Sponsored by CA
Independently conducted by Ponemon Institute LLC
Publication Date: 12 May 2010
I. Executive Summary
CA and Ponemon Institute are pleased to present the results of the Security of Cloud Computing
Users study. This paper is the first of a two-part series on the security of cloud applications,
infrastructure and platforms. The second study, which focuses on cloud computing providers
located in the United States and Europe, will be released in the coming months.
The purpose of the study is to learn from IT and IT security practitioners in the US and Europe the
current state of cloud computing security in their organizations and the most significant changes
anticipated by respondents as computing resources migrate from on-premise to the cloud. As
organizations grapple with how to create a secure cloud computing environment, we believe the
findings from this study can provide guidance on how to address business and technology risks
exacerbated by cloud computing. Specifically, in this study cloud computing users evaluate
security technologies and control practices they believe are best deployed either on-premise or in
the cloud. We also asked cloud computing users to rate the types of sensitive or confidential
information too risky to be moved to the cloud.
Cloud computing has been defined as the use of a collection of distributed services, applications,
information and infrastructure comprised of pools of computer, network, information and storage
resources. These components can be rapidly orchestrated, provisioned, implemented and
decommissioned using an on-demand utility-like model of allocation and consumption.[1] Cloud
service delivery models are Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS).
We surveyed 642 and 283 IT practitioners (a.k.a. cloud computing users) located in the US and
Europe, respectively. We queried these individuals about the following topics:
How organizations in our study are using SaaS, PaaS and IaaS and how important these
resources are to achieving corporate data processing objectives.
The security technologies that respondents see as most important to securing the cloud.
What respondents see as their organization's primary cloud computing security risks.
How effective organizations are in achieving a secure IT environment for data, applications
and infrastructure managed on-premise versus obtained from cloud service providers.
What enabling security technologies should continue to be deployed on-premise and what
technologies should be deployed as a service from the cloud.
What system control activities are necessary for organizations to secure information assets
and the IT infrastructure.
What security risks are most salient to organizations as they quickly migrate from on-premise
to cloud computing resources.
How organizations deal with "critical areas of focus" for organizations deploying cloud
computing resources as identified by the Cloud Security Alliance (CSA).[2]
[1] See Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Computing Architectural
Framework, Cloud Security Alliance, p. 15, April 2009.
Following is a summary of the most salient findings from our study of cloud computing users. We
expand upon each one of these findings in the next section of the paper.
IT practitioners (respondents) lack confidence in their organizations’ ability to secure data and
applications deployed in cloud computing environments (especially public clouds).
Organizations in the US are more likely than those in Europe to deploy business-critical
applications, IT platforms and IT infrastructure services in the cloud.
IT practitioners in both the US and Europe hold similar views on the reasons for using cloud
computing resources as well as a plethora of security issues caused by rapid migration from
on-premise to cloud computing environments.
IT practitioners in both the US and Europe admit they do not have complete knowledge of all
the cloud computing resources deployed within their organizations today. This occurs
because cloud computing deployment decisions are often made by end-users without
conducting a thorough review for security.
IT practitioners in both the US and Europe rate the security posture of on-premise computing
resources as substantially higher than comparable computing resources in the cloud.
IT practitioners believe the security risks most difficult to curtail in the cloud computing
environment include: securing the physical location of data assets and restricting privileged
user access to sensitive data.
IT practitioners believe critical areas of focus as their organizations migrate from on-premise
to cloud computing environments concern access governance, identity and access
management, business continuity and disaster recovery planning, and e-discovery.
[2] Ibid, footnote 1.
This section provides the most important findings. Whenever feasible, we provide a simple
graphic to illustrate the result. A tabular presentation may be provided as an alternative
illustration when the result is too complex to graph.
Table 1 reports five attributions concerning respondents' views about the security of cloud
computing within their organizations. Respondents were given a five-point scale ranging from
strongly agree to strongly disagree to rate each statement. The percentages shown in Table 1
are the combined strongly agree and agree responses (a.k.a. favorable view).
