Security of Cloud Computing Users
A Study of Practitioners in the US & Europe
Ponemon Institute© Research Report
Sponsored by CA
Independently conducted by Ponemon Institute LLC
Prepared by Dr. Larry Ponemon, 12 May 2010
I. Executive Summary
CA and Ponemon Institute are pleased to present the results of the Security of Cloud Computing Users study. This paper is the first of a two-part series on the security of cloud applications, infrastructure and platforms. The second study, which focuses on cloud computing providers located in the United States and Europe, will be released in the coming months.
Cloud computing is being heralded as an important trend in information technology throughout the world. Benefits for business and IT include reducing costs and increasing productivity. The downside is that many organizations are moving swiftly to the cloud without making sure that the information they put in the cloud is secure.
The purpose of the study is to learn from IT and IT security practitioners in the US and Europe the current state of cloud computing security in their organizations and the most significant changes anticipated by respondents as computing resources migrate from on-premise to the cloud. As organizations grapple with how to create a secure cloud computing environment, we believe the findings from this study can provide guidance on how to address business and technology risks exacerbated by cloud computing. Specifically, in this study cloud computing users evaluate security technologies and control practices they believe are best deployed either on-premise or in the cloud. We also asked cloud computing users to rate the types of sensitive or confidential information too risky to be moved to the cloud.
Cloud computing has been defined as the use of a collection of distributed services, applications, information and infrastructure comprised of pools of computer, network, information and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned using an on-demand utility-like model of allocation and consumption.1 Cloud service delivery models are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
We surveyed 642 and 283 IT practitioners (a.k.a. cloud computing users) located in the US and Europe, respectively. We queried these individuals about the following topics:
- The perceptions about the security of cloud computing within organizations.
- How organizations in our study are using SaaS, PaaS and IaaS and how important these resources are to achieving corporate data processing objectives.
- The reasons for using cloud computing resources.
- Who is responsible for ensuring a secure cloud computing environment.
- How the security posture of cloud computing compares to on-premise.
- The security technologies that respondents see as most important to securing the cloud.
- What respondents see as their organization’s primary cloud computing security risks.
- Types of sensitive or confidential information too risky to be moved to the cloud.
- Most significant changes anticipated as computing resources migrate from on-premise to the cloud.
- How effective organizations are in achieving a secure IT environment for data, applications and infrastructure managed on-premise versus obtained from cloud service providers.
- What enabling security technologies should continue to be deployed on-premise and what technologies should be deployed as a service from the cloud.
- What system control activities are necessary for organizations to secure information assets and the IT infrastructure.
- What security risks are most salient to organizations as they quickly migrate from on-premise to cloud computing resources.
- How organizations deal with “critical areas of focus” for organizations deploying cloud computing resources as identified by the Cloud Security Alliance (CSA).2
1 See Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Computing Architectural
Following is a summary of the most salient findings from our study of cloud computing users. We expand upon each one of these findings in the next section of the paper.
- IT practitioners (respondents) lack confidence in their organizations’ ability to secure data and applications deployed in cloud computing environments (especially public clouds).
- Organizations in the US are more likely than those in Europe to deploy business-critical applications, IT platforms and IT infrastructure services in the cloud.
- IT practitioners in both the US and Europe hold similar views on the reasons for using cloud computing resources as well as on the plethora of security issues caused by rapid migration from on-premise to cloud computing environments.
- IT practitioners in both the US and Europe admit they do not have complete knowledge of all the cloud computing resources deployed within their organizations today. This occurs because cloud computing deployment decisions are often made by end-users without conducting a thorough review for security.
- Because cloud computing deployment decisions are decentralized (especially SaaS), respondents see end-users (or business management) as more responsible for ensuring a safe cloud computing environment than corporate IT.
- IT practitioners in both the US and Europe rate the security posture of on-premise computing resources as substantially higher than comparable computing resources in the cloud.
- IT practitioners believe the security risks most difficult to curtail in the cloud computing environment include securing the physical location of data assets and restricting privileged user access to sensitive data.
- IT practitioners believe the critical areas of focus as their organizations migrate from on-premise to cloud computing environments concern access governance, identity and access management, business continuity and disaster recovery planning, and e-discovery.
II. Key Findings
This section provides the most important findings. Whenever feasible, we provide a simple graphic to illustrate the result. A tabular presentation may be provided as an alternative illustration when the result is too complex to graph.
1. Attributions about cloud computing security
Table 1 reports five attributions concerning respondents’ views about the security of cloud computing within their organizations. Please note respondents were given a five-point scale ranging from strongly agree to strongly disagree to rate each statement. The percentages shown in Table 1 are the combined strongly agree and agree responses (a.k.a. favorable view).
Table 1
Attributions about cloud computing security (strongly agree and agree combined)
| Attribution | US | Europe | Combined |
| My organization assesses the impact cloud computing has on the ability to protect and secure confidential or sensitive information. | 44% | 56% | 50% |
| My organization does not use cloud computing applications that are not thoroughly vetted for security risks. | 41% | 60% | 51% |
| My organization is vigilant in conducting audits or assessments of cloud computing resources before deployment. | 36% | 57% | 47% |
| My organization is proactive in assessing information that is too sensitive to be stored in the cloud. | 38% | 64% | 51% |
| My organization’s security leaders are most responsible for securing our organization’s safe use of cloud computing resources. | 27% | 38% | 32% |
Bar Chart 1 provides a graphical representation of the favorable views for respondents in the US and Europe. Results clearly show respondents in Europe hold more favorable perceptions about the state of cloud computing security than their US counterparts. Several of the percentages are below 50 percent (the scale midpoint), suggesting that many respondents hold unfavorable views about cloud computing security in their organizations.
Bar Chart 1
Five attributions about cloud computing security (favorable views, US versus Europe)
[Chart; the US and European percentages plotted are those shown in Table 1.]
From Bar Chart 1, only 27 percent of US respondents and 38 percent of European respondents believe their organization’s security leaders are most responsible for ensuring safety in cloud computing environments. Thirty-eight percent of US respondents say their organizations are proactive in assessing information too sensitive to be stored in the cloud; in contrast, 64 percent of European respondents hold this favorable impression.
Only 36 percent of US respondents believe their organizations are vigilant in conducting audits or assessments of cloud computing resources before deployment. Fifty-seven percent of European respondents hold this favorable perception. While not shown in the above chart, 55 percent of US respondents and 44 percent of European respondents are not confident that they know all cloud computing applications, platforms or infrastructure services in use today. This finding suggests the consumerization of IT creates a void in the organization’s ability to evaluate cloud computing security.
