Microsoft recently commissioned the Ponemon Institute to study the use of Cloud computing by American, German and Scandinavian IT professionals, and the data privacy and security issues associated with Cloud computing. The Ponemon Institute surveyed 1,771 individuals in positions within IT, compliance, data security, risk management, and privacy in the United States, Germany, and the Nordic countries (Denmark, Finland, Norway, and Sweden), and created three separate reports. This report focuses primarily on the analysis of American respondents.
The Ponemon Institute queried 24,051 American IT professionals and received 769 responses (3% response rate). American respondents were generally at or above supervisory level (65%), had an average of 11 years of business experience, and reported to either the Chief Information Officer (48%) or Chief Information Security Officer (10%). Respondents were distributed over a wide range of industries, with the largest proportions coming from financial services (17%), health and pharmaceutical services (11%) and the public sector/government (10%).
Three major topics were addressed:
- Current and projected future utilization of cloud computing in small and medium sized businesses;
- Perceptions of the security and privacy of data stored and/or analyzed in the Cloud; and
- Differences in attitudes toward data security in the Cloud among U.S., German and Scandinavian IT professionals.
Prevalence and Nature of Cloud Computing in U.S. Businesses
Cloud computing is an integral and growing part of IT in the U.S., with 73% of respondents characterizing their company’s utilization of Cloud computing as “heavy” (vs. 17% as “light”), and 69% making use of public Cloud services (vs. 12% private). The following figure plots the perceived importance of Cloud computing over five qualitative categories (essential, very important, important, not important and irrelevant) now and two years in the future. Currently 65% of American IT professionals consider the Cloud to be somewhere in the range from essential to important, and this percentage increases to 81% for operations projected two years into the future. It is also significant that only 35% of U.S. respondents considered the Cloud to be unimportant or irrelevant now, a percentage that dropped to 19% when projected two years into the future.
The growing importance of Cloud computing to U.S. businesses is further illustrated by the chart below, which plots current and projected proportions of survey respondents who accomplish various proportions of their data management and IT needs by making use of the Cloud. As estimated by the sum of the product of the percent of respondents and their percent of Cloud usage, 35% of all IT needs are met with Cloud resources at the present time. When Cloud reliance is projected two years into the future, the percent rises to 44%.
The survey revealed that cloud technology is used in roughly seven different ways, with 50% of the usage falling into the first three categories of business Apps (especially customer relationship management), IT infrastructure (on-line backup security) and social media. Peer-to-peer services, storage, miscellaneous services and solution stacks comprise the remaining categories. Only 3% of U.S. respondents said their company did not use any Cloud services.
Attitudes and Practices Specifically Related to Data Security in the Cloud
The study shows that there is a large difference in the perception of the importance of security associated with Cloud computing. While 59% of U.S. respondents said a prospective Cloud provider’s privacy policies and practices had “some to a very significant” impact on their choice of provider, a total of 41% either did not care about a Cloud provider’s privacy practices or were unsure whether privacy practices made a difference.
When asked what measures they thought were most important to protecting the privacy of data used or stored in the Cloud, U.S. IT professionals identified three measures: knowing the physical location of data storage (62%), having effective provisions for segregating data among users (54%) and agreeing not to mine data for advertising (44%). (Note that multiple responses were allowed to this question.)
Attitudes and actions relating to data security in Cloud computing were, however, inconsistent. While 60% of U.S. respondents claimed their organizations were committed to protecting sensitive or confidential information, only half said they were “extremely careful” about sharing confidential information with third parties, and less than 40% had determined which data were too sensitive for the Cloud or had explicitly assessed the impact of Cloud computing on privacy commitments and obligations.
We also see that there is a marked indifference toward security issues associated with Cloud computing that is definitely inconsistent with a “commitment to protecting sensitive or confidential information”. Eighty-six percent of American IT professionals thought that the use of Cloud resources either had no effect on or actually decreased their company’s responsibility to protect the confidentiality of their clients’ information. Put another way, only 14 percent of respondents said the use of cloud resources increases an organization’s responsibility to safeguard customer, employee, consumer, and other personal information.