Table 1
Attributions about cloud computing security (strongly agree and agree combined)
Statement | US | Europe | Combined
My organization assesses the impact cloud computing has on the ability to protect and secure confidential or sensitive information. | 44% | 56% | 50%
My organization does not use cloud computing applications that are not thoroughly vetted for security risks. | 41% | 60% | 51%
My organization is vigilant in conducting audits or assessments of cloud computing resources before deployment. | 36% | 57% | 47%
My organization is proactive in assessing information that is too sensitive to be stored in the cloud. | 38% | 64% | 51%
My organization's security leaders are most responsible for securing our organization's safe use of cloud computing resources. | 27% | 38% | 32%
Bar Chart 1 provides a graphical representation of the favorable views for respondents in the US
and Europe. Results clearly show respondents in Europe hold more favorable perceptions about
the state of cloud computing security than their US counterparts. Several of the average
percentages are below the 50 percent (scale midpoint), thus suggesting many respondents hold
unfavorable views about cloud computing security in their organizations.
Bar Chart 1
Five attributions about cloud computing security
Only 36 percent of US respondents believe their organizations are vigilant in conducting audits or
assessments of cloud computing resources before deployment. Fifty-seven percent of European
respondents hold this favorable perception. While not shown in the above chart, 55 percent of US
respondents and 44 percent of European respondents are not confident that they know all cloud
computing applications, platforms or infrastructure services in use today. This finding suggests
the consumerization of IT creates a void in the organization’s ability to evaluate cloud computing
security.
This section compares US and European experience deploying SaaS, PaaS and IaaS cloud
computing resources. Bar Chart 2 shows that US organizations have a higher usage rate for
software, platform and infrastructure services than organizations in Europe.
Bar Chart 2
Use rates for SaaS, IaaS and PaaS cloud computing resources, US versus Europe [chart not reproduced]
As shown in Bar Chart 3, respondents’ organizations in the US and Europe use cloud computing
resources to accomplish business-critical IT or data processing activities.
Bar Chart 3
Percentage of business-critical applications or services from the cloud, US versus Europe [chart not reproduced]
A majority of respondents believe the responsibility for security rests within their organizations.
However, as shown in Bar Chart 4, there is a percentage of respondents who say the cloud
computing vendor is “most responsible” for ensuring security. This perceived responsibility of
cloud providers varies considerably with SaaS at the highest percentage and PaaS at the lowest
percentage.
Bar Chart 4
The cloud computing provider is most responsible for ensuring security
Combined US and Europe results
PaaS resources 21% | IaaS resources 34% | SaaS resources 42%
As noted in Bar Chart 5, about half of all respondents acknowledge that SaaS, IaaS and PaaS
resources are not evaluated for security prior to deployment within their organizations.
Bar Chart 5
Are cloud computing resources evaluated for security prior to deployment? Percentage Yes response for PaaS, IaaS and SaaS resources [chart not reproduced]
Respondents in the US and Europe generally agree on the reasons why their organizations are
deploying cloud computing resources. The top four reasons given by respondents in the US are:
to reduce cost (78 percent), to achieve faster deployment time (56 percent), to increase
efficiency (50 percent), and to increase flexibility and choice (45 percent).
Bar Chart 6
Reasons for migrating corporate IT to the cloud computing environment
Combined US and Europe results
Bar Chart 7 reports the frequency of respondents who say they are not aware of all cloud
computing resources deployed within their organizations today, showing about half are not
confident about their level of knowledge.
Bar Chart 7
How confident are you that your organization knows all cloud computing resources in use today?
Response | US | Europe | Combined
Confident or very confident | 45% | 56% | 50%
Not confident | 55% | 44% | 50%
The “consumerization of IT” causes security experts to be excluded from the evaluation and
vetting process and this in turn causes a lack of confidence among IT practitioners. Hence, we
believe this is a main reason why they believe end-users or business unit management (rather
than IT security) are most responsible for ensuring a safe and secure cloud computing
environment.
Thus, for respondents in the US, the functions believed to be most responsible for ensuring a
safe and secure cloud computing environment are: end-users (75 percent), business unit
Bar Chart 8 provides the combined results for US and Europe, showing that most respondents
generally agree end-users, business unit management, and IT (which includes information
security) need to take a proactive role in ensuring cloud computing security. In contrast, 25
percent believe no one person has primary responsibility.
Bar Chart 8
Job functions most responsible for ensuring a safe and secure cloud computing environment
Combined US and Europe results [chart not fully reproduced]
End-users 69%
Compliance 11%
Legal 10%
*Please note that the Information technology (IT) category combines corporate IT and information security.
