Cloud computing providers: Clueless about security?
To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.
Recent incidents made me doubt this:
- Amazon not only having significant downtime but, at the same time, losing customer data.
- Sony’s game network being significantly compromised.
This is definitely not meant to blame them, but I was very surprised. And then I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?
It paints a really scary picture of the industry, especially given how much effort we (and other Cloud providers) put into securing our customers' data. The management summary says:
- The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
- The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
- Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
- Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
- The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
- Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
- While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.
We should not think that the customer can just throw their data “over the wall” to the Cloud provider and all the problems are solved. The customer still has obligations, as we state in our Cloud Computing Security Considerations paper:
Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
We are currently working on a series of papers for Private Clouds, Office 365 and Azure to show what remains the customer’s responsibility and what can be transferred to the Cloud Provider.
If you consider the points in the study above, it means that you have to do your due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!
Roger
Comments
Anonymous
January 01, 2003
thank you

Anonymous
May 08, 2011
I'm not sure I follow. Antimalware comparative testing rates antimalware software against each other by testing them all by the same criteria. It's not perfect, but it does give you an idea on how much better one solution is over another, and thus, which one is a smarter buy. Many security solution purchasers will buy their products based on these ratings. Now if you do a similar type of standardized hacking and intrusion tests against online service providers at regular intervals, you can get a similar outcome. Obviously when a provider gets a bad grade, they'll want to try harder to raise the level of trust with customers. This is akin to the grading system that restaurants around here obtain during a health inspection, and must post in their front window. No restaurant owner wants a "yellow" or "red" sign, as they'll lose the trust of their patrons, but not posting the results will also lead to fines. If they pass, they get a green sign. This is a simplified system though. I'd rather have some kind of percentage of attacks blocked in the case of online service providers. The goal of this is not to say that one solution can block every type of attack, but of how serious each provider is at securing their systems. As more and more testing authorities offer their various certifications, the solutions with the highest overall "score" would be the most secure. Quantitative security does count for something, after all.

Anonymous
May 09, 2012
Nice discussion regarding cloud computing providers. I was not aware of it before. Keep it up.