ALSO
Analysis and Insights
• Top Security Concerns
• Success Factors
• Confronting Risk
• Vetting Vendors
• Ultimate Responsibility
Results from the 2012 Cloud Computing Security Survey
SURVEY RESULTS REPORT
Overcoming the Apprehension of Cloud Computing
2012 CLOUD SECURITY SURVEY
Ask IT security practitioners what’s their No. 1 concern about cloud computing, and their most common answer, by far, is data protection. That concern – along with others such as enforcing security policies, maintaining an audit trail and meeting regulatory requirements – makes many organizations anxious about moving critical information and operations to the cloud.
No wonder many of the respondents to Information Security Media Group’s Cloud Computing Security Survey express hesitation about putting credit card, financial, health, personally identifiable and proprietary information, as well as intellectual property and trade and government secrets, on the cloud.
Despite their jitters, many IT security practitioners feel they have little choice but to pursue cloud computing options. Because of the perceived cost savings the cloud provides, their bosses see the cloud as a way to reduce IT expenses. Besides, IT security practitioners recognize that the cloud will play a crucial role in the future of enterprise computing, so they must identify and implement secure cloud computing practices. In fact, it’s already happening.
As you review the 2012 survey results, think about how to turn apprehension into resolve. In reality, many of the practices employed to secure data and systems can be used to provide cloud security. Questions to consider:
• What proven IT security practices can be adapted to work on the cloud?
• With whom should you partner – from within your own enterprise, third parties, industry colleagues and cloud providers – to safeguard your digital assets on the cloud?
• How can you use cloud computing contracts with vendors to protect your interest in safeguarding data on the cloud?
Please let me know how you answer these questions, and share other thoughts you have about the survey and cloud computing security. Your ideas are important in helping all of us at ISMG shape our evolving cloud computing security coverage.
Eric Chabrow
Executive Editor
Information Security Media Group
Confronting Cloud Computing Anxiety
Contents
Introduction: What’s the Survey About? 4
Hot Topics 7
Sponsor’s Perspective 8
Survey Results
Fundamental Concerns 10
The Bottom Line 13
Vetting the Vendor 14
Confronting Risk 17
Ultimate Responsibility 21
Scrutinizing the Cloud Provider 16
6 Principles for Effective Cloud Computing 19
The Agenda 22
Action Items 23
Resources 24
Implementing cloud computing effectively requires protecting information and preventing its loss.
Sponsored by CSC (NYSE: CSC), a trusted global leader in cybersecurity solutions, protecting some of the nation’s – and the world’s – most sensitive government and business systems and networks.
Introduction: What Is This Survey About?
No longer an emerging technology, cloud computing is taking off globally as a way to gain efficient access to critical applications, processes and storage.
Still, as the 2012 Cloud Computing Security Survey – Overcoming the Apprehension of Cloud Computing – shows, cloud initiatives are relatively new for many organizations. Nearly 1 in 3 survey respondents say their organizations are not using the cloud, a strikingly high percentage considering how quickly the computing platform is maturing. Distrust for its ability to secure data remains a high barrier for many organizations.
Types of Clouds
What cloud environments has your organization employed? (multiple answers allowed)
Private 54%; None 31%; Public 24%; Hybrid 24%; Community 15%
Security on the cloud is what worries most IT security practitioners. Nearly three-quarters of our respondents cite security as preventing their organizations from adopting cloud services.
Not Very Anxious
Do concerns about security prevent your organization from adopting cloud services?
Yes 72%; No 28%
And, because of their unease with the cloud, the promises the cloud presents in providing efficient and less costly secure IT solutions have fallen short. More than half of our respondents say their organizations have yet to achieve their cloud computing goals.
Achieving Objectives
Have your organization’s cloud goals been met?
No 30%; Not much 22%; Yes 18%; Some 18%; Many 12%
Despite jittery responses about the cloud’s security from many of the IT security professionals we questioned, the survey reveals that organizations are beginning to turn to the cloud to do much of what they’ve been doing all along, whether internally or contracting out to vendors using private networks to make the connection. Application hosting and e-mail/messaging are among the earliest offerings by cloud providers. The demand for data storage will only increase as the amount of data soars.
Popular Offerings
What cloud services does your organization have or will shortly deploy? (only top 5 listed)
Application hosting 34%; E-mail/messaging 34%; Data storage 29%; Collaboration software 25%; Application development/testing 23%
Cloud computing is revolutionizing the way businesses, not for profits and governments manage their information technology assets because of its potential to save organizations a significant amount of money and enable them to adopt new applications and scale systems to meet their computing needs.