In this section, we rated the organizations' security posture using 25 attributes or features of a
typical security program or initiative.[3] For respondents in the US, the issues identified as having
the most serious impact on their organization's security posture as a result of cloud computing
are as follows, in ascending order of importance:
For respondents in Europe, the most important issues affecting their organizations' security
posture as a result of cloud computing are, in ascending order of importance:
The difference column is simply on-premise minus cloud for each one of the 25 attributes. A
positive difference means respondents, on average, have a higher confidence level for on-premise
than for the cloud. A negative difference means the opposite. Finally, these 25 differences are
ranked and ordered from the largest positive difference to the largest negative difference.
[3] These 25 attributes have been developed by PGP Corporation and Ponemon Institute in its annual
encryption trends survey to define the security posture of responding organizations. These features have
been validated in more than 20 independent studies conducted since June 2005. For more information,
please contact Ponemon Institute at research@ponemon.org.
Bar Chart 9 summarizes our analysis by providing a comparison of the average confidence level
response for all 25 attributes for US and European respondents. As shown, both US and
European respondents express a higher level of confidence for on-premise versus cloud.
Bar Chart 9
Overall security posture differences between on-premise and cloud computing environments
Percentage reflects the average percentage confidence level for all 25 security features listed in Table 2, on-premise versus cloud, for US and Europe [chart not reproduced]
Bar Chart 10 provides a summary of the five security features yielding the most significant
differences between on premise versus cloud computing environments.
Bar Chart 10
Security features with the most significant differences between on-premise and cloud computing
Combined US and Europe results
Bar Chart 11
Technologies believed to be most important in securing the cloud computing environment
Important & very important response for US and Europe combined
Bar Chart 12 provides a summary of the technologies that respondents see as least important to
securing cloud computing resources. Here we see database scanning, wireless encryption,
endpoint solutions, access governance systems, encryption for data in motion and whitelisting as
more appropriately being deployed on-premise.
Bar Chart 12
Technologies best deployed on-premise
US and Europe results combined [chart not fully reproduced]
Endpoint solutions 9%
Similar to the above analysis for enabling technologies, we examined the control procedures that
respondents believe can be deployed by cloud providers as a service. For respondents in the
US, the top five security control activities that should be deployed from the cloud are (in
ascending order of importance): certifications such as PCI DSS, ISO, and NIST, training of data
handlers, surveillance of data center operations, quality assurances and help desk activities.
7. What respondents see as their organizations’ primary cloud computing security risks
Table 3 summarizes the combined US and European results for seven known security risk areas
in the cloud computing environment as predicted by leading IT analysts. We once again compute
the difference between on-premise and cloud to determine if these risk areas are more salient in
the cloud environment. Clearly, the differences for all seven attributes are positive, suggesting
that respondents believe these security risk areas are more salient in the cloud environment.
Table 3
Seven cloud computing security risks. Each cell represents respondents' confidence level for IT operations
(1) on-premise and (2) in the cloud.
Confident & very confident (combined) that risk area is properly managed | On-premise | In the cloud | Difference
Ensure the physical location of data assets are in secure environments | 56% | 33% | 22%
Restrict privileged user access to sensitive data | 48% | 29% | 19%
Ensure compliance with all applicable privacy and data protection regulations and laws | 67% | 54% | 13%
Ensure long-term viability and availability of IT resources | 51% | 40% | 12%
Ensure recovery from significant IT failures | 60% | 50% | 10%
Ensure proper data segregation requirements are met | 53% | 45% | 8%
Investigate inappropriate or illegal activity | 55% | 48% | 8%
Average | 56% | 43% | 13%
Bar Chart 13 illustrates the difference in confidence levels for US and European respondents in
terms of their organizations’ ability to effectively respond to each security risk.
Bar Chart 13
Seven known security risks in the cloud computing environment
Confident and very confident responses for US and Europe combined
For respondents in Europe, the top three risk areas with the largest differences between on-
premise and cloud computing (in ascending order):
8. What types of sensitive or confidential information are too risky for the cloud
We asked respondents to rate different information or data types in terms of risk to their
organizations. For respondents in the US, following are data assets that respondents believe are
too risky for the cloud computing environment.
For Europe, following are data assets that respondents believe are too risky for the cloud.
It is interesting to note that employee records are deemed more risky for respondents in Europe
and financial information is deemed more risky for respondents in the US. Sixty-eight percent of
respondents in the US and Europe view intellectual property such as source code as too risky for
the cloud. Bar Chart 14 lists the most risky data types for the combined US and Europe samples.
