Who’s using cloud more — the U.S. or Europe? What are the biggest concerns when it comes to security on both sides of the Atlantic? Should you be developing a cloud strategy now, or should you wait until next year?
These are some of the questions that the Ponemon Institute and CA Technologies posed in a recent survey of IT professionals.
Today we talk with Larry Ponemon, chairman and founder of the Ponemon Institute, and Lena Leverti, vice president of products at CA Technologies, who explain their results for us.
LP: In our experience, there are a whole bunch of interesting security topics, but what seems to rise to the top of the security heap in terms of risk and potential problems is, in fact, the cloud computing environment, which is very quickly becoming the standard for organizations — not just small and medium sized companies — but much, much larger companies, as well.
LL: One of the key things is that, as companies start adopting cloud, they’re basically giving up some of the control that they have. When they technology is within their own organization, they control it directly, so one of the biggest hurdles that’s viewed around cloud adoption is definitely security.
FCB: Who did you survey and why did you pick that group or groups?
LP: Well, the appropriate groups for this study are folks in the IT community and, more specifically, people who know something about information security. When you do a study like this, you quickly find that people wear many hats, and so many of the respondents were IT practitioners, but every respondent at least touched some aspect of information security, including network security systems, and a whole bunch of other related areas of expertise. This study is not just the U.S. only; [it] was also conducted in tandem with a group of practitioners in Europe, as well. I think that actually generated some interesting differences between the two groups.
LL: There were about 600 folks that responded to the survey.
FCB: What were some of the key findings?
LP: Probably one of the most interesting and important findings is that the respondents — these IT practitioners in both the U.S. and Europe — basically don’t have confidence that their organization has the ability to secure data and applications that are presently deployed to the cloud. So, they basically see some very significant security risks that exist today and maybe loom large on the horizon. We also found that IT practitioners in the U.S. and Europe hold relatively similar views on the reasons why cloud computing is so fashionable and so popular and so important, because it’s really about cost savings, and it’s also about speed to deploying new applications. So, even though we may say, ‘gosh, there’s a huge security risk,’ the reality is that cost and speed to deployment are probably much more important to end users.
LL: And one of the biggest challenges that came out in the survey results was that half of the respondents basically said that they’re not aware of all of the computing resources deployed via the cloud in their organization today. So, if you’re not aware of it, you really can’t secure it.
FCB: One of the things that I noticed first and foremost is the fact that you define cloud computing. When you were talking to people in the U.S. and Europe, did you notice that there was maybe a difference in the definition of cloud computing?
LP: We expected that there would be differences, and, in fact, the perception of cloud computing and what a cloud computing environment is was pretty consistent — more consistent than our . . . expectation. But I will say that, in both the U.S. and Europe, there’s confusion about private clouds and what these really mean. Is a private cloud a more secure version of a public cloud? Or, is it just simply on-premise computing where you’re using extensive virtualization? So, if there is any confusion in the marketplace, it’s probably around the private cloud environment. But, public clouds are generally well understood and the definitions are generally agreed upon.
FCB: Speaking of differences across the pond, did you find any differences between who’s using cloud in the U.S. versus who’s using cloud in Europe, especially in terms of government entities?
LL: We did. Some of the [respondents] are, in fact from the public sector and public organizations, and it is clear that public sector organizations are using cloud computing resources, perhaps not to the same extent as commercial organizations, but definitely the trend is that the government is, in fact, a very large — and potentially larger — user of cloud computing resources, because obviously it’s about cost, and governments . . . are trying to control them. One way to do that is to make sure that [they are] using the most efficient technology. But, it does create that security risk. We did see some differences in the rates of deployment between the U.S. and Europe and, in fact, the rates of deployment in the U.S. are higher than Europe, generally speaking. That’s not just for software-as-a-service, but it’s also for platform services and infrastructure services.
LP: We tried to figure out why there were some differences between U.S. and European companies in terms of their deployment patterns. We think that, in the U.S., probably, cloud computing is just slightly more popular, and some of the providers — especially software-as-a-service — the big providers like Amazon, Google and SalesForce.com — they probably have a larger base of customers in the U.S. But, I think that difference is small and will probably be non-existent within the next 18 to 24 months.
FCB: Let’s talk a little bit more about security, because I noticed that you not only talked about cloud security and public cloud versus private cloud, but the responsibility for security — did you find any differences between who’s responsible for IT security in a U.S. organization versus in Europe? Or, is it kind of the same?
LL: With regards to the study results, it’s definitely shared, and the reality is, it has to be shared. Basically, when you look at the responsibilities for this type of an environment, there’s the provider themselves that has some level of responsibility and accountability, [and] the owner of the information is going to be held accountable regardless of any SLA in any type of agreement with the provider. At the end of the day, if a credit card provider puts their data in the hands of a partner, they’re still going to be held accountable, and history shows that’s definitely happened. So, the shared responsibility with IT, with the security folks, as well as the business line owner, which I think was a definite key finding in the study itself. The business owner also has a stake in this — and then, of course, the cloud provider.
FCB: What’s next? Is a report coming coming out of this study? What should we take from all of this data that you’ve put together?
LL: The study that we did was two-fold: it was for the consumers of cloud services, as well as the providers of cloud services. So, the study that we released was the first portion of that — for the consumers. We’ll be releasing the results of the study from the providers’ perspective, and then identifying some of the contrasts and so forth between the two.
FCB: Any wrap-up comments?
LP: We actually do believe that this issue of cloud computing from a security perspective is certainly not going away. The good news is that there are security technologies that are being developed and deployed that do reduce risk pretty substantially, caused by the change from on premises to cloud computing environments. So, it’s not all that bleak. There may be solutions in the future that will make that risk really negligible.
LL: Cloud security is definitely one of the areas that is viewed as high priority and, today, is viewed as a high risk area. I believe that technologies over the next year or so will definitely close the gaps [and] reduce the risks. One of the key things that organizations can do today and agencies can do today is clearly define a cloud security policy, whether it’s part of the security policy, I think it’s very important to just specify, from a cloud perspective, whether this policy applies in full or — here are the additional requirements and mandates for cloud security. That will help close that gap faster and reduce the risk significantly — just by creating awareness.