We report a lot about cloud computing security on all of our editorial websites, and we wanted to examine not only cloud security concerns, but how security leaders addressed these concerns through policy, technology and improved vendor management. We asked survey respondents about their:
• Top Security Concerns: Were they more anxious about where their data are stored or whether a malicious insider might be a threat to it?
• Success Factors: On a scale with cost savings and availability of services, how did security rank among elements critical to a successful cloud computing implementation?
• Protective Measures: What were some of the practices organizations employed, from instituting more stringent contracts to enforcing third-party audits and participating in mock security exercises with cloud service providers?
• Ultimate Responsibility for Cloud Security: Lots of parties have roles in cloud computing: the IT and IT security organizations, business information owners and cloud providers. Who should be in charge to assure security?
The survey also covered cloud computing trends by industry and region, how senior leaders made their cloud decisions and top cloud-service investments projected for the coming year. This survey was developed by the editorial staff of Information Security Media Group with the help of members of our brands’ Boards of Advisers, which include some of the most prominent experts in IT security and risk management. The global survey was fielded during the first quarter of 2012. Our respondents are involved with cloud computing decision-making within their organizations, determining strategies, establishing priorities, evaluating performance and picking providers; many also help determine their organizations’ IT and/or IT security budgets.
Survey results unveil five key topics that will be explored in depth in this report:
Fundamental Concerns
Survey respondents cite security (27 percent) and costs (24 percent) as the primary considerations when organizations mull cloud use. We explore IT security practitioners’ greatest reservations as well as the knowledge and expertise most lacking in their organizations regarding the cloud.
The Bottom Line
The chief upside of cloud computing is cost savings: 76 percent of respondents say the cloud will save their organizations money. The survey reveals other benefits of the cloud, including better scalability and improved computing flexibility.
Vetting the Vendor
More than one-third of survey respondents say they employ a third party to attest to the security a cloud provider offers. As we show, organizations employ other ways to vet cloud providers, including conducting their own assessments.
Confronting Risk
Nearly 80 percent of survey respondents say security is a high priority when evaluating a cloud provider. Other risk factors organizations consider include not only whether, but how cloud providers employ encryption.
Taking Responsibility
Slightly more than half of our survey takers say the end-user organization – either the business-side/data owners or IT or IT security organization – and not cloud providers have ultimate responsibility to ensure the security of cloud resources. We show 37 percent of respondents either have moved or plan to move critical systems to the cloud.
SPONSOR’S PERSPECTIVE
A Perspective on the 2012 Cloud Computing Security Survey
The 2012 Cloud Computing Security Survey conducted by Information Security Media Group reveals persistent concerns regarding the cybersecurity of cloud architectures and cloud adoption.
At the same time, particularly in today’s economic environment, it is becoming increasingly difficult for information technology professionals to deny the cost advantages and avoid completely the use of cloud architectures and infrastructures. Gaining these benefits means that we must understand these security concerns, and we must address them.
For those IT professionals and organization leaders responsible for the security of vital and sensitive information, cloud cybersecurity is an important challenge, serious enough that nearly one third of the survey’s respondents indicated that their organization had not employed any cloud architecture whatsoever, despite the powerful lure of cloud’s economic model. Respondents cited a number of concerns, including worries about data protection, issues related to the enforcement of security policy, and fears about data loss.
Data protection is a particularly important concern. Even data that’s publicly available should be protected if it’s used by companies, individuals, and governments to make daily and, in the case of “big data,” strategic decisions. Imagine the damage if that information suddenly became unreliable. Organizations need to ensure that their cybersecurity policies and protections cover information assurance – particularly as they seek to
unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy, and national security. The survey shows we still have some way to go to allay these types of cybersecurity concerns.
The challenges cited in this survey are consistent with the larger need to define cloud architectures capable of dealing with the security challenges of embedded, industrial control systems and supervisory control and data acquisition (SCADA) systems that are the bedrock of utilities such as power, water, and transportation, as well as manufacturing. It’s noteworthy that even the Department of Defense Advanced Research Projects Agency (DARPA) has asked for ideas about how to securely extend cloud architectures to embedded systems used in military critical computing.
How can we best address the security concerns of these diverse organizations and help them gain the wide variety of benefits (cost, flexibility, scalability, advanced technology, etc.) offered by cloud? Here are some things to keep in mind:
• First, cloud providers must take a rigorous approach to cloud cybersecurity. Meeting strict security standards, such as those associated with the Federal Information Security Management Act, or FISMA, will take time and careful work. Providers should commit themselves to a disciplined and well-documented approach to meeting those controls.