Bar Chart 14
The types of confidential or sensitive information too risky for the cloud
US and Europe results combined
The Cloud Security Alliance (CSA) has established 14 "areas of focus" that organizations need to
manage as IT and data processing operations migrate from on-premise to the cloud computing
environment.[4] Respondents were asked to rate the importance of each area of focus based on
their extant experiences in the cloud environment.
Bar Chart 15 provides the top five most critical areas of focus for respondents in the US and
Europe. The percentage shown in each bar represents the average important or very important
response of respondents. As can be seen, identity and access management and business
continuity and disaster recovery are viewed as the top most important security issues.
Bar Chart 15
The top five critical areas of focus for organizations migrating to the cloud environment
Important & very important response for US and Europe combined
The top five critical areas of focus for US respondents are: identity and access management,
business continuity and disaster recovery, compliance and audit, procedures for e-discovery, and
encryption and key management. Similarly, for respondents in Europe, the top five critical areas
of focus are procedures for e-discovery, identity and access management, business continuity
and disaster recovery, encryption and key management, and data center operations.
[4] Ibid, footnote 1.
Our study involved two independent sampling frames consisting of IT and IT security practitioners
located in the United States and Europe. In total, more than 11,000 individuals in the US and
4,700 individuals in certain European countries were asked to participate in a web-based survey.
As noted in the Executive Summary, our final samples for respondents in the US and Europe are
642 and 283, respectively. One screening question was used to terminate respondents who did
not have the requisite knowledge or experience in cloud computing domains.
Pie Chart 1 reports the percentage frequencies of countries where European respondents are
located. As can be seen, the UK (34 percent) and Germany (22 percent) represent the two
largest segments for the European sample.
Pie Chart 1
Country locations of respondents in the European sample [chart not fully reproduced]
United Kingdom 34%; Germany 22%; France, Netherlands, Switzerland, Spain, Italy and Other make up the remainder.
Table 5 reports the organizational level of respondents in both the US and European samples. As
shown, a majority of respondents are at or above the supervisory level in their organizations.
Table 5
Respondents' organizational level | US | Europe | Combined
Vice President or executive | 1% | 2% | 2%
Director | 18% | 17% | 18%
Manager | 25% | 19% | 22%
Supervisor | 19% | 23% | 21%
Staff or technician | 32% | 34% | 33%
Contractor | 3% | 2% | 3%
Other | 2% | 3% | 3%
Total | 100% | 100% | 100%
Pie Chart 2 reports the industry distribution of respondents' organizations across 14 sectors.
Financial services (19 percent), government (15 percent), retail (9 percent) and healthcare and
pharmaceuticals (8 percent) represent the largest industry segments.
Pie Chart 2
Industry distribution of respondents' organizations
Combined US and Europe results [chart not fully reproduced]
Financial services 19%; Government 15%; Retail 9%; Health & pharma 8%; Technology, Communications, Industrial, Transportation, Education, Services, Research, Defense and Media make up the remainder.
In total, US respondents have, on average, 12.5 years of overall experience and 12 years in
either IT or IT security. Respondents in Europe had, on average 14.2 years of experience and
13.1 years in IT or IT security.
IV. Caveats
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most Web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable
returned responses. Despite non-response tests, it is always possible that individuals who did
not participate are substantially different in terms of underlying beliefs from those who
completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which
the list is representative of individuals who are IT or IT security practitioners. We also
acknowledge that the results may be biased by external events such as media coverage. We
also acknowledge bias caused by compensating subjects to complete this research within a
holdout period. Finally, because we used a Web-based collection method, it is possible that
non-Web responses by mailed survey or telephone call would result in a different pattern of
findings.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated
into the survey process, there is always the possibility that a subject did not provide a truthful
response.
The findings of our study suggest users of cloud computing resources may be putting their
organizations in peril as a consequence of insecure cloud computing applications, infrastructure
and platforms. As noted in this research, cloud computing deployment decisions are frequently
made by end-users who may not have the knowledge or expertise to properly evaluate security
risks. Without vetting procedures that involve IT security practitioners or other learned experts,
organizations may find that mission-critical applications are operating in insecure environments.
Despite this finding, we believe security should not be entirely the responsibility of the end-user.
Instead, IT should embrace the inevitability of cloud computing. Security in the cloud is a shared
responsibility between the cloud provider and the enterprise. IT security vendors, cloud users,
and cloud providers need to collaborate to build security into cloud environments. To make this
work, transparency is needed to ensure that cloud providers have accountability in ensuring a
safe IT environment for cloud users.