The survey also looked into the percentage of respondents who considered various kinds of information to be too sensitive to be analyzed with Cloud resources (multiple choices were allowed). Not surprisingly, intellectual property (source code, architectural renderings, etc.), health records, various kinds of corporate financial records and research data were most frequently considered to be too sensitive for the Cloud, being identified by ~40-50% of the respondents. However, in another indication of inconsistency toward security and the Cloud, 46% of the respondents did not think any kind of information was too sensitive for the Cloud.
Adequate Security Assurances
Specific assurances from Cloud vendors and/or their track record in providing security were important to U.S. respondents. As mentioned, 59 percent of respondents say that the privacy policies and practices of their cloud providers would impact cloud purchasing decisions. 63 percent of respondents would be much less likely or less likely to purchase cloud services if the cloud vendor reported a material data breach involving the loss or theft of sensitive or confidential personal information. On the other hand, 34% would not discriminate among Cloud vendors on the basis of their security lapses, and 4% were not sure.
Assurances from Cloud providers did not affect purchasing decisions of respondents as much as evaluations by credible third parties. 51% of respondents would be much more likely or more likely to purchase from Cloud vendors that had been evaluated positively by credible third parties in terms of their ability to meet all privacy and data protection requirements, including regulations and laws in various countries. Only 34% of respondents would be equally persuaded by vendors who simply promised to meet all security requirements. It is perhaps indicative of a measure of indifference to Cloud security issues that nearly half (49%) of the respondents would not be swayed or were unsure of the impact of positive third party evaluations of vendor security measures.
The top three steps U.S. respondents indicated their organizations took to vet cloud providers did not explicitly focus on the technical aspects of data privacy. The most common vetting procedure was contractual negotiation and legal review (59%), followed by an audit report or other type of proof of compliance (51%), and a self-assessment checklist or questionnaire completed by the provider (43%). When information security was made a top concern in vetting Cloud providers, 63% relied on assurances from the Cloud provider and 58% relied on contractual agreements with the cloud provider. Only 37 percent of U.S. IT professionals said they would use conventional data security tools such as encryption to protect information in the cloud.
Finally, 46% of American respondents said they regarded certification standards like the SAS-70 and the SSAE 16 as the most important certifications for evaluating cloud providers, while 38 percent regarded the ISO 27001 certification as most important.
The internal inconsistency in U.S. attitudes toward data security in the Cloud was once more apparent when the attitudes of American IT professionals were compared to their German and Scandinavian counterparts. The percent of U.S., German and Scandinavian respondents who were either confident or very confident in the general level of security provided by Cloud services was 39%, 56% and 46%, respectively. On the other hand, even though U.S. IT professionals were significantly less confident of Cloud security, they were also less likely than their European counterparts to select Cloud providers on the basis of their security measures. Only 30% of U.S. respondents said that the privacy policies and practices of Cloud providers would have a significant or very significant impact on their Cloud purchasing decisions. Comparable figures for Germans and Scandinavians were 45% and 49%, respectively.
On the other hand, there was a fair degree of similarity across countries in the issues considered important in assessing a Cloud provider’s commitment to privacy. Respondents from all three regions considered disclosure of the physical location of data storage, vendor agreement not to mine data and provisions for segregating data from different customers as the most important indicators of a vendor’s commitment to security. As could be expected, German and Scandinavian IT professionals considered European Union Model Clauses in contracting to be more important than Americans did.
Conclusions and Recommendations
The Ponemon Institute recommended that organizations assess specific, proactive steps to protect sensitive information in the cloud, including:
- Creating policies and procedures that clearly state the importance of protecting sensitive information stored in the cloud, including which kinds of information are considered sensitive and proprietary;
- Evaluating the security posture of third parties before sharing confidential or sensitive information;
- Utilizing corporate IT or IT security for thorough reviews and audits of the vendor’s security qualifications;
- Training employees to mitigate the security risks specific to cloud technology to ensure that sensitive and confidential information is not threatened;
- Establishing an organizational structure that allows the CIO, CISO, or other security or privacy leaders to participate actively in the vetting, purchasing, and implementing processes to ensure that they are handled appropriately;
- Establishing a functional role dedicated to information governance oversight to better protect the business;
- Defining a policy that governs the protection of sensitive and confidential data and applications that organizations are willing to put in the Cloud; and
- Greater transparency from Cloud providers into their security infrastructure, to help ensure customer confidence that information stored in the cloud is secure.
You can go here to download the full study.