• Second, information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers’ approach to meeting those controls. One way to be well informed regarding the controls required is to conduct a risk-based analysis of the value of critical information and systems, as well as the threats that exist to that information and those systems. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it. Remember, too, that while security standards will likely stay consistent, security challenges change frequently. Look for a cloud provider, therefore, that keeps up to speed regarding these challenges and has the means in place to adapt and address them.
• And, finally, have a long-term strategy that encompasses using the cloud incrementally. While the use of cloud for applications associated traditionally with the desktop is a good starting point, eventually organizations should look to cloud less as a way of saving money and more as a way of unlocking value. Consider things like what cloud can do – over time – to make it easier to aggregate, analyze, and exploit big data. Think about how cloud can enable enterprise integration of global supply chains. In other words, think of cloud in combination with other emerging needs and opportunities. While the protection of IP is today’s biggest concern, don’t overlook your organization’s other potential uses of cloud and the need to protect those uses.
The ISMG survey shows that information technology providers want to claim the cloud’s benefits, but they are aware of the cybersecurity challenges that must be met to meet those benefits, even in the private cloud context. Organizations should couple this awareness with strategies that are carefully considered and with the selection of cloud and cybersecurity partners who will share and support an enterprise’s strategy.
Sam Visner
Survey Results
Fundamental Concerns
Organizations must weigh the benefits against the risks when determining whether to implement a cloud computing solution.
Under Deployment
What are the top 5 factors mulled when deciding to develop/deploy a cloud solution?
Security 27%; Cost 24%; Ability to share data 12%; Resources 9%; Need computing resources quickly 8%
When exploring a cloud initiative, security is the No. 1 concern. If the data or system can’t be secured, then why do it? It’s a logical question, and one that must be addressed before organizations employ a cloud solution.
All organizations are under considerable pressure to rein in costs, so seeking a solution that could save money is being pushed by the bosses of those responsible for securing IT. Resources are costly. Getting additional IT resources on the cheap is an objective everyone seeks. But it’s also a matter of time. Often, computing resources are needed now, and getting them quickly is a significant reason to turn to a cloud provider.
Second Thoughts
What is your greatest reservation about secure cloud computing?
Data protection 22%; Enforcing security policies 14%; Data loss 9%; Audit trail 8%; Meeting regulatory requirements 7%
The survey confirms that data protection is the No. 1 reservation about cloud computing. That’s understandable in an era where data are vital assets for many organizations. As IT security lawyer Françoise Gilbert points out, if a cloud provider loses an organization’s data, compensation would likely be based on the amount the client paid for the service, not the value of the information to the enterprise. “What you’re going to get back is very small … it’s dollars, tens of dollars, but it’s not millions of dollars,” she says. “You get what you pay for. You pay a small amount to hold your data, but in exchange you have to be aware of the risk. … Be prepared to be a victim.” The other survey responses here reflect a major problem with having someone else house your data – knowing how it’s being protected. How to enforce security policies and/or meet regulators’ requirements just adds more complexity to the use of cloud services. There are ways to address these concerns, but they often involve time, money and a good lawyer.
No Shows
What data are too risky to put on a private cloud?
Credit card 54%; Intellectual property/trade secrets 51%; Financial 49%; Health 49%; State/government secrets 46%; Proprietary/sensitive 45%; Personally identifiable 45%
This question focuses on the private cloud, an offering that’s perceived as being more secure than public, community and hybrid clouds. Even with extra security, either a majority or a sizeable plurality of our respondents feel it is too risky to put some very common data on a private cloud. This attitude must change if the cloud is to become a critical platform for IT.
Another reason organizations have shown a reluctance to adopt the cloud at a faster pace is the lack of expertise and knowledge about the technology on their own staffs. About three-quarters of the respondents say their technical staffs lack the know-how to deploy cloud solutions. Only 1 in 20 respondents feel their staffs are totally versed on the cloud.
Missing Links
What types of knowledge or expertise are most lacking in your organization regarding secure cloud computing? (top five answers shown)
Security 28%; Technology/Implementation 17%; Compliance 14%; Legal 10%; Standards 10%
What knowledge is most absent? Security, technology and implementation, compliance, legal and standards, respondents replied. This list of varying skills illustrates why the cloud needs buy-in, not just from the technical staff, but from various parts of the enterprise. It also shows how complex proper execution of a cloud initiative is.