2. Cloud computing experience
This section compares US and European experience deploying SaaS, PaaS and IaaS cloud computing resources. Bar Chart 2 shows that US organizations have a higher usage rate for software, platform and infrastructure services than organizations in Europe.
Bar Chart 2
Use rates for SaaS, IaaS and PaaS cloud computing resources
[Chart. US: PaaS 35%, IaaS 53%, SaaS 67%. Europe: PaaS 33%, IaaS 46%, SaaS 62%.]
As shown in Bar Chart 3, respondents’ organizations in the US and Europe use cloud computing resources to accomplish business-critical IT or data processing activities.
Bar Chart 3
Percentage of business-critical applications or services from the cloud
[Chart. US: PaaS 13%, IaaS 14%, SaaS 22%. Europe: PaaS 9%, IaaS 11%, SaaS 16%.]
As noted in both Bar Charts 2 and 3, SaaS resources are the most frequently used cloud computing resources for respondents in the US and Europe. According to respondents, the dependency on cloud computing resources to meet business-critical needs is expected to increase significantly over the next two years in the US and Europe.
A majority of respondents believe the responsibility for security rests within their organizations. However, as shown in Bar Chart 4, there is a percentage of respondents who say the cloud computing vendor is “most responsible” for ensuring security. This perceived responsibility of cloud providers varies considerably with SaaS at the highest percentage and PaaS at the lowest percentage.
Bar Chart 4
The cloud computing provider is most responsible for ensuring security
Combined US and Europe results
[Chart. PaaS 21%, IaaS 34%, SaaS 42%.]
As noted in Bar Chart 5, about half of all respondents acknowledge that SaaS, IaaS and PaaS resources are not evaluated for security prior to deployment within their organizations.
Bar Chart 5
Are cloud computing resources evaluated for security prior to deployment?
Percentage Yes response
[Chart; US, European and combined series for PaaS, IaaS and SaaS. Yes responses range from 45% to 66%.]
3. Reasons for using cloud computing resources
Respondents in the US and Europe generally agree on the reasons why their organizations are deploying cloud computing resources. For respondents in the US, the top four reasons are: 78 percent to reduce cost, 56 percent to achieve faster deployment time, 50 percent to increase efficiency, and 45 percent to increase flexibility and choice.
For respondents in Europe, the top four reasons are: 67 percent to reduce cost, 62 percent to increase efficiency, 58 percent to achieve faster deployment time, and 31 percent to increase flexibility and choice. Bar Chart 6 provides the combined US and European results. As shown, only 14 percent believe that cloud computing will actually improve security.
Bar Chart 6
Reasons for migrating corporate IT to the cloud computing environment
Combined US and Europe results
[Chart. Reduce cost 73%; faster deployment time 57%; increase efficiency 56%; increase flexibility and choice 38%; improve security 14%; improve customer service 13%.]
4. Who is responsible for ensuring a secure cloud computing environment
Bar Chart 7 reports how confident respondents are that they know all cloud computing resources deployed within their organizations today; about half are not confident in their level of knowledge.
Bar Chart 7
How confident are you that your organization knows all cloud computing resources in use today?
[Chart. Confident: US 45%, Europe 56%, combined 50%. Not confident: US 55%, Europe 44%, combined 50%.]
The “consumerization of IT” excludes security experts from the evaluation and vetting process, and this in turn causes a lack of confidence among IT practitioners. We believe this is a main reason why respondents see end-users or business unit management (rather than IT security) as most responsible for ensuring a safe and secure cloud computing environment.
Thus, for respondents in the US, the functions believed to be most responsible for ensuring a safe and secure cloud computing environment are: end-users (75 percent), business unit management (69 percent), information security (29 percent), and corporate IT (23 percent). For Europe, the most responsible functions include: end-users (62 percent), business unit management (58 percent), corporate IT (35 percent), and information security (31 percent). Bar Chart 8 provides the combined results for US and Europe, showing that most respondents generally agree end-users, business unit management, and IT (which includes information security) need to take a proactive role in ensuring cloud computing security. In contrast, 25 percent believe no one person has primary responsibility.
Bar Chart 8
Job functions most responsible for ensuring a safe and secure cloud computing environment
Combined US and Europe results
[Chart. End-users 69%; business unit management 64%; information technology* 59%; no one person is responsible 25%; compliance 11%; legal 10%.]
*Please note that the Information technology (IT) category combines corporate IT and information security.
5. The security posture of cloud computing is perceived by US and European respondents as lower than on-premise computing
In this section, we rated the organizations’ security posture using 25 attributes or features of a typical security program or initiative. For respondents in the US, the issues identified as having the most serious impact on their organization’s security posture as a result of cloud computing are, most important first:
- Not knowing where information assets are physically located
- Inability to limit physical access to IT infrastructure
- Inability to enforce security policies
- Inability to identify and properly authenticate users before granting access rights
- Inability to secure sensitive or confidential information at rest
For respondents in Europe, the most important issues affecting their organizations’ security posture as a result of cloud computing are, most important first:
- Inability to limit physical access to IT infrastructure
- Inability to conduct independent audits
- Inability to identify and properly authenticate users before granting access rights
- Inability to enforce security policies
- Inability to prevent data loss or theft
Based on prior research, we utilized a list of 25 features that are known to affect the security posture of private and public sector organizations.3 As shown in Table 2, these 25 security features are used to determine differences between on-premise and cloud computing resources. The percentages within the columns “on-premise” and “in the cloud” are the percentages of respondents who say they are confident or very confident that their organizations can achieve this security feature in that environment.
The difference column is simply on-premise minus in the cloud for each of the 25 attributes (differences are computed from unrounded values and can therefore differ by one point from the rounded columns shown). A positive difference means respondents, on average, have a higher confidence level for on-premise than in the cloud; a negative difference means the opposite. Finally, the 25 differences are ranked from the largest positive difference to the largest negative difference.
