Storm clouds in France.

Cloud Users' Security Concerns

A summary of the survey "Security of Cloud Computing Users"

CA Technologies funded a survey carried out by the Ponemon Institute in May 2010, "Security of Cloud Computing Users". The survey was about cloud security, specifically asking security practitioners at organizations currently using or migrating applications to the cloud.

Please click here to download the full original report. This page is my summary of the main points I found interesting and my comments on some of the statistics.

They surveyed 642 and 283 cloud computing users in the U.S. and Europe, respectively, the result of a 5.9% response rate for 15,733 surveys sent. The survey asked about their perceptions regarding the security of cloud computing; how they are using the various cloud service models; their division of responsibility for information security; how security of the cloud compares to on-premises; what they see as their primary cloud security risks; and more.

Recall the cloud computing service models: SaaS, PaaS, and IaaS for Software, Platform, and Infrastructure as a Service.

The specific service model defines who has responsibility for the hardware and software at the cloud provider or service end; the customer is always responsible for everything at the client end.

Maintained by Software / Hardware
SaaS PaaS IaaS Cloud
Network Cloud
Provider Customer Customer Service
←TCP/IP→ Client
Provider Programming environment:
PHP, Perl, Python, .NET, MySQL/SQL
Operating system:
Linux, Windows, Solaris
Provider Virtualization:
Xen, VMware, KVM
Hardware platform and virtualization are entirely maintained by the provider
Computers, switches, routers, HVAC, facility
Google Apps,
Google App Engine,
Microsoft Azure,
Microsoft SQL Azure,
Amazon AWS EC2/EBS/S3/etc,

Europe U.S.
SaaS 62% 67%
PaaS 33% 35%
IaaS 46% 53%

Use Rates for SaaS, PaaS, and IaaS

I would guess that the high rates for SaaS are largely Google Apps, GMail, and Salesforce, and IaaS is largely Amazon AWS followed by Rackspace.

Europe U.S.
SaaS 16% 22%
PaaS 9% 13%
IaaS 11% 14%

Percentages of business-critical applications or services run in SaaS, PaaS, and IaaS

These rates are approximately a third those of the simple use rates. So, about a third of those using cloud technology do so for business-critical purposes, about two-thirds of the cloud use is not business-critical.

SaaS 42%
PaaS 21%
IaaS 34%

Percentage believing that the cloud provider is most responsible for ensuring security

I do not understand this. In an IaaS model, the provider runs the facility, hardware, and virtualization as always. The provider gives the customer an operating system at deployment time, along with a VLAN and router  / firewall, but then everything else including OS maintenance is the responsibility of the customer.

With PaaS, the supplier also maintains the operating system and the programming environment.

The supplier's responsibility in SaaS is the same except with the addition of maintaining the application itself, everything at the cloud end.

The only correct answer that I can see is that the cloud provider is most responsible in SaaS. And, in IaaS, the least responsible. I would expect these numbers to be something more like 85%, 15%, 5%. I looked at the details in the second half of the report, and found that they agreed with the charts and graphs in the summary and discussion of the first half. Since they typically list the service models in the order PaaS, IaaS, SaaS, I wonder if there is some systematic misunderstanding in their survey.

Reason Combined
Reduce cost 73%
Faster deployment 57%
Increased efficiency 56%
Increased flexibility and choice 38%
Improve security 14%
Improve customer service 13%

Reason for migrating corporate IT to a cloud environment

This is much as I would expect: the main reasons are economic and there is little expectation of increasing security by a move to the cloud, despite the fact that in many ways the cloud can be more secure.

On premise In the cloud
Europe 63% 56%
U.S. 63% 52%

Percentage confidence level for 25 security features

This also makes sense: everyone realizes that nothing is perfect (or perfectly awful), but the cloud seems a little riskier. The biggest surprise to me is that there isn't a significantly larger difference between perceptions of on-premise and cloud security.

Technology Combined
Network intelligence systems 64%
Virtual Private Networks 64%
Log management 62%
Identity federation 51%
Encryption for stored data 45%
User management and provisioning 45%

Technologies believed to be most important for securing a cloud environment

This is interesting to see, but I'm not sure what I would have expected here...

Confidence that this risk
is properly managed
On premise In cloud Difference
Physical location of data assets
is properly managed
56% 33% 22%
Restrict privileged user access
to sensitive data
48% 29% 19%
Ensure compliance regarding
privacy and data protection
67% 54% 13%
Long-term availability of resources 51% 40% 12%
Recovery from significant IT failures 60% 50% 10%
Data segregation requirements 53% 45% 8%
Investigate improper/illegal activity 55% 48% 8%

Differences in confidence levels for properly managing specific risks

The numbers have been rounded off, so the differences are not necessarily what you would expect.

It seems quite reasonable that the greatest diffence has to do with physical location. The surprising thing to me is that the confidence in on-premise location is so low!

As for restriction of privileged user access, I'm sure this is worry that someone on the provider staff will start snooping around. Here is where we can benefit from what I think of as "the anonymity of the crowd".

If your data is stored somewhere similar to Amazon AWS, buried among who knows how much data belonging to random other customers, residing at randomly deployed storage locations accessed by randomly deployed compute instances, I can't imagine someone stumbling across it. It seems like it would take a threat inside the provider staff modifying the deployment processes in advance to notice when your organization deployed instances and focus on those data sets.

Types of sensitive information too risky for the cloud

This varies significantly by location. The concern in the U.S. is focused slightly more on protecting the business, while in Europe it's focused on protecting the individual.

For the U.S.:

  • 68% financial information
  • 68% intellectual property
  • 55% health information
  • 50% non-financial business confidential
  • 43% credit card information

For Europe:

  • 68% intellectual property
  • 66% health information
  • 65% employee records
  • 55% financial information
  • 50% non-financial business confidential

Cloud Security

Back to the Security Page