2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud
Join a distinguished panel of cloud computing experts for the first look at the findings of this perceptive study and how organizations can improve the security of their cloud computing initiatives, including:
• Understanding risks cloud computing presents;
• Mitigating these risks;
• Steps to take to employ cloud computing securely and effectively.
The Bottom Line
Cloud computing investments remain a very small percentage of most organizations’ IT budgets. Our survey shows that just over 40 percent of respondents’ organizations allotted 10 percent or less of their IT budgets to public, community and hybrid clouds, with just over one-third earmarking money for private clouds. Nearly 40 percent of respondents say their organizations didn’t allocate any money for public/community/hybrid clouds; less than a quarter didn’t apportion any funds for the private cloud. Still, cloud computing is perceived to lower costs and provide other benefits to the organization.
Wrong Impression
Will cloud computing save your organization money?
Yes 76%; No 24%
It’s not just that the cloud is seen as a money saver; it also lets organizations try out new solutions, or buy storage or processing time when needed, without a hefty upfront investment.
The Upside
Why the cloud? Ask anyone involved in cloud computing, and they’ll say cost is the primary reason to adopt the technology. Indeed, three-quarters of our respondents say cloud computing will save their organizations money.
But there are many other benefits, some that could have a profound impact on how organizations fund IT initiatives.
Advantages
What are the benefits of cloud computing?
Cost savings 23%; Better scalability 16%; Improved flexibility 10%; Switch from CapEx to OpEx 5%; Advanced technology 5%; Compliance 5%; Faster development time 5%
Though only 5 percent of our respondents identified the switch from capital expenditure to operational expenditure as the prime benefit of cloud computing, it’s a factor that will change the way enterprises approach the funding of IT and IT security. The cloud provides organizations with IT without significant upfront costs. And, as some of our respondents note, the cloud gives organizations access to advanced technology, also without a significant initial outlay.
Vetting the Vendor
Checking Out Cloud Providers
What are the primary ways your organization verifies the security your cloud provider offers? (top six answers shown)
Third-party attestation 35%; Conduct own assessment 28%; Joint vulnerability testing with provider 16%; Accept word of provider 7%; We don’t verify 7%; Follow lead of another company similar to yours 5%
IT security managers don’t agree on the best way to verify a cloud provider’s security, but a majority of them agree that some type of formal assessment must be done, whether provided by a third party, done themselves or jointly with the cloud provider.
Getting Outside Help
Does your organization employ a third-party organization to certify or attest the security of the cloud provider?
Yes 34%; No 66%
Trusting a cloud provider is crucial.
In its guidance, the National Institute of Standards and Technology observes that a lack of visibility of the cloud makes it difficult for users to be confident that providers are in compliance with regulations unless the provider obtains an independent audit from a trusted third party. Even here, the frequency of third-party audits may limit the overall assurance offered, since a cloud system could quietly drift out of compliance.
Due Diligence
Who Does the Vetting in Government? (Asked of government respondents only)
Third-party provider 57%; Own agency 22%; Another agency 20%
In the U.S. federal government, a new initiative called FedRAMP – it stands for the Federal Risk and Authorization Management Program – provides for a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The idea is that if one agency vets a cloud provider, other agencies can use that evaluation for their own provider assessment, saving time and money.
Under FedRAMP, third-party assessment organizations perform initial and periodic assessments of cloud provider systems, provide evidence of compliance and play a continuing role in ensuring cloud providers meet requirements.
The federal government won’t allow agencies to employ a cloud service unless it passes an audit by a third-party assessor to validate and verify it meets FedRAMP requirements.
Trustworthiness
Would external certification of a cloud provider increase trust in cloud computing?
It all comes down to trust. External certification of a cloud provider is seen as crucial by more than 85 percent of our respondents. Yet, for about half of the IT security practitioners we surveyed, external certification works only if the certification data can be reviewed and validated, that the certifying body can show it’s accredited and/or if the certificate is based on an agreed standard.
Response options, in the order charted: Yes, but only if certification data can be reviewed and verified; Yes, but only if this certificate is based upon an agreed standard; Yes, but only if the certifying body can show accreditation; No; Yes, in any case. Values as extracted: 38%, 25%, 16%, 13%; the fifth value is missing from the source.
Scrutinizing the Cloud Provider
A Look at How the City of Seattle and Jet Propulsion Laboratory Vet Their Cloud Providers
In a roundtable discussion on the Cloud Computing Security Survey, Seattle Deputy Chief Information Security Officer David Matthews and NASA’s Jet Propulsion Laboratory Chief Technology Officer/IT Tomas Soderstrom address how their organizations go about vetting their cloud computing providers. What follows is an edited version of that conversation.
