I came across a very interesting cloud computing security study from the Ponemon Institute (sponsored by CA, but independently carried out by Ponemon). The study is based on a survey the Institute carried out, responded to by around 900 people.
The survey results are as one might expect: IT professionals trust the security of on-premise computing more than that of cloud computing providers. But buried within the detail of the survey are some pretty interesting stats, to which I will turn momentarily.
Regarding what the respondents considered the top security issues for cloud computing, here are the top five responses from the survey takers (NOTE: the ranking is based on the difference in the confidence that these issues are addressed in on-premise vs. cloud environments; the percentage listed is the difference between confidence that the area is being addressed well by on-premise vs. in the cloud):
• Ensure the physical location of data assets are in secure environments (33%)
• Restrict privileged user access to sensitive data (29%)
• Ensure compliance with all applicable privacy and data protection regulations and laws (13%)
• Ensure long-term viability and availability of IT resources (12%)
• Ensure recovery from significant IT failures (10%)
Traditional Security Problems Persist
What is really interesting about this list, to me, is the level of confidence in how well these areas are being addressed today in on-premise environments. For example, on the topic of ensuring that the physical location of data assets are in secure environments, the respondents only gave cloud providers a 33% positive ranking. However, and here is the kicker, the respondents only gave the on-premise alternative a 56% positive rating! In other words, nearly half the respondents believe that their own internal data centers do not do a good job of securing the physical environments of their data centers -- not exactly a vote of confidence in current security procedures.
In fact, if one goes through the report's comparisons of cloud versus on-premise security, it's a strong indictment of the current state of security practices. For example, on the topic of "restricting privileged user access to sensitive data," only 29% of respondents believe that cloud computing providers do a good job; on the other hand, only 48% believe that their internal data center practices do a good job. Similar numbers are associated with other security-oriented topics like "ensure proper data segregation requirements are met" and "investigate inappropriate or illegal activity" -- in fact, on the latter item there is only a 7% difference between on-premise and cloud.
In my interpretation, the message of the survey regarding on-premise vs. cloud is this: public clouds are marked low due to unfamiliarity and suspicion of the new (very common human traits), while the established and accepted alternative -- on-premise -- gets terrible marks because not a very good job is done on security in on-premise environments. If after 40+ years of use, on-premise barely rates a fifty-fifty rating on "ensure the physical location of data assets are in secure environments," it's pretty clear that a poor job is being done today and it's unlikely to improve in the future; after all, past behavior is the best predictor of future behavior.
One might speculate that many of these numbers will change in favor of public clouds in the future. With regard to security of physical data locations, I know that Amazon and Terremark, to name a couple of cloud providers, run a very tight ship. When more people become aware of this fact, they're likely to come to regard cloud environments as more secure than on-premise environments.
Does Cloud Make Security Revamp Mandatory?
If one wanted to speculate further, one could say that the issue of on-premise security will become more important as organizations build out private clouds. Christopher Hoff, a well-known security blogger, calls cloud computing a forcing function for security, in the sense that virtualizing and migrating workloads imposes a higher standard of security. I'm not sure about that, as one of the primary reasons security is lax is the fact that it is starved of budget in most IT organizations. Why would putting in a cloud raise the budgetary priority?
Interestingly, most of the coverage and discussion I've read about this report has emphasized the fear of security among respondents. If one views the report's findings through lenses looking for confirmation that IT organizations are reluctant to use public cloud computing, evidence to support that perspective can be found. On the other hand, if one looks with another set of lenses -- and looks for behavior rather than expressed opinions -- another perspective appears. When asked "Does your organization use IaaS resources from cloud computing providers," U.S. respondents responded positively at 53% and European at 46%. Put another way, while security may be a concern, actual behavior indicates that security is not holding back cloud use.
Of course, it may be that the respondents feel that their organizations are using cloud computing while not observing appropriate security practices: "they're doing it, but they're doing it wrong." In my recent experience moderating a roundtable of CISOs from large enterprises (which I wrote about here), what came through loud and clear is that security practitioners are constantly trying to catch up with events that have bypassed or outstripped them. We do a lot of work in security, and have some recommendations about how to approach cloud computing security in public environments, which you can read here.
With regard to the Ponemon Report, it should be required reading for every security professional concerned with cloud computing. It's the second example of excellent work from Ponemon I've come across in the past few weeks, hard on the heels of the earlier "2010 Access Governance Trends Survey." Both are highly recommended.
Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.