Admittedly, enhancing security practices will likely increase the cost of cloud computing
resources, which diminishes one of the main reasons for choosing the cloud. Despite this
concern, we believe many organizations will pay a premium to cloud providers that are known to
be secure. When it is difficult to ascertain the cloud provider’s level of security, organizations will
seek alternative solutions to help minimize security risks. To minimize this possibility, we propose
a four-pronged approach to mitigating security risk, as follows:
First, take an inventory of all cloud computing resources in use today and assess the risk
they pose to the organization’s security posture. This assessment process should involve a
core team led by corporate IT or security (depending on the expertise required).
Second, for all high-risk cloud applications, decide whether to discontinue their use or to
allocate more resources to make them more secure.
Third, develop policies and procedures that require knowledgeable people such as the
company’s IT security function to evaluate the security posture of all future cloud computing
providers.
Our research shows that IT and IT security practitioners generally agree on the areas of focus
that organizations need to consider before migrating to the cloud. These include:
Ensuring access rights, especially for privileged users, are effectively managed in the cloud
computing environment.
Taking steps to locate sensitive or confidential data after deployment to the cloud.
Modifying plans for business continuity, disaster recovery and e-discovery as information
assets and critical infrastructure moves to the cloud.
Building control practices to thoroughly vet cloud providers before deploying their services.
In our study, only 14 percent of respondents believe that cloud computing will actually improve
their organization’s security posture. This low percentage means that there is a significant
opportunity for cloud computing providers to refute this perception and demonstrate that their IT
infrastructure is equal or superior to on-premise computing environments. The shift to cloud
computing provides an opportunity to increase security for the varied applications, platforms and
infrastructure offerings.
While on-premise computing is not without inherent security risks, cloud computing poses new
threats and challenges that need to be seriously considered before adoption. In conclusion, our
next study on providers of cloud computing software, platforms and infrastructure will examine
how the community of users and providers can best work together to establish practices that
enable safety and security in the cloud.
Fieldwork for the US and Europe concluded on March 26, 2010. All work was independently
conducted by Ponemon Institute.
I. Screening
Q1. Does your organization use cloud computing resources? | US | Europe
Yes | 551 | 250
No (stop) | 91 | 33
Total | 642 | 283
Q4e. How confident are you that SaaS applications used within your organization are secure? (confident & very confident combined) | US 49% | Europe 60%
Q5e. How confident are you that IaaS resources used within your organization are secure? (confident & very confident combined) | US 50% | Europe 56%
Q6e. How confident are you that PaaS resources used within your organization are secure? (confident & very confident combined) | US 48% | Europe 51%
Q8. How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today? (confident & very confident combined) | US 45% | Europe 56%
Q17. The Cloud Security Alliance (CSA) has advanced the following 14 areas as "critical areas of focus"
for organizations deploying cloud computing resources. For each critical area of focus listed below,
please rate the significance of change to your IT operations as your organization migrates from
on-premises IT to cloud computing environments.
Change on IT operations (significant and very significant combined) | US | Europe
Governance and enterprise risk management | 34% | 33%
Legal and contracting issues | 12% | 20%
Procedures for electronic discovery | 40% | 51%
Compliance and audit | 45% | 35%
Information lifecycle management | 21% | 19%
Portability and interoperability | 20% | 15%
Business continuity and disaster recovery | 50% | 43%
Data center operations | 10% | 35%
Incident response, notification and remediation | 12% | 30%
Application security | 21% | 15%
Encryption and key management | 35% | 43%
Identity and access management | 51% | 49%
Storage operations | 12% | 15%
Virtualization operations | 16% | 22%
Average | 27% | 30%
Experience (years) | US | Europe
D5a. Total years of business experience | 12.53 | 14.15
D5b. Total years in IT or data security | 11.9 | 13.06
D5c. Total years in current position | 4.5 | 5.1
D8. What best describes your role in managing data protection and security risk in your organization? (Check all that apply.) | US | Europe
Setting priorities | 59% | 62%
Managing budgets | 56% | 55%
Selecting vendors and contractors | 51% | 48%
Determining privacy and data protection strategy | 48% | 50%
Evaluating program performance | 46% | 51%
Average | 52% | 53%
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research). Furthermore,
we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.