DAVID MATTHEWS:
We have a series of questions that we go through in a procurement process. We ask cloud providers to either provide us with a third-party certification and/or allow us to do our own assessment of their site. We ask them about what their uptime promises are; we ask for warranties on their uptime. We ask for information on their records management and recovery issues and business continuity and disaster recovery. We also use a lot of community connections, too. We talk to other local and state and even federal government partners to try to find out what they’re doing and improve their findings if they’ve got big solutions that are working. We [also get information from] other states through the MS-ISAC (Multi-State Information Sharing and Analysis Center). We are very much a community-oriented group. In the Pacific Northwest here, we look at who’s finding good solutions, who’s finding people that they feel like they can trust and that are doing a good job. We do that as well as ask the technical sort of questions and the contract questions.
TOMAS SODERSTROM:
We vet ourselves first. We don’t put everything in one cloud because different clouds are good at different things. If we, for instance, picked one cloud and it was a super, super secure cloud, then we’d be paying too much for security, for content that didn’t really need to be secured, whereas if we did the other one, we’d picked some cloud vendor that’s wide open, then we couldn’t put secure content in it. The key is to put the appropriate computing and the appropriate storage in the appropriate cloud.
We ask a lot of questions from our end users. In fact, we coded it so that when they select a cloud vendor, it does it automatically based on the answers to those questions. It picks it from a short list of cloud vendors. So far we have data in 10 different clouds, and we let the users dictate which one is the stronger.
This is fairly new; we created a Cloud Computing Commodity Board. The board consists of people from IT security, the IT department, legal, procurement, acquisition department, billing and invoicing and a lot from the missions – the people who actually use the clouds. They vet it. We have some mandatory questions, and then some would-be-nice-to-have questions. That’s how we get the cloud providers into the JPL marketplace to be picked from the subservice software. By doing that, we can have them come on or off the short list without having to issue an RFP (request for proposal) each and every time. We can put the appropriate content in the appropriate place.
The appropriateness really comes down to cost. If we have two choices for every function, then we make sure we don’t get locked into any one vendor and that we pay the least we can possibly do. We also spend a lot of time talking to other entities in the federal government and outside to find out what cloud vendors are doing.
Service-level agreements are not a really big thing for us because we collect science data. If we lost that science data from space and we get a few cents back for compute hours, that would not be meaningful. Instead, we look at three strikes and that cloud vendor is out and we’ll go somewhere else. We think in terms of service-level understanding because the compute costs are really quite low compared to other normal ways of doing it.
Perhaps most importantly, we talk to the cloud vendors themselves and set up a lot of face-to-face discussions. That’s usually through video conference so that our legal people can talk to their legal people, our IT security people can talk to their IT security people and understand how, if we need to do a forensics investigation, how we would do that. We showed them how we get audited and different audits for different types of data and said, “How would you help us pass this audit?”
Confronting Risk
As you examine the next three graphs, you’ll come away with the impression that many organizations are relatively immature in regards to cloud computing deployment.
The response to the security question of whether internal audits provide appropriate feedback to improve cloud security suggests that internal audits have yet to provide suitable insights into cloud computing.
Audit Lessons
Do internal audit reviews provide appropriate feedback to improve cloud security?
Yes 50%; No 50%
For many organizations, cloud use is nascent, and not many security audits have been conducted. In addition, auditors in some organizations need to get educated about cloud security in order to provide valuable insight. Look for the “yes” response to grow in the coming years.
It’s More than Process
Does your organization have adequate policies/procedures to enable safe and secure cloud use?
Yes 41%; No 59%
The fact that a majority of our respondents say their organizations don’t have adequate policies and procedures to enable safe and secure cloud use suggests a lack of sophistication in many organizations’ cloud initiatives. As organizations rely more on the cloud for applications and as a platform, look for more enterprises to develop processes for how they should address secure cloud computing.
Prioritizing Security
How much of a priority is security when evaluating a cloud provider?
High priority 79%; Neither high nor low priority 11%; No/low priority 10%
Cost may be the principal driver for organizations to adopt cloud computing, but until it’s deemed secure, most organizations will approach the cloud with extreme caution.
Location, Location, Location
How important is the physical location of cloud servers?
Specifically, we asked how important is it that your cloud provider’s servers be situated in the country where your organization is based.
We all know that data can be moved around the globe at lightning speed. Data on the cloud can be stored anywhere. That doesn’t sit well with most of our respondents. Not knowing where critical assets are stored can be nerve racking. And, there could be legal reasons, too. Each country has its own laws defining who can have access to data, and having data scattered around the world can give an IT manager a headache.
