Who Is Responsible for Cloud Security?

Grazed from IT Business Edge.  Author: Sue Marquette Poremba.

On the tails of the Sony and Amazon breaches, a recent Ponemon Institute report had some very sobering news.

 

The study, “Security of Cloud Computing Providers," was sponsored by CA Technologies and found the following issues involving cloud security:

 

• The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
• The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
• Buyer beware — on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
• Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

 

It doesn’t appear that anyone wants to take responsibility for security in the cloud and, hence, we end up with breaches like the kinds that happened with Sony and Amazon.

 

The lack of responsibility in cloud computing security is not new. As GCN reported:

Last year, Ponemon released a similar study on cloud users. Comparing results from the two studies the firm concluded in the recent report that “neither the company that provides the services nor the company that uses cloud computing seem willing to assume responsibility for security in the cloud. In addition, cloud computing users admit they are not vigilant in conducting audits or assessments of cloud computing providers before deployment."

What is a first step to improve cloud security? Encryption, said an article at OneStopClick.com. The article stated:

According to Francis deSouza, president of the Enterprise Security Group at Symantec, data security is the critical concern for all companies who want to leverage cloud computing and storage virtualization solutions to their advantage.

Responding to questions on a Washington Post question and answer forum, the cloud security expert said: "Encryption is the most important technology used to protect data stored in the cloud. Many cloud storage platforms provide some encryption as part of their solution."