Cloud computing providers: Clueless about security?

A survey of 127 of cloud computing providers suggests many regard security as being mainly their customer’s problem, and indeed, see their own proficiencies in low cost and speed of deployment services.

More on cloud security: Cloud security still a struggle for many companies, survey finds

Those are among the findings from Ponemon Institute’s “Security of Cloud Computing Providers Study,” which quizzed 103 cloud service providers in the U.S. and 24 in Europe on their views and practices in securing the data entrusted to them by customers. In the survey 65% of the respondents were “public” cloud providers, the remainder “private” cloud or “hybrid” mix. The most frequently offered service was software-as-a service, followed by infrastructure-as-a-service and platform-as-a-service.  

The candid responses from managers, director and technical staff for the cloud providers indicates  well over half “do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure confidential or sensitive information,” the Ponemon survey notes.

“Buyer beware – on average, providers of cloud computing technologies allocate 10% or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met,” states the survey report, “The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.”

Private-cloud providers, however, “appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.”

In general, cloud providers overwhelmingly believe customers seek them out mainly to reduce costs and get “faster deployment time.” Over 60% of the cloud providers surveyed expressed lack of confidence in the security of the cloud resources they provided.  In fact, 91% said they don’t provide security-as-a-service from the cloud today, but about one third are considering doing that in the next two years.

Matthew Gardiner, director of security at CA Technologies, says the cloud providers “are reacting to the market they’re living in now” and they “shouldn’t be beaten over the head” for giving what they believe their customers want, like fast deployment. But other evidence suggests customers have  higher expectations about the level of security they should be able to get in the cloud, he notes. The reality is that most customers today are reluctant to hand over more sensitive data to the cloud due to a huge disconnect about what they expect the cloud provider to be able to do and what it can or will.

Over 65% of the cloud service providers responding to the survey said they see ensuring recovery from significant IT failures as something they have confidence they can do.

Cloud providers did express some confidence in some of their own skills. 81% of cloud providers indicate they feel they do have access to “highly-qualified IT security personnel,” and 80% of them believe they can “prevent or curtail viruses and malware infection.” Seventy-one percent said they can “secure sensitive or confidential information in motion” and “achieve compliance with leading self-regulatory frameworks.”

The cloud providers surveyed had the least confidence in their ability to “identify and authenticate users before granting access,” or “prevent or curtail external attacks,” “encrypt sensitive or confidential information assets whenever feasible” or “determine the root cause of cyber attacks.”

Read more about data center in Network World’s Data Center section.