Encryption, Of Course
Does your cloud provider use encryption to protect data?
Encryption, these days, is one of the fundamental ways organizations safeguard their data, whether on laptops, mobile devices, servers and, of course, on the cloud. Employing a cloud provider that offers encryption is a must for the large number of IT security practitioners.
To Encrypt or Not to Encrypt?
What unencrypted data would your organization put on a cloud provider’s server? (Multiple answers allowed)
Nearly half of our respondents can’t conceive of putting any data on the cloud without the information being encrypted.
Organizations must make sure that their legal contracts with cloud providers assure encryption when appropriate. “The best way to mitigate those risks is to really understand who’s got what responsibility and what it’s going to cost us to have the right kind of security in place,” says Seattle Deputy CISO David Matthews, “and what kind of data actually belongs in the cloud, what kind of encryption processes we’re going to use. The best way to avoid nervousness is really have a good contract up front so everybody knows where everybody else stands.”
[Chart: How important is the physical location of cloud servers? Important 54%; Unimportant 12%]
[Chart: Does your cloud provider use encryption to protect data? Yes 78%; No 22%]
[Chart: What unencrypted data would your organization put on a cloud provider’s server? None 43%; Non-regulated 33%; Regulated 14%; Employee 12%; Proprietary 11%]
Taking Responsibility
Shared Responsibilities
Who should manage encryption keys?
A majority of our respondents understand that regardless of the provider they choose, ultimately they’re accountable – whether by themselves or jointly with the provider – to assure their data are encrypted on the cloud.
Getting over the Bump
Would you move critical systems to the cloud?
The takeaway from this question is that if not now, a majority of organizations either have or will move critical systems to the cloud soon. That bodes well for the future of cloud computing. It suggests a can-do attitude among organizations that they will find a way to employ the cloud for all types of applications and systems.
6 Principles for Effective Cloud Computing
ISACA Guide Aims to Minimize Cloud Computing Risks
ISACA, the professional association focused on IT governance, counsels that organizations adopting cloud computing should adhere to six principles. Doing so will help enterprises avoid the perils of transferring IT decision-making away from technology specialists to business unit leaders. Here are ISACA’s definitions of the six principles:
• Enablement: Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform.
• Cost/benefit: Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions.
• Enterprise risk: Take an enterprise risk management perspective to manage the adoption and use of cloud.
• Capability: Integrate the full extent of capabilities that cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution.
• Accountability: Manage accountabilities by clearly defining internal and provider responsibilities.
• Trust: Make trust an essential part of cloud solutions, building trust into all business processes that depend on cloud computing.
Ramsés Gallego, the Quest Software security strategist who serves on ISACA’s Guidance and Practices Committee, characterizes cloud computing as a game changer, especially for the small and midsize enterprise.
“Its availability means that technology infrastructure is not the market differentiator it has been in the past,” Gallego says. “These principles will enable enterprises to experience the value that cloud can provide and help ensure that internal and external users can trust cloud solutions.” Trust is key because many people, including IT security experts, lack confidence in the cloud as a platform that assures security and privacy.
“The cloud’s availability means the technology infrastructure is not the market differentiator it has been in the past.”
– RAMSÉS GALLEGO
[Chart: Would you move critical systems to the cloud? No, we don’t have plans to do so 34%; Perhaps, but not within 12 months 29%; Yes, we plan to move one or more of our business critical systems to the cloud in the coming months 19%; Yes, one or more of our business critical systems are in the cloud 18%]
[Chart: Who should manage encryption keys? User Organization 47%; Both 34%; Don’t know 12%; Cloud Provider 7%]
Allaying Concerns
What controls do you implement to mitigate risks?
(multiple answers allowed)
Other controls respondents cite include increased contract management, onsite inspection, adjusted incident management, third-party testing, financial penalties and increased liability for providers.
Among the steps organizations already are taking to secure cloud data are tried-and-true IT security tools and processes, including encryption, strong identity and access management controls and more audits.
The Guardians
Who’s responsible for ensuring security of cloud resources?
In the end, it’s the user organization’s responsibility to ensure the security of its cloud implementations.
Tomas Soderstrom, chief technology officer/IT at NASA’s Jet Propulsion Laboratory, sees the end-user organization as ultimately responsible for securing their organization’s IT. But, he points out, an end-user organization consists of many different entities – IT, information security, business units, operations and so on – thus, they must collaborate. “The real enabler here becomes the IT security people,” Soderstrom says. “They need to become consultants to show the business how to secure the data and be able to put it securely in the cloud. Because if they don’t, all of a sudden there could be a security breach, and it could shut down the whole organization’s use of the cloud.”