Table 2
Attributions that define an effective IT security posture
Confident and very confident responses for US and Europe samples
| Security feature | On-premise | In the cloud | Difference | Rank |
| Limit physical access to IT infrastructure | 84% | 48% | 36% | 1 |
| Know where information assets are physically located | 73% | 48% | 25% | 2 |
| Identify and authenticate users before granting access to information assets or IT infrastructure | 59% | 37% | 22% | 3 |
| Conduct independent audits | 65% | 43% | 22% | 4 |
| Enforce security policies | 73% | 53% | 20% | 5 |
| Secure sensitive or confidential information at rest | 50% | 33% | 17% | 6 |
| Prevent or curtail system-level connections from insecure endpoints | 62% | 49% | 14% | 7 |
| Prevent or curtail data loss or theft | 64% | 50% | 13% | 8 |
| Ensure security program is adequately managed | 64% | 52% | 12% | 9 |
| Prevent or curtail external attacks | 45% | 36% | 9% | 10 |
| Ensure security governance processes are effective | 76% | 68% | 8% | 11 |
| Secure vendor relationships before sharing information assets | 43% | 36% | 7% | 12 |
| Encrypt sensitive or confidential information assets whenever feasible | 48% | 43% | 6% | 13 |
| Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others | 69% | 63% | 5% | 14 |
| Comply with all legal requirements | 77% | 72% | 5% | 15 |
| Prevent or curtail viruses and malware infection | 85% | 79% | 5% | 16 |
| Perform patches to software promptly | 56% | 51% | 5% | 17 |
| Monitor network/traffic intelligence | 69% | 64% | 5% | 18 |
| Conduct training and awareness for all system users | 64% | 60% | 3% | 19 |
| Secure sensitive or confidential information in motion | 70% | 66% | 3% | 20 |
| Control all live data used in development and testing | 52% | 49% | 3% | 21 |
| Secure endpoints to the network | 62% | 59% | 3% | 22 |
| Access to highly qualified IT security personnel | 83% | 81% | 2% | 23 |
| Determine the root cause of cyber attacks | 47% | 51% | -4% | 24 |
| Prevent or curtail system downtime and business interruption | 60% | 66% | -6% | 25 |
| Average | 64% | 54% | 10% | |
3 These 25 attributes have been developed by PGP Corporation and Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. These features have been validated from more than 20 independent studies conducted since June 2005. For more information,
As noted in Table 2, only two attributes – namely, determining the root cause of cyber attacks and preventing or curtailing system downtime – enjoy higher confidence ratings in the cloud than on-premise. The fact that 23 out of 25 attributes yield positive differences suggests respondents view the on-premise computing environment as more secure than the cloud.
Bar Chart 9 summarizes our analysis by providing a comparison of the average confidence level response for all 25 attributes for US and European respondents. As shown, both US and European respondents express a higher level of confidence for on-premise versus cloud.
Bar Chart 9
Overall security posture differences between on-premise and cloud computing environments
Percentage reflects the average confidence level across all 25 security features listed in Table 2
[Chart, US and European series. On-premise average: 63% in both samples. In the cloud: 52% and 56% for the two samples.]
Bar Chart 10 provides a summary of the five security features yielding the most significant differences between on-premise and cloud computing environments.
Bar Chart 10
Security features with the most significant differences between on-premise and cloud computing
Combined US and Europe results
[Chart, on-premise versus in the cloud: limit physical access to IT infrastructure 84% vs 48%; know where information assets are physically located 73% vs 48%; enforce security policies 73% vs 53%; conduct independent audits 65% vs 43%; identify and authenticate users before granting access to information assets or IT infrastructure 59% vs 37%. These are the first five rows of Table 2.]
6. Security technologies respondents see as most important for securing the cloud
Respondents were asked to rate 25 enabling security technologies in terms of whether a particular solution is important to achieving security in the cloud computing environment. As Bar Chart 11 shows, respondents rate network intelligence systems and virtual private networks as their top choices, followed by log management, identity federation, encryption for data at rest, and user management and provisioning.
Bar Chart 11
Technologies believed to be most important in securing the cloud computing environment
Important & very important response for US and Europe combined
[Chart. Network intelligence systems 64%; virtual private network (VPN) 64%; log management 62%; identity federation 51%; encryption for data at rest 45%; user management and provisioning 45%.]
Bar Chart 12 provides a summary of the technologies that respondents see as least important to securing cloud computing resources. Here we see database scanning, wireless encryption, endpoint solutions, access governance systems, encryption for data in motion and whitelisting as more appropriately being deployed on-premise.
Bar Chart 12
Technologies best deployed on-premise
US and Europe results combined
[Chart. Whitelisting solutions 20%; encryption for data in motion 13%; access governance systems 12%; endpoint solutions 9%; encryption for wireless communication 8%; database scanning and monitoring 7%.]
Similar to the above analysis for enabling technologies, we examined the control procedures that respondents believe can be deployed by cloud providers as a service. For respondents in the US, the top five security control activities that should be deployed from the cloud are (in ascending order of importance): certifications such as PCI DSS, ISO, and NIST; training of data handlers; surveillance of data center operations; quality assurances; and help desk activities.
For respondents in Europe, the top five security control activities as a possible service from cloud providers include (in ascending order of importance): certifications such as PCI DSS, ISO, NIST and others; help desk activities; external audit; surveillance of data center operations; and quality assurances.
7. What respondents see as their organizations’ primary cloud computing security risks
Table 3 summarizes the combined US and European results for seven known security risk areas in the cloud computing environment as predicted by leading IT analysts. We once again compute the difference between on-premise and cloud to determine if these risk areas are more salient in the cloud environment. Clearly, the differences for all seven attributes are positive, suggesting that respondents believe these security risk areas are more salient in the cloud environment.
Table 3
Seven cloud computing security risks. Each cell represents the percentage of respondents who are confident or very confident that the risk area is properly managed (1) on-premise and (2) in the cloud.
| Risk area | On-premise | In the cloud | Difference |
| Ensure the physical location of data assets are in secure environments | 56% | 33% | 22% |
| Restrict privileged user access to sensitive data | 48% | 29% | 19% |
| Ensure compliance with all applicable privacy and data protection regulations and laws | 67% | 54% | 13% |
| Ensure long-term viability and availability of IT resources | 51% | 40% | 12% |
| Ensure recovery from significant IT failures | 60% | 50% | 10% |
| Ensure proper data segregation requirements are met | 53% | 45% | 8% |
| Investigate inappropriate or illegal activity | 55% | 48% | 8% |
| Average | 56% | 43% | 13% |
Bar Chart 13 illustrates the combined US and European confidence levels, on-premise versus in the cloud, in their organizations’ ability to effectively respond to each of the seven security risks.
