3%
Switzerland 0% 2%
Spain 0% 2%
Italy 0% 2%
Other 0% 1%
Total 69% 31%

D4. Age of respondent US Europe
Less than 25 years 5% 5%
26 to 35 years 34% 28%
36 to 45 years 30% 31%
46 to 55 years 19% 20%
56 to 65 years 9% 11%
More than 65 years 3% 5%
Total 100% 100%

Experience US Europe
D5a. Total years of business experience 12.53 14.15
D5b. Total years in IT or data security 11.9 13.06
D5c. Total years in current position 4.5 5.1

D6. Educational and career background: US Europe
Compliance (auditing, accountant, legal) 11% 14%
IT (systems, software, computer science) 56% 52%
Security (law enforcement, military, intelligence) 14% 20%
Other non-technical field 6% 10%
Other technical field 13% 4%
Total 100% 100%

D7. What industry best describes your organization’s industry concentration or focus? US Europe
Airlines 3% 4%
Automotive 5% 2%
Agriculture 0% 0%
Brokerage 3% 2%
Cable 2% 0%
Chemicals 3% 2%
Credit Cards 3% 3%
Defense 3% 1%
Education 4% 5%
Entertainment 1% 3%
Services 1% 2%
Health Care 5% 1%
Hospitality & Leisure 2% 3%
Manufacturing 4% 1%
Insurance 5% 3%
Internet & ISPs 1% 1%
Government 10% 14%
Pharmaceutical 4% 5%
Professional Services 1% 5%
Research 1% 5%
Retail 8% 9%
Banking 13% 11%
Energy 1% 3%
Telecommunications 4% 5%
Technology & Software 2% 5%
Transportation 4% 1%
Wireless 5% 4%
Total 100% 100%

D8. What best describes your role in managing data protection and
security risk in your organization? Check all that apply. US Europe
Setting priorities 59% 62%
Managing budgets 56% 55%
Selecting vendors and contractors 51% 48%
Determining privacy and data protection strategy 48% 50%
Evaluating program performance 46% 51%
Average 52% 53%

D9. What is the worldwide headcount of your organization? US Europe
Less than 500 people 5% 9%
500 to 1,000 people 9% 12%
1,001 to 5,000 people 13% 18%
5,001 to 10,000 people 25% 23%
10,001 to 25,000 people 21% 20%
25,001 to 75,000 people 15% 15%
More than 75,000 people 12% 3%
Total 100% 100%

Please contact Ponemon Institute at research@ponemon.org if you have any questions or
concerns about this research. Thank you for your interest in our work.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research). Furthermore,
we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.