A slim majority of respondents say it’s their organization, not the provider, who’s responsible for ensuring the security of cloud resources. It’s your data and systems, and it wouldn’t be wise to outsource the responsibility for IT security to someone else, even if they are the ones who are hosting your IT assets. The fact that more of our respondents feel the IT or IT security organization rather than the business or data owners should assume that responsibility reflects the fact that there isn’t just one business-side organization employing the cloud in most enterprises, and that it’s not unusual for enterprises to employ more than one cloud provider. Someone must be in charge.
[Chart: What controls do you implement to mitigate risks? Encryption techniques 60%; Stronger ID/access management controls 43%; Increased due diligence of provider 42%; More auditing of cloud-service provision 37%]
[Chart: Who’s responsible for ensuring security of cloud resources? Cloud Provider 48%; IT or IT security organization 38%; Business side/data owner (percentage not legible in the extracted page)]
Ultimate Responsibility
Accountability for securing data doesn’t change because of a move into the cloud.
“You could put in a cloud the secret to the atomic bomb and the cloud provider wouldn’t know because that’s not their business.”
– FRANÇOISE GILBERT
ISMG: What are the responsibilities of the end-user organization, regardless of the contract, to make sure that its data is secure?
DAVID MATTHEWS: The responsibility that you have for securing your data doesn’t change because you move into a cloud environment; they’re exactly the same. You have to treat it that way from the very beginning. You have to look at everything that you could do to classify your information, protect your information, to be able to have access to your information. You have to find a way to do those exact same things and move into the cloud through contract or through the vetting processes. The legal issues have to be well understood as well. So they really don’t change. One of the things that people thought [was], “Maybe we could get out from under some of this risk if we move things to the cloud.” We just have to assume that we’ve got, if anything, maybe more risk, or a different kind anyway.
FRANÇOISE GILBERT: I would agree with that. It’s your data, and you’re responsible for it and it’s irrelevant what you do with it. Whether you put it in the cloud or in the trunk of your car, it’s your responsibility. It may be even more responsibility than before because there are situations where the cloud provider does not have a clue about the data that you have. You could put in a cloud the secret to the atomic bomb and the cloud provider wouldn’t know because that’s not their business. Their business is to provide you with, if you want, a big safe deposit box where you put your information. What you put in that safe deposit box they don’t know. If you have very important information, it’s your responsibility to make the decision whether or not you put it there, how you protect it and what kind of security measures you can use to protect that information because the cloud provider would not know the nature of the information.
David Matthews is deputy chief information officer for the City of Seattle. Françoise Gilbert, a lawyer specializing in IT security and privacy, is a founder and managing director of the IT Law Group.
The Agenda
Top officials at businesses, not-for-profits and governments around the world are pressuring their IT and IT security organizations to adopt cloud computing because of the potential savings it offers.
Technologists know of the security challenges that make widespread adoption of cloud services difficult, but in many instances, employing this new technology is doable; the vulnerabilities can be addressed.
Understanding the current state of cloud computing – whether at your organization or those of others – will help you address the evolving challenges of secure cloud computing.
But these challenges can’t be mitigated until enterprises – including internal business operations as well as IT and IT security organizations – figure out what they have and how to improve on it. Cloud will evolve into something much different in the coming years.
Fundamental Concerns
Clues to how organizations will use cloud computing securely in the coming months and years can be found in the research. Cutting costs is a major reason why organizations migrate to the cloud, but other factors are likely to surface, including the need to quickly obtain additional computer resources. This will require processes to assure that the adoption of cloud computing can be done efficiently and securely.
In the end, implementing cloud computing effectively requires protecting information and preventing its loss. Traditional means to safeguard data – such as encryption – work in the cloud environment as well, and should not be ignored.
The Bottom Line
Cloud computing provides organizations with a lot of flexibility in how they fund and deploy information technology securely. The cloud allows organizations to introduce new technologies with far lower upfront costs, as they switch from capital expenditures to operational expenditures. This will allow organizations to be more flexible not only with limited financial resources, but also in introducing new applications and products. The cloud also gives organizations entry to advanced technologies without considerable initial costs.
Vetting the Vendor
Most organizations cannot move to the cloud alone. They need a third-party vendor to help them scrutinize the reliability of cloud providers.