Bar Chart 13
Seven known security risks in the cloud computing environment
Confident and very confident responses for US and Europe combined
[Chart, on-premise versus in the cloud: privileged user access to sensitive data 48% vs 29%; data assets are in secure physical environments 56% vs 33%; long-term viability and availability of IT resources 51% vs 40%; proper data segregation requirements are met 53% vs 45%; inappropriate or illegal activity 55% vs 48%; recovery from significant IT failures 60% vs 50%; compliance with all applicable regulations and laws 67% vs 54%. These are the values in Table 3.]
For respondents in the US, the top three risk areas with the largest differences between on-premise and cloud computing (largest difference first) are:
- Ensuring the physical location of data assets are in secure environments
- Restricting privileged user access to sensitive data
- Ensuring proper data segregation requirements are met
For respondents in Europe, the top three risk areas with the largest differences between on-premise and cloud computing (largest difference first) are:
- Ensuring the physical location of data assets are in secure environments
- Restricting privileged user access to sensitive data
- Ensuring compliance with all applicable privacy and data protection regulations and laws
8. What types of sensitive or confidential information are too risky for the cloud
We asked respondents to rate different information or data types in terms of risk to their organizations. For respondents in the US, the following are data assets that respondents believe are too risky for the cloud computing environment:
- 68% financial information
- 68% intellectual property
- 55% health information
- 50% non-financial business confidential information
- 43% credit card information
For Europe, the following are data assets that respondents believe are too risky for the cloud:
- 68% intellectual property
- 66% health information
- 65% employee records
- 55% financial information
- 50% non-financial business confidential information
It is interesting to note that employee records are deemed more risky for respondents in Europe and financial information is deemed more risky for respondents in the US. Sixty-eight percent of respondents in the US and Europe view intellectual property such as source code as too risky for the cloud. Bar Chart 14 lists the most risky data types for the combined US and Europe samples.
Bar Chart 14
The types of confidential or sensitive information too risky for the cloud
US and Europe results combined
[Chart. Intellectual property 68%; financial business information 62%; health information 61%; employee records 53%; non-financial business information 51%; credit card information 44%.]
9. Most significant changes anticipated by US and European respondents as computing resources migrate from on-premise to the cloud
The Cloud Security Alliance (CSA) has established 14 “areas of focus” that organizations need to manage as IT and data processing operations migrate from on-premise to the cloud computing environment.4 Respondents were asked to rate the importance of each area of focus based on their extant experiences in the cloud environment.
Bar Chart 15 provides the top five most critical areas of focus for respondents in the US and Europe. The percentage shown in each bar represents the average important or very important response of respondents. As can be seen, identity and access management and business continuity and disaster recovery are viewed as the top most important security issues.
Bar Chart 15
The top five critical areas of focus for organizations migrating to the cloud environment
Important & very important response for US and Europe combined
[Chart. Identity and access management 50%; business continuity and disaster recovery 47%; procedures for electronic discovery 46%; compliance and audit 40%; encryption and key management 39%.]
The top five critical areas of focus for US respondents are: identity and access management, business continuity and disaster recovery, compliance and audit, procedures for e-discovery, and encryption and key management. Similarly, for respondents in Europe, the top five critical areas of focus are procedures for e-discovery, identity and access management, business continuity and disaster recovery, encryption and key management, and data center operations.
4 Ibid, footnote 1.
III. Methods
Our study involved two independent sampling frames consisting of IT and IT security practitioners located in the United States and Europe. In total, more than 11,000 individuals in the US and 4,700 individuals in certain European countries were asked to participate in a web-based survey. As noted in Table 4, our final samples for respondents in the US and Europe are 642 and 283, respectively. One screening question was used to terminate respondents who did not have the requisite knowledge or experience in cloud computing domains.
Table 4: Sample response
| | US | Europe | Total |
| Sample frame | 11,015 | 4,718 | 15,733 |
| Invitations sent | 10,450 | 4,298 | 14,748 |
| Returned surveys | 713 | 329 | 1,042 |
| Rejections for reliability | 71 | 46 | 117 |
| Final sample (after screening) | 642 | 283 | 925 |
| Response rate (final sample as a percentage of the sample frame) | 5.8% | 6.0% | 5.9% |
Pie Chart 1 reports the percentage frequencies of countries where European respondents are located. As can be seen, the UK (34 percent) and Germany (22 percent) represent the two largest segments for the European sample.
Pie Chart 1
Country locations of respondents in the European sample
[Chart. United Kingdom 34%; Germany 22%; France 13%; Netherlands 8%; Spain 8%; Italy 7%; Switzerland 6%; Other 2%.]
Table 5 reports the organizational level of respondents in both the US and European samples. As shown, a majority of respondents are at or above the supervisory level in their organizations.
Table 5
Respondents’ organizational level
| Organizational level | US | Europe | Combined |
| Vice President or executive | 1% | 2% | 2% |
| Director | 18% | 17% | 18% |
| Manager | 25% | 19% | 22% |
| Supervisor | 19% | 23% | 21% |
| Staff or technician | 32% | 34% | 33% |
| Contractor | 3% | 2% | 3% |
| Other | 2% | 3% | 3% |
| Total | 100% | 100% | 100% |
Table 6 reports the respondents’ reporting channel or chain of command. As can be seen, a majority of respondents report through their organization’s CIO (54 percent), CISO (14 percent) or CTO (10 percent).
Table 6: Respondents’ reporting channel
| Reporting channel | US | Europe | Combined |
| Chief Information Officer | 53% | 54% | 54% |
| Chief Information Security Officer | 16% | 12% | 14% |
| Chief Technology Officer | 9% | 11% | 10% |
| Chief Risk Officer | 6% | 7% | 7% |
| General Counsel | 4% | 0% | 2% |
| Compliance Officer | 3% | 5% | 4% |
| Chief Financial Officer | 2% | 4% | 3% |
| Director of Internal Audit | 2% | 2% | 2% |
| Chief Security Officer | 2% | 2% | 2% |
| Other | 2% | 0% | 1% |
| Total | 100% | 100% | 100% |
Pie Chart 2 reports the distribution of respondents’ organizations across 14 industries. Financial services (19 percent), government (15 percent), retail (9 percent) and healthcare and pharmaceuticals (8 percent) represent the largest industry segments.
Pie Chart 2
Industry distribution of respondents’ organizations
Combined US and Europe results
[Chart. Financial services 19%; government 15%; retail 9%; health & pharma 8%. The remaining segments, including technology, communications, industrial, transportation, education, services and research, are each 7% or less.]
In total, US respondents have, on average, 12.5 years of overall experience and 12 years in either IT or IT security. Respondents in Europe have, on average, 14.2 years of experience and 13.1 years in IT or IT security.
