Overcoming the Apprehension of Cloud Computing
Results from the 2012 Cloud Computing Security Survey
Survey Results Report

Also: Analysis and Insights on Top Security Concerns, Success Factors, Confronting Risk, Vetting Vendors and Ultimate Responsibility

© 2012 Information Security Media Group
From the Editor: Confronting Cloud Computing Anxiety

Ask IT security practitioners what their No. 1 concern about cloud computing is, and their most common answer, by far, is data protection. That concern – along with others such as enforcing security policies, maintaining an audit trail and meeting regulatory requirements – makes many organizations anxious about moving critical information and operations to the cloud.

No wonder many of the respondents to Information Security Media Group’s Cloud Computing Security Survey express hesitation about putting credit card, financial, health, personally identifiable and proprietary information, as well as intellectual property and trade and government secrets, on the cloud.

Despite their jitters, many IT security practitioners feel they have little choice but to pursue cloud computing options. Because of the perceived cost savings the cloud provides, their bosses see the cloud as a way to reduce IT expenses. Besides, IT security practitioners recognize that the cloud will play a crucial role in the future of enterprise computing, so they must identify and implement secure cloud computing practices. In fact, it’s already happening.

As you review the 2012 survey results, think about how to turn apprehension into resolve. In reality, many of the practices already employed to secure data and systems can be adapted to provide cloud security.

Questions to consider:
• What proven IT security practices can be adapted to work on the cloud?
• With whom should you partner – from within your own enterprise, third parties, industry colleagues and cloud providers – to safeguard your digital assets on the cloud?
• How can you use cloud computing contracts with vendors to protect your interest in safeguarding data on the cloud?

Please let me know how you answer these questions, and share other thoughts you have about the survey and cloud computing security. Your ideas are important in helping all of us at ISMG shape our evolving cloud computing security coverage.

Eric Chabrow
Executive Editor
Information Security Media Group
Contents

Introduction: What’s the Survey About? ... 4
Hot Topics ... 7
Sponsor’s Perspective ... 8
Survey Results ... 10
  Fundamental Concerns ... 10
  The Bottom Line ... 13
  Vetting the Vendor ... 14
  Confronting Risk ... 17
  Ultimate Responsibility ... 21
Scrutinizing the Cloud Provider ... 16
6 Principles for Effective Cloud Computing ... 19
The Agenda ... 22
Action Items ... 23
Resources ... 24

Implementing cloud computing effectively requires protecting information and preventing its loss.

Sponsored by CSC (NYSE: CSC), a trusted global leader in cybersecurity solutions, protecting some of the nation’s – and the world’s – most sensitive government and business systems and networks.
www.csc.com/cybersecurity
Introduction: What Is This Survey About?

No longer an emerging technology, cloud computing is taking off globally as a way to gain efficient access to critical applications, processes and storage.

Still, as the 2012 Cloud Computing Security Survey – Overcoming the Apprehension of Cloud Computing – shows, cloud initiatives are relatively new for many organizations. Nearly 1 in 3 survey respondents say their organizations are not using the cloud, a strikingly high percentage considering how quickly the computing platform is maturing. Distrust for its ability to secure data remains a high barrier for many organizations.

Types of Clouds: What cloud environments has your organization employed? (multiple answers allowed)
  Private: 54%
  None: 31%
  Public: 24%
  Hybrid: 24%
  Community: 15%

Security on the cloud is what worries most IT security practitioners. Nearly three-quarters of our respondents cite security as preventing their organizations from adopting cloud services.

Not Very Anxious: Do concerns about security prevent your organization from adopting cloud services?
  Yes: 72%
  No: 28%

And, because of their unease with the cloud, the promises the cloud presents in providing efficient and less costly secure IT solutions have fallen short. More than half of our respondents say their organizations have yet to achieve their cloud computing goals.
Achieving Objectives: Have your organization’s cloud goals been met?
  No: 30%
  Not much: 22%
  Yes: 18%
  Some: 18%
  Many: 12%

Despite jittery responses about the cloud’s security from many of the IT security professionals we questioned, the survey reveals that organizations are beginning to turn to the cloud to do much of what they’ve been doing all along, whether internally or contracting out to vendors using private networks to make the connection. Application hosting and e-mail/messaging are among the earliest offerings by cloud providers. The demand for data storage will only increase as the amount of data soars.

Popular Offerings: What cloud services does your organization have or will shortly deploy? (only top 5 listed)
  Application hosting: 34%
  E-mail/messaging: 34%
  Data storage: 29%
  Collaboration software: 25%
  Application development/testing: 23%
Cloud computing is revolutionizing the way businesses, not-for-profits and governments manage their information technology assets because of its potential to save organizations a significant amount of money and enable them to adopt new applications and scale systems to meet their computing needs.

We report a lot about cloud computing security on all of our editorial websites, and we wanted to examine not only cloud security concerns, but how security leaders addressed these concerns through policy, technology and improved vendor management. We asked survey respondents about their:

• Top Security Concerns: Were they more anxious about where their data are stored or whether a malicious insider might be a threat to it?
• Success Factors: On a scale with cost savings and availability of services, how did security rank among elements critical to a successful cloud computing implementation?
• Protective Measures: What were some of the practices organizations employed, from instituting more stringent contracts to enforcing third-party audits and participating in mock security exercises with cloud service providers?
• Ultimate Responsibility for Cloud Security: Lots of parties have roles in cloud computing: the IT and IT security organizations, business information owners and cloud providers. Who should be in charge to assure security?

The survey also covered cloud computing trends by industry and region, how senior leaders made their cloud decisions and top cloud-service investments projected for the coming year.

This survey was developed by the editorial staff of Information Security Media Group with the help of members of our brands’ Boards of Advisers, which include some of the most prominent experts in IT security and risk management. The global survey was fielded during the first quarter of 2012. Our respondents are involved with cloud computing decision-making within their organizations, determining strategies, establishing priorities, evaluating performance and picking providers; many also help determine their organizations’ IT and/or IT security budgets.
Hot Topics

Survey results unveil five key topics that will be explored in depth in this report:

Fundamental Concerns: Survey respondents cite security (27 percent) and costs (24 percent) as the primary considerations when organizations mull cloud use. We explore IT security practitioners’ greatest reservations as well as the knowledge and expertise most lacking in their organizations regarding the cloud.

The Bottom Line: The upside of cloud computing is cost savings: 76 percent of respondents say the cloud will save their organizations money. The survey reveals other benefits of the cloud, including better scalability and improved computing flexibility.

Vetting the Vendor: More than one-third of survey respondents say they employ a third party to attest to the security a cloud provider offers. As we show, organizations employ other ways to vet cloud providers, including conducting their own assessments.

Confronting Risk: Nearly 80 percent of survey respondents say security is a high priority when evaluating a cloud provider. Other risk factors organizations consider include not only whether, but how cloud providers employ encryption.

Taking Responsibility: Slightly more than half of our survey takers say the end-user organization – either the business-side/data owners or the IT or IT security organization – and not cloud providers have ultimate responsibility to ensure the security of cloud resources. We show 37 percent of respondents either have moved or plan to move critical systems to the cloud.
SPONSOR’S PERSPECTIVE

A Perspective on the 2012 Cloud Computing Security Survey
Samuel Sanders Visner, Vice President and Cyber Lead Executive, CSC

The 2012 Cloud Computing Security Survey conducted by Information Security Media Group reveals persistent concerns regarding the cybersecurity of cloud architectures and cloud adoption.

At the same time, particularly in today’s economic environment, it is becoming increasingly difficult for information technology professionals to deny the cost advantages and avoid completely the use of cloud architectures and infrastructures. Gaining these benefits means that we must understand these security concerns, and we must address them.

For those IT professionals and organization leaders responsible for the security of vital and sensitive information, cloud cybersecurity is an important challenge, serious enough that nearly one third of the survey’s respondents indicated that their organization had not employed any cloud architecture whatsoever, despite the powerful lure of cloud’s economic model. Respondents cited a number of concerns, including worries about data protection, issues related to the enforcement of security policy, and fears about data loss.

Data protection is a particularly important concern. Even data that’s publicly available should be protected if it’s used by companies, individuals, and governments to make daily and, in the case of “big data,” strategic decisions. Imagine the damage if that information suddenly became unreliable. Organizations need to ensure that their cybersecurity policies and protections cover information assurance – particularly as they seek to unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy, and national security. The survey shows we still have some way to go to allay these types of cybersecurity concerns.

The challenges cited in this survey are consistent with the larger need to define cloud architectures capable of dealing with the security challenges of embedded, industrial control systems and supervisory control and data acquisition (SCADA) systems that are the bedrock of utilities such as power, water, and transportation, as well as manufacturing. It’s noteworthy that even the Department of Defense Advanced Research Projects Agency (DARPA) has asked for ideas about how to securely extend cloud architectures to embedded systems used in military critical computing.

How can we best address the security concerns of these diverse organizations and help them gain the wide variety of benefits (cost, flexibility, scalability, advanced technology, etc.) offered by cloud? Here are some things to keep in mind:

• First, cloud providers must take a rigorous approach to cloud cybersecurity. Meeting strict security standards, such as those associated with the Federal Information Security Management Act, or FISMA, will take time and careful work. Providers should commit themselves to a disciplined and well-documented approach to meeting those controls.

• Second, information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers’ approach to meeting those controls. One way to be well informed regarding the controls required is to conduct a risk-based analysis of the value of critical information and systems, as well as the threats that exist to that information and those systems. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it. Remember, too, that while security standards will likely stay consistent, security challenges change frequently. Look for a cloud provider, therefore, that keeps up to speed regarding these challenges and has the means in place to adapt and address them.

• And, finally, have a long-term strategy that encompasses using the cloud incrementally. While the use of cloud for applications associated traditionally with the desktop is a good starting point, eventually organizations should look to cloud less as a way of saving money and more as a way of unlocking value. Consider things like what cloud can do – over time – to make it easier to aggregate, analyze, and exploit big data. Think about how cloud can enable enterprise integration of global supply chains. In other words, think of cloud in combination with other emerging needs and opportunities. While the protection of IP is today’s biggest concern, don’t overlook your organization’s other potential uses of cloud and the need to protect those uses.

The ISMG survey shows that information technology providers want to claim the cloud’s benefits, but they are aware of the cybersecurity challenges that must be met to meet those benefits, even in the private cloud context. Organizations should couple this awareness with strategies that are carefully considered and with the selection of cloud and cybersecurity partners who will share and support an enterprise’s strategy.

Sam Visner
Survey Results

Fundamental Concerns

Organizations must weigh the benefits against the risks when determining whether to implement a cloud computing solution.

Under Deployment: What are the top 5 factors mulled when deciding to develop/deploy a cloud solution?
  Security: 27%
  Cost: 24%
  Ability to share data: 12%
  Resources: 9%
  Need computing resources quickly: 8%

When exploring a cloud initiative, security is the No. 1 concern. If the data or system can’t be secured, then why do it? It’s a logical question, and one that must be addressed before organizations employ a cloud solution.

All organizations are under considerable pressure to rein in costs, so seeking a solution that could save money is being pushed by the bosses of those responsible for securing IT. Resources are costly. Getting additional IT resources on the cheap is an objective everyone seeks. But it’s also a matter of time. Often, computing resources are needed now, and getting them quickly is a significant reason to turn to a cloud provider.

Second Thoughts: What is your greatest reservation about secure cloud computing?
  Data protection: 22%
  Enforcing security policies: 14%
  Data loss: 9%
  Audit trail: 8%
  Meeting regulatory requirements: 7%

The survey confirms that data protection is the No. 1 reservation about cloud computing. That’s understandable in an era where data are vital assets for many organizations.

As IT security lawyer Françoise Gilbert points out, if a cloud provider loses an organization’s data, compensation would likely be based on the amount the client paid for the service, not the value of the information to the enterprise. “What you’re going to get back is very small … it’s dollars, tens of dollars, but it’s not millions of dollars,” she says. “You get what you pay for. You pay a small amount to hold your data, but in exchange you have to be aware of the risk. … Be prepared to be a victim.”

The other survey responses here reflect a major problem with having someone else house your data – knowing how it’s being protected. How to enforce security policies and/or meet regulators’ requirements just adds more complexity to the use of cloud services. There are ways to address these concerns, but they often involve time, money and a good lawyer.
No Shows: What data are too risky to put on a private cloud?
  Credit card: 54%
  Intellectual property/trade secrets: 51%
  Financial: 49%
  Health: 49%
  State/government secrets: 46%
  Proprietary/sensitive: 45%
  Personally identifiable: 45%

This question focuses on the private cloud, an offering that’s perceived as being more secure than public, community and hybrid clouds. Even with extra security, either a majority or a sizeable plurality of our respondents feel it is too risky to put some very common data on a private cloud. This attitude must change if the cloud is to become a critical platform for IT.

Another reason organizations have shown a reluctance to adopt the cloud at a faster pace is the lack of expertise and knowledge about the technology on their own staffs. About three-quarters of the respondents say their technical staffs lack the know-how to deploy cloud solutions. Only 1 in 20 respondents feel their staffs are fully versed in the cloud.
Missing Links: What types of knowledge or expertise is most lacking in your organization regarding secure cloud computing? (top five answers shown)
  Security: 28%
  Technology/Implementation: 17%
  Compliance: 14%
  Legal: 10%
  Standards: 10%

What knowledge is most absent? Security, technology and implementation, compliance, legal and standards, respondents replied. This list of varying skills illustrates why the cloud needs buy-in, not just from the technical staff, but from various parts of the enterprise. Plus, it also shows how complex proper execution of a cloud initiative is.

Webinar – 2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud
Join a distinguished panel of cloud computing experts for the first look at the findings of this study and how organizations can improve the security of their cloud computing initiatives, including:
• Understanding risks cloud computing presents;
• Mitigating these risks;
• Steps to take to employ cloud computing securely and effectively.
http://www.inforisktoday.com/webinars.php?webinarID=276
The Bottom Line

Cloud computing investments remain a very small percentage of most organizations’ IT budgets. Our survey shows that just over 40 percent of respondents’ organizations allocated 10 percent or less of their IT budgets to public, community and hybrid clouds, with just over one-third earmarking money for private clouds. Nearly 40 percent of respondents say their organizations didn’t allocate any money for public/community/hybrid clouds; less than a quarter didn’t apportion any funds for the private cloud.

Still, cloud computing is perceived to lower costs and provide other benefits to the organization.

Wrong Impression: Will cloud computing save your organization money?
  Yes: 76%
  No: 24%

It’s not just that the cloud is seen as a money saver; it provides opportunities to try out new solutions without a hefty investment, or to buy storage or processing time, when needed, without a significant investment.

The Upside: Why the cloud? Ask anyone involved in cloud computing, and they’ll say cost is the primary reason to adopt the technology. Indeed, three-quarters of our respondents say cloud computing will save their organizations money.

But there are many other benefits, some that could have a profound impact on how organizations fund IT initiatives.

Advantages: What are the benefits of cloud computing?
  Cost savings: 23%
  Better scalability: 16%
  Improved flexibility: 10%
  Switch from CapEx to OpEx: 5%
  Advanced technology: 5%
  Compliance: 5%
  Faster development time: 5%

Though only 5 percent of our respondents identified the switch from capital expenditure to operational expenditure as the prime benefit of cloud computing, it’s a factor that will change the way enterprises approach the funding of IT and IT security. The cloud provides organizations with IT without significant upfront costs. And, as some of our respondents note, the cloud gives organizations access to advanced technology, also without a significant initial outlay.
Vetting the Vendor

Checking Out Cloud Providers: What are the primary ways your organization verifies the security your cloud provider offers? (top six answers shown)
  Third-party attestation: 35%
  Conduct own assessment: 28%
  Joint vulnerability testing with provider: 16%
  Accept word of provider: 7%
  We don’t verify: 7%
  Follow lead of another company similar to yours: 5%

IT security managers don’t agree on the best ways to verify cloud security providers, but a majority of them agree that some type of formal assessment must be done, whether provided by a third party, done themselves or jointly with the cloud provider.

Getting Outside Help: Does your organization employ a third-party organization to certify or attest the security of the cloud provider?
  Yes: 34%
  No: 66%

Trusting a cloud provider is crucial.

In its guidance, the National Institute of Standards and Technology observes that a lack of visibility of the cloud makes it difficult for users to be confident that providers are in compliance with regulations unless the provider obtains an independent audit from a trusted third party. Even here, the frequency of third-party audits may limit the overall assurance offered, since a cloud system could quietly drift out of compliance.

Due Diligence: Who Does the Vetting in Government? (Asked of government respondents only)
  Third-party provider: 57%
  Own agency: 22%
  Another agency: 20%

In the U.S. federal government, a new initiative called FedRAMP – it stands for the Federal Risk and Authorization Management Program – provides for a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The idea is that if one agency vets a cloud provider, other agencies can use that evaluation for their own provider assessment, saving time and money.

Under FedRAMP, third-party assessment organizations perform initial and periodic assessments of cloud provider systems, provide evidence of compliance and play a continuing role in ensuring cloud providers meet requirements.

The federal government won’t allow agencies to employ a cloud service unless it passes an audit by a third-party assessor to validate and verify it meets FedRAMP requirements.
Trustworthiness: Would external certification of a cloud provider increase trust in cloud computing?
  Yes, but only if certification data can be reviewed and verified: 38%
  Yes, but only if this certificate is based upon an agreed standard: 25%
  Yes, but only if the certifying body can show accreditation: 16%
  No: 13%
  Yes, in any case: 8%

It all comes down to trust. External certification of a cloud provider is seen as crucial by more than 85 percent of our respondents. Yet, for about half of the IT security practitioners we surveyed, external certification works only if the certification data can be reviewed and validated, the certifying body can show it’s accredited and/or the certificate is based on an agreed standard.
VENDOR RELATIONS

Scrutinizing the Cloud Provider: A Look at How the City of Seattle and Jet Propulsion Laboratory Vet Their Cloud Providers

In a roundtable discussion on the Cloud Computing Security Survey, Seattle Deputy Chief Information Security Officer David Matthews and NASA’s Jet Propulsion Laboratory Chief Technology Officer/IT Tomas Soderstrom address how their organizations go about vetting their cloud computing providers. What follows is an edited version of that conversation.

DAVID MATTHEWS: We have a series of questions that we go through in a procurement process. We ask cloud providers to either provide us with a third-party certification and/or allow us to do our own assessment of their site. We ask them about what their uptime promises are; we ask for warranties on their uptime. We ask for information on their records management and recovery issues and business continuity and disaster recovery. We also use a lot of community connections, too. We talk to other local and state and even federal government partners to try to find out what they’re doing and improve their findings if they’ve got big solutions that are working. We [also get information from] other states through the MS-ISAC (Multi-State Information Sharing and Analysis Center). We are very much a community-oriented group. In the Pacific Northwest here, we look at who’s finding good solutions, who’s finding people that they feel like they can trust and that are doing a good job. We do that as well as ask the technical sort of questions and the contract questions.

TOMAS SODERSTROM: We vet ourselves first. We don’t put everything in one cloud because different clouds are good at different things. If we, for instance, picked one cloud and it was a super, super secure cloud, then we’d be paying too much for security, for content that didn’t really need to be secured, whereas if we did the other one, we’d picked some cloud vendor that’s wide open, then we couldn’t put secure content in it. The key is to put the appropriate computing and the appropriate storage in the appropriate cloud.

We ask a lot of questions from our end users. In fact, we coded it so that when they select a cloud vendor, it does it automatically based on the answers to those questions. It picks it from a short list of cloud vendors. So far we have data in 10 different clouds, and we let the users dictate which one is the stronger.

This is fairly new; we created a Cloud Computing Commodity Board. The board consists of people from IT security, the IT department, legal, procurement, acquisition department, billing and invoicing and a lot from the missions – the people who actually use the clouds. They vet it. We have some mandatory questions, and then some would-be-nice-to-have questions. That’s how we get the cloud providers into the JPL marketplace to be picked from the subservice software. By doing that, we can have them come on or off the short list without having to issue an RFP (request for proposal) each and every time. We can put the appropriate content in the appropriate place.

The appropriateness really comes down to cost. If we have two choices for every function, then we make sure we don’t get locked into any one vendor and that we pay the least we can possibly do. We also spend a lot of time talking to other entities in the federal government and outside to find out what cloud vendors are doing.

Service-level agreements are not a really big thing for us because we collect science data. If we lost that science data from space and we get a few cents back for compute hours, that would not be meaningful. Instead, we look at three strikes and that cloud vendor is out and we’ll go somewhere else. We think in terms of service-level understanding because the compute costs are really quite low compared to other normal ways of doing it.

Perhaps most importantly, we talk to the cloud vendors themselves and set up a lot of face-to-face discussions. That’s usually through video conference so that our legal people can talk to their legal people, our IT security people can talk to their IT security people and understand how, if we need to do a forensics investigation, how we would do that. We showed them how we get audited and different audits for different types of data and said, “How would you help us pass this audit?”
Confronting Risk

As you examine the next three graphs, you’ll come away with the impression that many organizations are relatively immature in regards to cloud computing deployment.

The response to the security question of whether internal audits provide appropriate feedback to improve cloud security suggests that internal audits have yet to provide suitable insights into cloud computing.

Audit Lessons: Do internal audit reviews provide appropriate feedback to improve cloud security?
  Yes: 50%
  No: 50%

For many organizations, cloud use is nascent, and not many security audits have been conducted. In addition, auditors in some organizations need to get educated about cloud security in order to provide valuable insight. Look for the “yes” response to grow in the coming years.

It’s More than Process: Does your organization have adequate policies/procedures to enable safe and secure cloud use?
  Yes: 41%
  No: 59%

The fact that a majority of our respondents say their organizations don’t have adequate policies and procedures to enable safe and secure cloud use suggests a lack of sophistication in many organizations’ cloud initiatives. As organizations rely more on the cloud for applications and as a platform, look for more enterprises to develop processes for how they should address secure cloud computing.

Prioritizing Security: How much of a priority is security when evaluating a cloud provider?
  High priority: 79%
  Neither high nor low priority: 11%
  No/low priority: 10%

Cost may be the principal driver for organizations to adopt cloud computing, but until it’s deemed secure, most organizations will approach the cloud with extreme caution.
Location, Location, LocationHow important is the physical location of cloud servers?
Specifically, we asked how important is it that your cloud
provider’s servers be situated in the country where your
organization is based.
We all know that data can be moved around the globe at
lightning speed. Data on the cloud can be stored anywhere. That
doesn’t sit well with most of our respondents. Not knowing
where critical assets are stored can be nerve racking. And,
there could be legal reasons, too. Each country has its own laws
defining who can have access to data, and having data scattered
around the world can give an IT manager a headache.
Encryption, Of Course
Does your cloud provider use encryption to protect data?
Encryption is one of the fundamental ways organizations safeguard
their data, whether on laptops, mobile devices, servers and, of
course, on the cloud. For most of the IT security practitioners
surveyed, employing a cloud provider that offers encryption is a
must.
To Encrypt or Not to Encrypt?
What unencrypted data would your organization put on a cloud provider’s server? (Multiple answers allowed)
Nearly half of our respondents can’t conceive of putting any data
on the cloud without the information being encrypted.
Organizations must make sure that their legal contracts with
cloud providers assure encryption when appropriate. “The best
way to mitigate those risks is to really understand who’s got
what responsibility and what it’s going to cost us to have the
right kind of security in place,” says Seattle Deputy CISO David
Matthews, “and what kind of data actually belongs in the cloud,
what kind of encryption processes we’re going to use. The best
way to avoid nervousness is really to have a good contract up front
so everybody knows where everybody else stands.”
[Chart: How important is it that your cloud provider’s servers be situated in the country where your organization is based? Important 54%; Unimportant 12%.]
[Chart: Does your cloud provider use encryption to protect data? Yes 78%; No 22%.]
[Chart: What unencrypted data would your organization put on a cloud provider’s server? None 43%; Non-regulated 33%; Regulated 14%; Employee 12%; Proprietary 11%.]
Taking Responsibility
Shared Responsibilities
Who should manage encryption keys?
A majority of our respondents understand that regardless of the
provider they choose, ultimately they’re accountable – whether
by themselves or jointly with the provider – to assure their data
are encrypted on the cloud.
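The key-custody choice discussed here, and the encryption questions in the two preceding sections, come down to one design: who holds the key that can turn the provider’s stored bytes back into data. The following Go program is an added example, not code from the survey or from any vendor it names. It performs client-side envelope encryption with the Go standard library’s AES-256-GCM: the user organization keeps a key-encryption key (KEK), each object gets a fresh data-encryption key (DEK), and the provider receives only the ciphertext and the DEK wrapped under the KEK. The KEK, the payload and the classification label are constructed sample values; in a real deployment the KEK would live in the organization’s own HSM or key manager (the “User organization” answer), while letting a provider-hosted key service hold the KEK corresponds to the “Both” answer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the cloud provider is given. The KEK that
// unwraps WrappedDEK never leaves the user organization, so the provider
// holds ciphertext it cannot read.
type StoredObject struct {
	Label      string // data classification; authenticated, not encrypted
	DEKNonce   []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // 32-byte DEK sealed with AES-256-GCM, tag appended
	Nonce      []byte // nonce used for the payload
	Ciphertext []byte // payload sealed under the DEK, tag appended
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes draws n bytes from the operating system's CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal encrypts plaintext under a fresh per-object DEK and wraps that DEK
// under the customer-held KEK. The classification label is bound to both
// layers as associated data, so relabelling a "regulated" object as
// "non-regulated" on the provider side makes it undecryptable.
func Seal(kek, plaintext []byte, label string) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dekNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ad := []byte(label)
	return &StoredObject{
		Label:      label,
		DEKNonce:   dekNonce,
		WrappedDEK: kekAEAD.Seal(nil, dekNonce, dek, ad),
		Nonce:      nonce,
		Ciphertext: dataAEAD.Seal(nil, nonce, plaintext, ad),
	}, nil
}

// Open unwraps the DEK with the KEK and then decrypts the payload. Wrong
// KEK, altered label and altered bytes all produce the same error, so the
// failure reveals nothing about which layer rejected the object.
func Open(kek []byte, obj *StoredObject) ([]byte, error) {
	ad := []byte(obj.Label)
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, obj.DEKNonce, obj.WrappedDEK, ad)
	if err != nil {
		return nil, errors.New("envelope open failed")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := dataAEAD.Open(nil, obj.Nonce, obj.Ciphertext, ad)
	if err != nil {
		return nil, errors.New("envelope open failed")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample KEK; in practice it sits in the organization's HSM.
	kek, err := randomBytes(32)
	if err != nil {
		panic(err)
	}
	obj, err := Seal(kek, []byte("patient record 1234 (constructed sample)"), "regulated")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n",
		len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := Open(kek, obj)
	fmt.Printf("owner with KEK reads: %q (err=%v)\n", pt, err)
	obj.Label = "non-regulated" // provider-side relabelling attempt
	_, err = Open(kek, obj)
	fmt.Println("after label change, open fails:", err)
}
```

The DEK-per-object layout is what makes key rotation and deletion practical at cloud scale: rotating the KEK means re-wrapping small DEKs, not re-encrypting every object, and discarding a DEK renders one object unreadable without touching the rest.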
Getting over the Bump
Would you move critical systems to the cloud?
The takeaway from this question is that, if not now, then eventually,
a majority of organizations either have moved critical systems to
the cloud, plan to, or have not ruled it out. That bodes well for the
future of cloud computing. It suggests a can-do attitude: organizations
expect to find a way to employ the cloud for all types of applications
and systems.
6 Principles for Effective Cloud Computing
ISACA Guide Aims to Minimize Cloud Computing Risks
ISACA, the professional association focused on IT governance, counsels
that organizations adopting cloud computing should adhere to six
principles. Doing so will help enterprises avoid the perils of transferring IT
decision-making away from technology specialists to business unit leaders.
Here are ISACA’s definitions of the six principles:
• Enablement: Plan for cloud computing as a strategic enabler, rather
than as an outsourcing arrangement or technical platform.
• Cost/benefit: Evaluate the benefits of cloud acquisition based on a
full understanding of the costs of cloud compared with the costs of
other technology platform business solutions.
• Enterprise risk: Take an enterprise risk management perspective to
manage the adoption and use of cloud.
• Capability: Integrate the full extent of capabilities that cloud
providers offer with internal resources to provide a comprehensive
technical support and delivery solution.
• Accountability: Manage accountabilities by clearly defining internal
and provider responsibilities.
• Trust: Make trust an essential part of cloud solutions, building trust
into all business processes that depend on cloud computing.
Ramsés Gallego, the Quest Software security strategist who serves
on ISACA’s Guidance and Practices Committee, characterizes cloud
computing as a game changer, especially for the small and midsize
enterprise.
“Its availability means that technology infrastructure is not the market
differentiator it has been in the past,” Gallego says. “These principles will
enable enterprises to experience the value that cloud can provide and help
ensure that internal and external users can trust cloud solutions.”
Trust is key because many people, including IT security experts, lack
confidence in the cloud as a platform that assures security and privacy.
[Chart: Would you move critical systems to the cloud? No, we don’t have plans to do so 34%; Perhaps, but not within 12 months 29%; Yes, we plan to move one or more of our business-critical systems to the cloud in the coming months 19%; Yes, one or more of our business-critical systems are in the cloud 18%.]
[Chart: Who should manage encryption keys? User organization 47%; Both 34%; Don’t know 12%; Cloud provider 7%.]
Allaying Concerns
What controls do you implement to mitigate risks? (Multiple answers allowed)
Other controls respondents cite included increased contract
management, onsite inspection, adjusted incident management,
third-party testing, financial penalties and increased liability for
providers.
Among the steps organizations already are taking to secure
cloud data are tried-and-true IT security tools and processes,
including encryption, strong identity and access management
controls and more audits.
The Guardians
Who’s responsible for ensuring security of cloud resources?
In the end, it’s the users’ responsibilities to ensure the security
of their cloud implementations.
Tomas Soderstrom, chief technology officer/IT at NASA’s
Jet Propulsion Laboratory, sees the end-user organization as
ultimately responsible for securing their organization’s IT.
But, he points out, an end-user organization consists of many
different entities – IT, information security, business units,
operations and so on – thus, they must collaborate. “The real
enabler here becomes the IT security people,” Soderstrom says.
“They need to become consultants to show the business how
to secure the data and be able to put it securely in the cloud.
Because if they don’t, all of a sudden there could be a security
breach, and it could shut down the whole organization’s use of
the cloud.”
A slim majority of respondents say it’s their organization, not
the provider, who’s responsible for ensuring the security of
cloud resources. It’s your data and systems, and it wouldn’t be
wise to outsource the responsibility for IT security to someone
else, even if they are the ones who are hosting your IT assets.
More respondents place that responsibility with the IT or IT
security organization than with the business or data owners. That
reflects two realities: in most enterprises there isn’t just one
business-side group using the cloud, and it’s not unusual for an
enterprise to employ more than one cloud provider. Someone must be
in charge.
[Chart: What controls do you implement to mitigate risks? Encryption techniques 60%; Stronger ID/access management controls 43%; Increased due diligence of provider 42%; More auditing of cloud-service provision 37%.]
[Chart: Who’s responsible for ensuring security of cloud resources? Cloud provider 48%; IT or IT security organization 38%; Business side/data owner 14%.]
EXPERT INSIGHTS
Ultimate Responsibility
Accountability for securing data doesn’t change because of a move into the cloud.
ISMG: What are the responsibilities of
the end-user organization, regardless of
the contract, to make sure that its data is
secure?
DAVID MATTHEWS: The
responsibility that you have for securing
your data doesn’t change because you
move into a cloud environment; they’re
exactly the same. You have to treat it that
way from the very beginning. You have
to look at everything that you could do to
classify your information, protect your
information, to be able to have access
to your information. You have to find a
way to do those exact same things and
move into the cloud through contract or
through the vetting processes. The legal
issues have to be well understood as well.
So they really don’t change. One of the
things that people thought [was], “Maybe
we could get out from under some of
this risk if we move things to the cloud.”
We just have to assume that we’ve got, if
anything, maybe more risk, or a different
kind anyway.
FRANÇOISE GILBERT: I would agree
with that. It’s your data, and you’re
responsible for it and it’s irrelevant what
you do with it. Whether you put it in
the cloud or in the trunk of your car,
it’s your responsibility. It may be even
more responsibility than before because
there are situations where the cloud
provider does not have a clue about the
data that you have. You could put in a
cloud the secret to the atomic bomb
and the cloud provider wouldn’t know
because that’s not their business. Their
business is to provide you with, if you
want, a big safe deposit box where you
put your information. What you put in
that safe deposit box they don’t know. If
you have very important information, it’s
your responsibility to make the decision
whether or not you put it there, how
you protect it and what kind of security
measures you can use to protect that
information because the cloud provider
would not know the nature of the
information.
David Matthews is deputy chief
information officer for the City of Seattle.
Françoise Gilbert, a lawyer specializing in
IT security and privacy, is a founder and
managing director of the IT Law Group.
The Agenda
Top officials at businesses, nonprofits and governments around the world are pressuring their IT and IT security organizations to adopt cloud computing because of the potential savings it offers.
Technologists know of the security challenges that make
widespread adoption of cloud services difficult, but in many
instances, employing this new technology is doable; the
vulnerabilities can be addressed.
Understanding the current state of cloud computing – whether
at your organization or those of others – will help you address
the evolving challenges of secure cloud computing.
But these challenges can’t be mitigated until enterprises –
including internal business operations as well as IT and IT
security organizations – figure out what they have and how to
improve on it. Cloud will evolve into something much different
in the coming years.
Fundamental Concerns
Clues to how organizations will use cloud computing securely in
the coming months and years can be found in the research.
Cutting costs is a major reason why organizations migrate to
the cloud, but other drivers are likely to surface, including the
need to obtain additional computing resources quickly. That
will require processes to assure that the adoption of cloud
computing can be done efficiently and securely.
In the end, implementing cloud computing effectively requires
protecting information and preventing its loss. Traditional
means to safeguard data – such as encryption – work in the
cloud environment as well, and should not be ignored.
The Bottom Line
Cloud computing provides organizations with a lot of flexibility
in how they fund and deploy information technology securely.
The cloud allows organizations to introduce new technologies
with far lower upfront costs, as they switch from capital
expenditures to operational expenditures. That gives organizations
with limited financial resources more flexibility, both in how they
spend and in how quickly they can introduce new applications and
products, and it opens access to advanced technologies without
considerable initial cost.
Vetting the Vendor
Most organizations cannot move to the cloud alone. They need
a third-party vendor to help them scrutinize the reliability of
cloud providers.
Trust is a fundamental trait of information risk and IT security,
and that’s amplified in the cloud. And as the vast majority of our
respondents say, external certification of cloud providers builds
trust in them.
Before you retain a third party to vet your cloud providers, make
sure you can trust the organization you hire to conduct the
evaluation. Look to the federal government’s FedRAMP program,
which accredits third-party assessment organizations, for
pre-approved vetters.
Also, conduct your own due diligence of third-party certifiers
and the cloud providers. The data you protect belong to
you; ultimately, it’s your responsibility, as well as your legal
obligation, to assure the security of information and systems.
Confronting Risk
The anxiety many IT security pros express about adopting cloud
services is understandable. But you don’t need Valium to calm
those nerves, just best practices.
And among the best practices to employ is the encryption of
crucial data to be housed on the cloud. Other steps to take
to mitigate risk include employing stronger identity and
access management controls, auditing the cloud provider and
conducting onsite inspections.
In some respects, cloud computing isn’t new. Organizations
have been outsourcing computing services for decades. So use
proven IT security tools and processes to assure the security of
your cloud ventures.
Ultimate Responsibility
Take responsibility. It’s your data, your systems that are at stake,
and in the end, the buck stops with you.
Ultimately, as IT security professionals, security is your
responsibility. But that doesn’t mean you should do it alone.
Partner with your organization’s IT and business organizations
as well as the cloud provider.
The cloud offers many benefits, and as you become more
comfortable with its security, be the evangelist in your
organization for the technology. Though cloud computing is not
a panacea, at least not yet, enterprise computing is heading to
the cloud. Implemented properly and securely, cloud computing
will add value to your organization’s growing need for safe
computing.
Action Items
1. Create a Team
Organize stakeholders within and outside your organization to
address the security concerns of cloud computing. No single
individual or group owns cloud computing, but the IT and IT
security organizations are best situated for getting all participants
together.
2. Employ What You Know
In many respects, cloud computing isn’t new; it’s just another
version of outsourcing that organizations have employed for
decades. The same tools and processes you used to secure your
systems in the past can be employed to protect your digital assets
in the cloud: encryption, stronger identity and access management
controls, audits and onsite inspections.
3. Network
Talk to other organizations in your field as well as industry groups,
such as information sharing and analysis centers, to determine
how they approach secure cloud computing.
4. Perform Due Diligence
Whether you use a third party, piggyback on other trusted
organizations, such as the U.S. federal government’s FedRAMP
initiative, do it yourself or a combination of all three, it’s essential
that you vet the security your cloud provider furnishes. Ultimately,
it’s your responsibility to protect your information and systems.
5. Just Do It
Pilot cloud initiatives that contain non-sensitive information. In
doing so, you’ll learn ways to secure data that will prove useful
when you seek to safeguard sensitive data in the cloud. You’ll also
learn to deal with cloud computing vendors.
NIST Issues Long-Awaited Cloud Guidance
NIST has published its long-awaited cloud computing guidance,
Special Publication 800-146: Cloud Computing Synopsis and
Recommendations, which addresses risk management and other
security matters.
http://www.inforisktoday.com/nist-issues-long-awaited-cloud-guidance-a-4810
Tips for Contracting Cloud Services
Cloud services contracts often provide little to no wiggle room
for organizations. In planning to use cloud computing services,
what steps do organizations need to take before signing any
contract? IT security lawyer Françoise Gilbert offers some key
strategies.
http://www.inforisktoday.com/tips-for-contracting-cloud-services-a-4797
Linking the Cloud to Continuous Monitoring
NIST information risk management evangelist Ron Ross sees
continuous monitoring playing a vital role in securing cloud
computing.
http://www.inforisktoday.com/linking-cloud-to-continuous-monitoring-a-4520
FedRAMP Security Controls Unveiled
The federal government has issued some 170 controls for
FedRAMP, the program designed to vet cloud computing
providers for federal government agencies.
http://www.inforisktoday.com/fedramp-security-controls-unveiled-a-4391
5 Essential Characteristics of Cloud Computing
To employ new technologies effectively, such as cloud
computing, organizations must understand what exactly they’re
getting. With this in mind, the National Institute of Standards
and Technology has issued its 16th and final version of The NIST
Definition of Cloud Computing.
http://www.inforisktoday.com/5-essential-characteristics-cloud-computing-a-4189
10 Realms of Cloud Security Services
Security poses a major challenge to the widespread adoption of
cloud computing, yet an association of cloud users and vendors
sees the cloud as a provider of information security services.
http://www.inforisktoday.com/10-realms-cloud-security-services-a-4097
Cloud Computing: 5 Topics for the Boss
Here are the top five cloud computing security risks and
concerns CISOs must discuss with their managers.
http://www.inforisktoday.com/cloud-computing-5-topics-for-boss-a-3554
Cryptography in the Cloud
There’s no better way to secure critical data than through
cryptography, especially when that data is stored in the cloud,
says cryptography expert Ralph Spencer Poore.
http://www.inforisktoday.com/cryptography-in-cloud-a-3305
Resources
Learn more about the key issues driving secure cloud computing: InfoRiskToday features extensive coverage of cloud security, and the items above are a sampling.
4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com
© 2012 Information Security Media Group, Corp.