Trust is a fundamental trait of information risk and IT security, and that’s amplified in the cloud. And as the vast majority of our respondents say, external certification of cloud providers builds trust in them.
Before you get a third-party to vet your cloud providers, make sure you can trust the organization you retain to conduct the evaluation. Look to the federal government’s FedRAMP program, which certifies third-party evaluators, for pre-approved vetters.
Also, conduct your own due diligence of third-party certifiers and the cloud providers. The data you protect belong to you; ultimately, it’s your responsibility, as well as your legal obligation, to assure the security of information and systems.
Confronting Risk
The anxiety many IT security pros express about adopting cloud services is understandable. But you don’t need Valium to calm those nerves, just best practices.
And among the best practices to employ is the encryption of crucial data to be housed on the cloud. Other steps to take to mitigate risk include employing stronger identity and access management controls, auditing the cloud provider and conducting onsite inspections.
In some respects, cloud computing isn’t new. Organizations have been outsourcing computing services for decades. So use proven IT security tools and processes to assure the security of your cloud ventures.
Ultimate Responsibility
Take responsibility. It’s your data, your systems that are at stake, and in the end, the buck stops with you.
Ultimately, as an IT security professional, security is your responsibility. But that doesn’t mean you should do it alone. Partner with your organization’s IT and business organizations as well as the cloud provider.
The cloud offers many benefits, and as you become more comfortable with its security, be the evangelist in your organization for the technology. Though cloud computing is not a panacea, at least not yet, enterprise computing is heading to the cloud. Implemented properly and securely, cloud computing will add value to your organization’s growing need for safe computing.
Action Items
1. Create a Team
Organize stakeholders within and outside your organization to address the security concerns of cloud computing. No single individual or group owns cloud computing, but the IT and IT security organizations are best situated for getting all participants together.
2. Employ What You Know
In many respects, cloud computing isn’t new; it’s just another version of outsourcing that organizations have employed for decades. The same tools and processes you used to secure your systems in the past can be employed to protect your digital assets in the cloud: encryption, stronger identity and access management controls, audits and onsite inspections.
3. Network
Talk to other organizations in your field as well as industry groups, such as information sharing and analysis centers, to determine how they approach secure cloud computing.
4. Perform Due Diligence
Whether you use a third party, piggyback on other trusted organizations, such as the U.S. federal government’s FedRAMP initiative, do it yourself or a combination of all three, it’s essential that you vet the security your cloud provider furnishes. Ultimately, it’s your responsibility to protect your information and systems.
5. Just Do It
Pilot cloud initiatives that contain non-sensitive information. In doing so, you’ll learn ways to secure data that will prove useful when you seek to safeguard sensitive data in the cloud. You’ll also learn to deal with cloud computing vendors.
Learn more about the key issues driving secure cloud computing
InfoRiskToday features extensive coverage of cloud security. Here’s a sampling:
NIST Issues Long-Awaited Cloud Guidance
NIST has published its long-awaited cloud computing guidance, Special Publication 800-146: Cloud Computing Synopsis and Recommendations, which addresses risk management and other security matters.
http://www.inforisktoday.com/nist-issues-long-awaited-cloud-guidance-a-4810
Tips for Contracting Cloud Services
Cloud services contracts often provide little to no wiggle room for organizations. In planning to use cloud computing services, what steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.
http://www.inforisktoday.com/tips-for-contracting-cloud-services-a-4797
Linking the Cloud to Continuous Monitoring
NIST information risk management evangelist Ron Ross sees continuous monitoring playing a vital role in securing cloud computing.
http://www.inforisktoday.com/linking-cloud-to-continuous-monitoring-a-4520
FedRAMP Security Controls Unveiled
The federal government has issued some 170 controls for FedRAMP, the program designed to vet cloud computing providers for federal government agencies.
http://www.inforisktoday.com/fedramp-security-controls-unveiled-a-4391
5 Essential Characteristics of Cloud Computing
To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they’re getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.
http://www.inforisktoday.com/5-essential-characteristics-cloud-computing-a-4189
10 Realms of Cloud Security Services
Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.
http://www.inforisktoday.com/10-realms-cloud-security-services-a-4097
Cloud Computing: 5 Topics for the Boss
Here are the top five cloud computing security risks and concerns CISOs must discuss with their managers.
http://www.inforisktoday.com/cloud-computing-5-topics-for-boss-a-3554
Cryptography in the Cloud
There’s no better way to secure critical data than through cryptography, especially when that data is stored in the cloud, says cryptography expert Ralph Spencer Poore.
http://www.inforisktoday.com/cryptography-in-cloud-a-3305