Table 7 reports the worldwide headcount of respondent organizations, which is used as a surrogate for organizational size. As reported, a majority of respondents (68 percent combined) work in larger-sized organizations with more than 5,000 employees, and 44 percent work in organizations with more than 10,000 employees.
Table 7
Worldwide headcount of respondents’ organization
| Worldwide headcount | US | Europe | Combined |
| Less than 500 people | 5% | 9% | 7% |
| 500 to 1,000 people | 9% | 12% | 11% |
| 1,001 to 5,000 people | 13% | 18% | 16% |
| 5,001 to 10,000 people | 25% | 23% | 24% |
| 10,001 to 25,000 people | 21% | 20% | 21% |
| 25,001 to 75,000 people | 15% | 15% | 15% |
| More than 75,000 people | 12% | 3% | 8% |
| Total | 100% | 100% | 100% |
IV. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
V. Recommendations & Conclusion
The findings of our study suggest users of cloud computing resources may be putting their organizations in peril as a consequence of insecure cloud computing applications, infrastructure and platforms. As noted in this research, cloud computing deployment decisions are frequently made by end-users who may not have the knowledge or expertise to properly evaluate security risks. Without vetting procedures that involve IT security practitioners or other learned experts, organizations may find that mission-critical applications are operating in insecure environments. Despite this finding, we believe security should not be entirely the responsibility of the end-user. Instead, IT should embrace the inevitability of cloud computing. Security in the cloud is a shared responsibility between the cloud provider and the enterprise. IT security vendors, cloud users, and cloud providers need to collaborate to build security into cloud environments. To make this work, transparency is needed to ensure that cloud providers have accountability in ensuring a safe IT environment for cloud users.
Admittedly, enhancing security practices will likely increase the cost of cloud computing resources, which diminishes one of the main reasons for choosing the cloud. Despite this concern, we believe many organizations will pay a premium to cloud providers that are known to be secure. When it is difficult to ascertain the cloud provider’s level of security, organizations will seek alternative solutions to help minimize security risks. To minimize this possibility, we propose a four-pronged approach to mitigating security risk, as follows:
First, take an inventory of all cloud computing resources in use today and assess the risk they pose to the organization’s security posture. This assessment process should involve a core team led by corporate IT or security (depending on the expertise required).
Second, for all high risk cloud applications, make a decision about whether to discontinue their use to allocate more resources to make them more secure.
Third, develop policies and procedures that require knowledgeable people such as the company’s IT security function to evaluate the security posture of all future cloud computing providers.
Fourth, to avoid bottlenecks in the process, procedures should enable mission-critical applications to be vetted as a priority before moving to a secure cloud environment.
Our research shows that IT and IT security practitioners generally agree on the areas of focus that organizations need to consider before migrating to the cloud. These include:
Ensuring access rights, especially for privileged users, are effectively managed in the cloud computing environment.
Taking steps to locate sensitive or confidential data after deployment to the cloud.
Establishing oversight and control practices to ensure mission-critical applications and sensitive data too risky to move to the cloud are kept on-premise.
Modifying plans for business continuity, disaster recovery and e-discovery as information assets and critical infrastructure moves to the cloud.
Building control practices to thoroughly vet cloud providers before deploying their services.
Establishing the right mix of enabling technologies and control practices to ensure that the migration from on-premise to cloud environments is executed safely and securely.
In our study, only 14 percent of respondents believe that cloud computing will actually improve their organization’s security posture. This low percentage means that there is a significant opportunity for cloud computing providers to refute this perception and demonstrate that their IT infrastructure is equal or superior to on-premise computing environments. The shift to cloud computing provides an opportunity to increase security for the varied applications, platforms and infrastructure offerings.
While on-premise computing is not without inherent security risks, cloud computing poses new threats and challenges that need to be seriously considered before adoption. In conclusion, our next study on providers of cloud computing software, platforms and infrastructure will examine how the community of users and providers can best work together to establish practices that enable safety and security in the cloud.
Appendix 1: Survey Details
Fieldwork for the US and Europe concluded on March 26, 2010. All work was independently conducted by Ponemon Institute.
Cloud user study
Sample response US Europe
Sample frame 11,015 4,718
Invitations sent 10,450 4,298
Returned surveys 713 329
Rejections for reliability 71 46
Final sample 642 283
Response rates 5.8% 6.0%
I. Screening
Q1. Does your organization use cloud computing resources? US Europe
Yes 551 250
No (stop) 91 33
Total 642 283
Q2. What best describes your organization’s cloud computing deployment approach? Please check one US Europe
Use mostly public clouds 419 198
Use mostly private clouds 56 42
Use a combination of public and private clouds (hybrid) 76 10
Total 551 250
II. Attributions about cloud computing security (strongly agree & agree combined) US Europe
Q3a. My organization assesses the impact cloud computing has on the ability to protect and secure confidential or sensitive information. 44% 56%
Q3b. My organization does not use cloud computing applications that are not thoroughly vetted for security risks. 41% 60%
Q3c. My organization is vigilant in conducting audits or assessments of cloud computing resources before deployment. 36% 57%
Q3d. My organization is proactive in assessing information that is too sensitive to be stored in the cloud. 38% 64%
Q3e. My organization’s security leaders are most responsible for securing our organization’s safe use of cloud computing resources. 27% 38%
III. Cloud computing experience
Q4a. Does your organization use SaaS resources from cloud computing providers? US Europe
Yes 67% 62%
No 23% 31%
Unsure 10% 7%
Q4b. If yes, what percent of your organization’s business-critical applications utilizes SaaS versus conventional software applications? US Europe
Less than 10% 17% 15%
Between 11 to 20% 21% 32%
Between 21 to 30% 18% 11%
Between 31 to 40% 10% 6%
Between 40 to 50% 8% 5%
Between 50 to 75% 6% 3%
Between 76 to 90% 1% 0%
More than 90% 1% 1%
Don’t know 18% 27%
Total 100% 100%
Extrapolated value 22% 16%
Q4c. In your opinion, who is most responsible for ensuring the security of SaaS applications used within your organization? US Europe
