Cloud computing providers: Clueless about security?

To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

Recent incidents made me doubt:

  • Amazon not only having significant downtime but in the same time losing customer data.
  • Sony’s game network being significantly compromised.

This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

If we look at this, it gives us a really scary picture of the industry – especially if I know how much effort we (and other Cloud provider) out into securing our customer’s data. If you look at the management summary, they say:

  • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
  • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
  • Buyer beware – on average providers of cloud computing technologies allocate10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
  • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
  • The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
  • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
  • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

What we should not think is, that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and as we state in our Cloud Computing Security Considerations paper:

Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what still is the customer’s responsibility and what can be transferred to the Cloud Provider.

If you consider the points in the study above, it means that you have to do the due diligence and looking into what the provider does to secure your data. Process transparency is key in this respect!

Roger