Study on security in cloud computing shows angst, rogue users

Many IT pros don't know the number of cloud-based services used in the enterprise and few are taking chances moving sensitive data to the cloud, a Ponemon Institute survey finds.

IT professionals are fearful that sensitive data will fall into the wrong hands if cloud-based services are used by their organizations, but many acknowledge that the risks are being ignored by some employees who may already be using cloud computing, according to a new survey.

They said ... we're not only not confident in what's really going on, but we're also not sure what the problems are we should be dealing with.


Mike Spinny, senior privacy analyst, The Ponemon Institute

The Security of Cloud Computing Users study, conducted by the Ponemon Institute and sponsored by CA Inc., surveyed IT professionals in Europe and the United States. Those surveyed acknowledged that some parts of the organization may be using cloud computing services without their knowledge. More than 50% of respondents in the U.S. said their organization is unaware of all the cloud services deployed in their enterprise.

"The [survey respondents] said, 'Yes, in fact, we're not confident what applications out there are being used within policy and we're not only not confident in what's really going on, but we're also not sure what the problems are we should be dealing with,'" said Mike Spinny, a senior privacy analyst at the Ponemon Institute. "It's a very concerning situation in that we're talking to people who are tasked with the responsibility of protecting information."

In addition, the survey found general angst among the IT professionals over data security in the cloud, with 68% noting that financial information and intellectual property were too risky to store outside the company data center. Those surveyed also said health records (55%) and credit card information (43%) should not be moved to cloud-based services.

"There is a lack of confidence that has been uncovered by this study," Spinny said. "IT practitioners said they weren't sure a specific vendor went through the proper vetting process and if they don't know what's being used they're going to lack confidence and feel like they don't have control of their environment."

The survey found that many organizations had a lack of understanding of who is ultimately responsible for ensuring security of data in cloud computing environments. Twenty-seven percent of U.S. respondents and 38% of European respondents believe their organization's security leaders are most responsible for ensuring safety. Only 38% of U.S. IT professionals said their organization was proactive in assessing whether information is too sensitive to be stored in the cloud.

While IT pros at organizations in Europe generally held a more favorable perception of the state of cloud computing security than their U.S. counterparts, the percentage of organizations fully utilizing cloud-based services is low.

The survey found that few organizations are using Infrastructure as a Service or Platform as a Service (PaaS), hosting providers that generally share infrastructure and computing power outside the company walls. The survey found that most of the cloud-based services were Software as a Service (SaaS) providers. Of those surveyed, 67% of U.S.-based IT pros said SaaS was in use in their organization. Meanwhile, only 35% were using PaaS. IT pros in Europe gave similar responses.

Over time, both Spinny and Lina Liberti, vice president of marketing for CA security management, said they expected organizations to migrate to more cloud-based resources to reduce cost and boost efficiencies. Organizations need to become more familiar with cloud-based services and eventually they will determine that many of the same security technologies used in physical environments can be used in the cloud, Liberti said. In many cases, the identity management, log management, data encryption and network security systems currently being used can be applied to mitigate increased risks, she said.

"I think we're seeing a natural evolution take place within organizations," Liberti said. "Years ago IT practitioners wouldn't have thought to move sensitive data from the mainframe to the distributed server environment. It happened over time and today we're seeing a similar progression with the cloud."