My company’s end-users are most responsible 23% 9%
My company’s IT function is most responsible 14% 28%
My company’s IT security function is most responsible 9% 10%
The cloud computing provider is most responsible 40% 43%
Responsibility is shared between my company and the cloud computing provider 12% 8%
Don’t know 2% 3%
Total 100% 100%
Q4d. How important is the use of SaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 40% 34%
Over the next two years (important & very important combined) 67% 62%
Q4e. How confident are you that SaaS applications used within your organization are secure? US Europe
Confident & very confident response (combined) 49% 60%
Q4f. Are SaaS applications evaluated for security prior to deployment within your organization? US Europe
Yes 45% 61%
No 37% 28%
Don’t know 18% 12%
Total 100% 100%
Q5a. Does your organization use IaaS resources from cloud computing providers? US Europe
Yes 53% 46%
No 40% 41%
Unsure 7% 13%
Q5b. If yes, what percent of your organization’s business-critical computing utilizes IaaS versus on-premise infrastructure services? US Europe
Less than 10% 35% 45%
Between 11 to 20% 18% 13%
Between 21 to 30% 7% 9%
Between 31 to 40% 5% 4%
Between 40 to 50% 3% 2%
Between 50 to 75% 5% 1%
Between 76 to 90% 0% 0%
More than 90% 1% 0%
Don’t know 26% 26%
Total 100% 100%
Extrapolated value 14% 11%
Q5c. In your opinion, who is most responsible for ensuring the security of IaaS resources used within your organization? US Europe
My company’s end-users are most responsible 30% 28%
My company’s IT function is most responsible 20% 21%
My company’s IT security function is most responsible 8% 10%
The cloud computing provider is most responsible 32% 36%
Responsibility is shared between my company and the cloud computing provider 5% 3%
Don’t know 5% 2%
Total 100% 100%
Q5d. How important is the use of IaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 22% 25%
Over the next two years (important & very important combined) 54% 48%
Q5e. How confident are you that IaaS resources used within your organization are secure? (very confident & confident combined) US Europe
Confident & very confident response (combined) 50% 56%
Q5f. Are IaaS resources evaluated for security prior to deployment within your organization? US Europe
Yes 51% 66%
No 29% 23%
Don’t know 20% 11%
Total 100% 100%
Q6a. Does your organization use PaaS resources from cloud computing providers? US Europe
Yes 35% 33%
No 50% 59%
Unsure 15% 8%
Q6b. If yes, what percent of your organization’s business-critical resources utilizes PaaS versus on-premise platform services? US Europe
Less than 10% 40% 61%
Between 11 to 20% 21% 9%
Between 21 to 30% 10% 2%
Between 31 to 40% 5% 4%
Between 40 to 50% 0% 0%
Between 50 to 75% 2% 1%
Between 76 to 90% 0% 0%
More than 90% 1% 0%
Don’t know 21% 23%
Total 100% 100%
Extrapolated value 13% 9%
Q6c. In your opinion, who is most responsible for ensuring the security of PaaS resources used within your organization? US Europe
My company’s end-users are most responsible 16% 9%
My company’s IT function is most responsible 25% 32%
My company’s IT security function is most responsible 11% 11%
The cloud computing provider is most responsible 23% 19%
Responsibility is shared between my company and the cloud computing provider 15% 17%
Don’t know 10% 12%
Total 100% 100%
Q6d. How important is the use of PaaS in meeting your organization’s IT and data processing objectives? US Europe
Today (important & very important combined) 20% 21%
Over the next two years (important & very important combined) 55% 53%
Q6e. How confident are you that PaaS resources used within your organization are secure? (confident & very confident combined) US Europe
Confident & very confident response (combined) 48% 51%
Q6f. Are PaaS resources evaluated for security prior to deployment within your organization? US Europe
Yes 46% 52%
No 31% 26%
Don’t know 23% 22%
Q7. What are the primary reasons why cloud computing resources are used within your organization? Please select only three choices. US Europe
Reduce cost 78% 67%
Increase efficiency 50% 62%
Improve security 12% 15%
Faster deployment time 56% 58%
Increase flexibility and choice 45% 31%
Improve customer service 12% 14%
Comply with contractual agreements or policies 9% 11%
Other 2% 0%
Total 264% 258%
Q8. How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today? US Europe
Confident & very confident response (combined) 45% 56%
Q9. Which individuals or functions within your organization are responsible for ensuring cloud computing providers are safe and secure? Please select no more than three choices. US Europe
End-users 75% 62%
Business unit management 69% 58%
Corporate IT 23% 35%
Compliance 9% 12%
Legal 10% 9%
Procurement 5% 2%
Internal audit 2% 0%
Information security 29% 31%
Physical security 2% 5%
No one person is responsible 23% 27%
Other 2% 3%
IV. Security posture
The following matrix lists 25 attributions that define an effective IT security environment. Please assess the effectiveness of your organization’s IT security environment for: (1) on-premises and (2) in-cloud applications, platforms and infrastructure. The four-point scale provided to the right of each attribute should be used to define your level of confidence in being able to accomplish the stated security requirement.
US security objectives (confident & very confident combined) On-premise In the cloud
Determine the root cause of cyber attacks 49% 47%
Know where information assets are physically located 82% 40%
Secure sensitive or confidential information at rest 54% 32%
Secure sensitive or confidential information in motion 74% 72%
Secure endpoints to the network 64% 58%
Identify and authenticate users before granting access to information assets or IT infrastructure 58% 34%
Secure vendor relationships before sharing information assets 41% 36%
Prevent or curtail data loss or theft 62% 51%
Prevent or curtail external attacks 43% 39%
Limit physical access to IT infrastructure 87% 46%
Ensure security governance processes are effective 79% 66%
Prevent or curtail system downtime and business interruption 61% 65%
Prevent or curtail system-level connections from insecure endpoints 63% 46%
Comply with all legal requirements 75% 64%
Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others 70% 66%
Prevent or curtail viruses and malware infection 83% 78%
Perform patches to software promptly 54% 49%
Control all live data used in development and testing 55% 48%
Enforce security policies 76% 52%
Access to highly qualified IT security personnel 85% 81%
Conduct training and awareness for all system users 67% 61%
Conduct independent audits 65% 45%
Ensure security program is adequately managed 63% 41%
Monitor network/traffic intelligence 67% 52%
Encrypt sensitive or confidential information assets whenever feasible 50% 40%
The following matrix lists 25 attributions that define an effective IT security environment. Please assess the effectiveness of your organization’s IT security environment for: (1) on-premises and (2) in-cloud applications, platforms and infrastructure. The four-point scale provided to the right of each attribute should be used to define your level of confidence in being able to accomplish the stated security requirement.
Europe security objectives (confident & very confident combined) On-premise In the cloud
Determine the root cause of cyber attacks 46% 55%
Know where information assets are physically located 64% 57%
Secure sensitive or confidential information at rest 45% 33%
Secure sensitive or confidential information in motion 66% 61%
Secure endpoints to the network 59% 59%
Identify and authenticate users before granting access to information assets or IT infrastructure 59% 39%
Secure vendor relationships before sharing information assets 46% 37%
Prevent or curtail data loss or theft 65% 49%
Prevent or curtail external attacks 47% 33%
Limit physical access to IT infrastructure 81% 50%
Ensure security governance processes are effective 73% 69%
Prevent or curtail system downtime and business interruption 59% 67%
Prevent or curtail system-level connections from insecure endpoints 62% 52%
Comply with all legal requirements 79% 79%
Achieve compliance with leading self-regulatory frameworks including PCI DSS, ISO, NIST and others 67% 61%
Prevent or curtail viruses and malware infection 87% 81%
Perform patches to software promptly 57% 52%
Control all live data used in development and testing 50% 50%
Enforce security policies 69% 54%
Access to highly qualified IT security personnel 81% 80%
Conduct training and awareness for all system users 60% 60%
Conduct independent audits 65% 41%
Ensure security program is adequately managed 65% 64%
Monitor network/traffic intelligence 71% 76%
Encrypt sensitive or confidential information assets whenever feasible 47% 46%
Average 63% 56%
Q10b. In my organization, cloud computing presents a more secure environment than on-premise computing. US Europe
Strongly agree & agree (combined) 29% 33%
Q11a. US Sample: Please review the following list of 25 enabling security technologies that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Access governance systems 65% 12% 23%
Anti-virus & anti-malware 43% 42% 15%
Correlation or event management 50% 43% 7%
Data loss prevention (DLP) 56% 8% 36%
Database scanning and monitoring 45% 45% 10%
Encryption for data at rest 45% 17% 38%
Encryption for data in motion 30% 38% 32%
Encryption for wireless communication 49% 47% 4%
Endpoint solutions 75% 11% 14%
Firewalls 43% 45% 12%
Identity federation 34% 35% 31%
ID & credentialing system 62% 35% 3%
Identity & access management (IAM) 45% 8% 47%
Intrusion detection or prevention 30% 62% 8%
Log management 42% 17% 41%
Network intelligence systems 36% 59% 5%
Patch management 25% 52% 24%
Perimeter or location surveillance 16% 67% 17%
Privileged password management 62% 28% 10%
Service oriented architecture (SOA) security 27% 58% 15%
Single sign-on (SSO) 24% 33% 42%
User management and provisioning 50% 33% 17%
Virtual private network (VPN) 37% 35% 28%
Whitelisting solutions 58% 17% 25%
Web application firewalls (WAF) 32% 31% 37%
Q11a. Europe Sample: Please review the following list of 25 enabling security technologies that may be deployed by your organization to secure information assets and the IT infrastructure. For each technology, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Access governance systems 61% 5% 34%
Anti-virus & anti-malware 39% 24% 37%
Correlation or event management 35% 27% 38%
Data loss prevention (DLP) 75% 15% 10%
Database scanning and monitoring 40% 42% 18%
Encryption for data at rest 65% 23% 12%
Encryption for data in motion 20% 51% 29%
Encryption for wireless communication 50% 42% 8%
Endpoint solutions 78% 5% 18%
Firewalls 48% 17% 35%
Identity federation 30% 35% 34%
ID & credentialing system 70% 11% 19%
Identity & access management (IAM) 54% 7% 40%
Intrusion detection or prevention 20% 63% 17%
Log management 40% 27% 32%
Network intelligence systems 23% 68% 9%
Patch management 29% 50% 21%
Perimeter or location surveillance 22% 60% 19%
Privileged password management 58% 27% 15%
Service oriented architecture (SOA) security 31% 25% 44%
Single sign-on (SSO) 29% 25% 46%
User management and provisioning 59% 33% 8%
Virtual private network (VPN) 31% 24% 45%
Whitelisting solutions 59% 10% 31%
Web application firewalls (WAF) 25% 23% 52%
Average 44% 30% 27%
Q11b. In general, the above enabling security technologies should be provided as a service from the cloud. U.S. Europe
Q12. US Sample: Please review the following list of 17 system control activities that may be deployed by your organization to secure information assets and the IT infrastructure. For each control activity, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Background checks of privileged users 76% 6% 18%
Certifications (such as PCI DSS, ISO, NIST and others) 36% 51% 13%
Communications 81% 16% 3%
Controls assessment 58% 17% 25%
External audit 59% 29% 12%
Helpdesk activities 43% 30% 27%
IT audit 9% 10% 81%
Monitoring changes in regulatory requirements 90% 3% 7%
Policies and procedures 78% 3% 19%
Quality assurances 44% 31% 25%
Redress and enforcement 75% 12% 13%
Surveillance 37% 34% 29%
Training of data handlers 31% 36% 33%
Training of end users 57% 30% 12%
Training of security practitioners 90% 3% 7%
Vetting and monitoring of third parties 50% 7% 42%
Average 57% 20% 23%
Q12. Europe Sample: Please review the following list of 17 system control activities that may be deployed by your organization to secure information assets and the IT infrastructure. For each control activity, please indicate whether it should be deployed: (1) on-premise, (2) in the cloud, or (3) a combination of both. On-premise In the cloud Combination
Background checks of privileged users 56% 7% 37%
Certifications (such as PCI DSS, ISO, NIST and others) 34% 54% 11%
Communications 90% 5% 5%
Controls assessment 55% 10% 35%
External audit 53% 32% 15%
Helpdesk activities 25% 49% 26%
IT audit 72% 13% 15%
Monitoring changes in regulatory requirements 90% 5% 6%
Policies and procedures 91% 5% 4%
Quality assurances 50% 22% 27%
Redress and enforcement 89% 5% 6%
Surveillance 32% 30% 38%
Training of data handlers 80% 12% 8%
Training of end users 86% 3% 11%
Training of security practitioners 96% 2% 2%
Vetting and monitoring of third parties 75% 13% 12%
Q13. Please rate your organization’s ability to mitigate or significantly curtail this risk for IT operations (1) on-premises and (2) in the cloud. The four-point scale provided to the right of each attribute should be used to define your level of confidence in being able to mitigate or curtail each risk area from 1 = very confident, 2 = confident, 3 = somewhat confident, 4 = not confident.
Q13. US Sample. Seven cloud computing security risks (confident & very confident combined) On premises In the cloud
Restrict privileged user access to sensitive data 45% 28%
Ensure compliance with all applicable privacy and data protection regulations and laws 63% 56%
Ensure the physical location of data assets are in secure environments 58% 37%
Ensure proper data segregation requirements are met 56% 45%
Ensure recovery from significant IT failures 57% 55%
Investigate inappropriate or illegal activity 55% 52%
Ensure long-term viability and availability of IT resources 53% 48%
Average 55% 46%
Q13. Europe Sample. Seven cloud computing security risks (confident & very confident combined) On premises In the cloud
Restrict privileged user access to sensitive data 50% 29%
Ensure compliance with all applicable privacy and data protection regulations and laws 72% 52%
Ensure the physical location of data assets are in secure environments 53% 29%
Ensure proper data segregation requirements are met 50% 46%
Ensure recovery from significant IT failures 63% 46%
Investigate inappropriate or illegal activity 55% 43%
Ensure long-term viability and availability of IT resources 49% 31%
Average 56% 39%
Q14. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud? US Europe
Consumer data 21% 30%
Customer information 34% 45%
Credit card information 43% 44%
Employee records 41% 65%
Health information 55% 66%
Non-financial confidential business information 50% 52%
Financial business information 68% 55%
Intellectual property such as source code, design plans, architectural renderings 68% 71%
Research data 36% 39%
Other (please specify) 2% 0%
None of the above 31% 15%
Q15. What types of business applications does your organization consider too risky to be processed and housed in the cloud? US Europe
Sales and CRM applications 21% 33%
ERP applications 23% 30%
Human resource and payroll applications 30% 54%
Financial and accounting applications 41% 52%
Engineering applications 20% 40%
Manufacturing applications 32% 39%
Logistics applications 11% 25%
Scheduling and time management applications 9% 36%
Communication applications 14% 35%
Other 3% 5%
Average 20% 35%
Q16. Are members of your security team involved in determining the use of certain cloud applications or platforms? US Europe
Always & most of the time combined. 31% 35%
Q17. The Cloud Security Alliance (CSA) has advanced the following 14 areas as “critical areas of focus” for organizations deploying cloud computing resources. For each critical area of focus listed below, please rate the significance of change to your IT operations as your organization migrates from on-premises IT to cloud computing environments.
Change on IT operations (significant and very significant combined) US Europe
Governance and enterprise risk management 34% 33%
Legal and contracting issues 12% 20%
Procedures for electronic discovery 40% 51%
Compliance and audit 45% 35%
Information lifecycle management 21% 19%
Portability and interoperability 20% 15%
Business continuity and disaster recovery 50% 43%
Data center operations 10% 35%
Incident response, notification and remediation 12% 30%
Application security 21% 15%
Encryption and key management 35% 43%
Identity and access management 51% 49%
Storage operations 12% 15%
Virtualization operations 16% 22%
Average 27% 30%
Q18. IT leaders of my organization are concerned about the security of cloud computing resources. US Europe
V. Organization characteristics and respondent demographics
D1. What organizational level best describes your current position? US Europe
Senior Executive 0% 2%
Vice President 1% 0%
Director 18% 17%
Manager 25% 19%
Supervisor 19% 23%
Staff or technician 32% 34%
Contractor 3% 2%
Other 2% 3%
Total 100% 100%
D2. Check the Primary Person you or your supervisor reports to within your organization. US Europe
CEO/Executive Committee 0% 0%
Chief Financial Officer 2% 4%
Chief Information Officer 53% 54%
Chief Information Security Officer 16% 12%
Compliance Officer 3% 5%
Chief Privacy Officer 1% 0%
Director of Internal Audit 2% 2%
General Counsel 4% 0%
Chief Technology Officer 9% 11%
Human Resources Leader 0% 3%
Chief Security Officer 2% 2%
Chief Risk Officer 6% 7%
Other 2% 0%
Total 100% 100%
D3. Geographic region (location of respondent) US Europe
United States 69% 0%
United Kingdom 0% 11%
Germany 0% 7%
France 0% 4%
Netherlands 0% 3%
Switzerland 0% 2%
Spain 0% 2%
Italy 0% 2%
Other 0% 1%
D4. Age of respondent US Europe
Less than 25 years 5% 5%
26 to 35 years 34% 28%
36 to 45 years 30% 31%
46 to 55 years 19% 20%
56 to 65 years 9% 11%
More than 65 years 3% 5%
Total 100% 100%
Experience US Europe
D5a. Total years of business experience 12.53 14.15
D5b. Total years in IT or data security 11.9 13.06
D5c. Total years in current position 4.5 5.1
D6. Educational and career background: US Europe
Compliance (auditing, accountant, legal) 11% 14%
IT (systems, software, computer science) 56% 52%
Security (law enforcement, military, intelligence) 14% 20%
Other non-technical field 6% 10%
Other technical field 13% 4%
Total 100% 100%
D7. What industry best describes your organization’s industry concentration or focus? US Europe
Airlines 3% 4%
Automotive 5% 2%
Agriculture 0% 0%
Brokerage 3% 2%
Cable 2% 0%
Chemicals 3% 2%
Credit Cards 3% 3%
Defense 3% 1%
Education 4% 5%
Entertainment 1% 3%
Services 1% 2%
Health Care 5% 1%
Hospitality & Leisure 2% 3%
Manufacturing 4% 1%
Insurance 5% 3%
Internet & ISPs 1% 1%
Government 10% 14%
Pharmaceutical 4% 5%
Professional Services 1% 5%
Research 1% 5%
Retail 8% 9%
Banking 13% 11%
Telecommunications 4% 5%
Technology & Software 2% 5%
Transportation 4% 1%
Wireless 5% 4%
Total 100% 100%
D8. What best describes your role in managing data protection and security risk in your organization? Check all that apply. US Europe
Setting priorities 59% 62%
Managing budgets 56% 55%
Selecting vendors and contractors 51% 48%
Determining privacy and data protection strategy 48% 50%
Evaluating program performance 46% 51%
Average 52% 53%
D9. What is the worldwide headcount of your organization? US Europe
Less than 500 people 5% 9%
500 to 1,000 people 9% 12%
1,001 to 5,000 people 13% 18%
5,001 to 10,000 people 25% 23%
10,001 to 25,000 people 21% 20%
25,001 to 75,000 people 15% 15%
More than 75,000 people 12% 3%
Total 100% 100%
Please contact Ponemon Institute at [email protected] if you have any questions or concerns about this research. Thank you for your interest in our work.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.