Cloud Users' Security Concerns
A summary of the survey "Security of Cloud Computing Users"
CA Technologies funded a survey carried out by the Ponemon Institute in May 2010, "Security of Cloud Computing Users". It asked security practitioners at organizations currently using, or migrating applications to, cloud services about cloud security.
The full original report is available for download. This page is my summary of the main points I found interesting, with my comments on some of the statistics.
They surveyed 642 cloud computing users in the U.S. and 283 in Europe, 925 responses from 15,733 surveys sent, a 5.9% response rate. The survey asked about their perceptions regarding the security of cloud computing; how they are using the various cloud service models; their division of responsibility for information security; how security in the cloud compares to on-premises; what they see as their primary cloud security risks; and more.
Recall the cloud computing service models: SaaS, PaaS, and IaaS for Software, Platform, and Infrastructure as a Service.
The specific service model defines who has responsibility for the hardware and software at the cloud provider or service end; the customer is always responsible for everything at the client end.
Who maintains each software / hardware layer at the cloud provider end:

Layer | SaaS | PaaS | IaaS |
Service application | Provider | Customer | Customer |
Programming environment: PHP, Perl, Python, .NET, MySQL/SQL | Provider | Provider | Customer |
Operating system: Linux, Windows, Solaris | Provider | Provider | Customer |
Virtualization: Xen, VMware, KVM | Provider | Provider | Provider |
Hardware: computers, switches, routers, HVAC, facility | Provider | Provider | Provider |

The hardware platform and virtualization are entirely maintained by the provider in every model. The service application talks to the client application over the network (TCP/IP); the client application and everything else at the client end is maintained by the cloud customer in every model.

Examples:

SaaS | Google Apps, Salesforce.com |
PaaS | Google App Engine, Microsoft Azure, Microsoft SQL Azure, GoDaddy |
IaaS | Amazon AWS (EC2/EBS/S3/etc), Rackspace, Hosting.com |
Use Rates for SaaS, PaaS, and IaaS
I would guess that the high rates for SaaS are largely Google Apps, Gmail, and Salesforce, and that IaaS is largely Amazon AWS followed by Rackspace.
Service model | Europe | U.S. |
SaaS | 62% | 67% |
PaaS | 33% | 35% |
IaaS | 46% | 53% |
Percentages of business-critical applications or services run in SaaS, PaaS, and IaaS
These rates are roughly a quarter to a third of the simple use rates (for example, 16% of 62% in Europe and 22% of 67% in the U.S. for SaaS). So only about a quarter to a third of those using a given cloud service model run business-critical applications or services in it; the remaining two-thirds or more of cloud use is not business-critical.
Service model | Europe | U.S. |
SaaS | 16% | 22% |
PaaS | 9% | 13% |
IaaS | 11% | 14% |
Percentage believing that the cloud provider is most responsible for ensuring security
These numbers make no sense to me. In an IaaS model, the provider runs the facility, hardware, and virtualization, as always. The provider gives the customer an operating system image at deployment time, along with a VLAN and a router / firewall, but everything else, including OS maintenance, is the responsibility of the customer.
With PaaS, the provider also maintains the operating system and the programming environment.
The provider's responsibility in SaaS is the same, with the addition of maintaining the application itself: everything at the cloud end.
The only correct answer that I can see is that the cloud provider is most responsible in SaaS and least responsible in IaaS. I would expect these numbers to be something more like 85% for SaaS, 15% for PaaS, and 5% for IaaS. I looked at the details in the second half of the report and found that they agreed with the charts and graphs in the summary and discussion of the first half. Since they typically list the service models in the order PaaS, IaaS, SaaS, I wonder if there is some systematic misunderstanding in their survey.
Service model | Combined |
SaaS | 42% |
PaaS | 21% |
IaaS | 34% |
Reason for migrating corporate IT to a cloud environment
This is much as I would expect: the main reasons are economic, and there is little expectation of increasing security by a move to the cloud, despite the fact that in many ways the cloud can be more secure.
Reason | Combined |
Reduce cost | 73% |
Faster deployment | 57% |
Increased efficiency | 56% |
Increased flexibility and choice | 38% |
Improve security | 14% |
Improve customer service | 13% |
Percentage confidence level for 25 security features
This also makes sense: everyone realizes that nothing is perfect (or perfectly awful), but the cloud seems a little riskier. The biggest surprise to me is that there isn't a significantly larger difference between perceptions of on-premises and cloud security.
Region | On premises | In the cloud |
Europe | 63% | 56% |
U.S. | 63% | 52% |
Technologies believed to be most important for securing a cloud environment
This is interesting to see, but I'm not sure what I would have expected here...
Technology | Combined |
Network intelligence systems | 64% |
Virtual Private Networks | 64% |
Log management | 62% |
Identity federation | 51% |
Encryption for stored data | 45% |
User management and provisioning | 45% |
Differences in confidence levels for properly managing specific risks
The numbers have been rounded off, so the differences are not always the exact arithmetic difference of the two percentages shown.
It seems quite reasonable that the greatest difference has to do with physical location. The surprising thing to me is that confidence in the on-premises case is so low!
As for restricting privileged user access, I'm sure this is a worry that someone on the provider's staff will start snooping around. Here is where we can benefit from what I think of as "the anonymity of the crowd".
If your data is stored somewhere like Amazon AWS, buried among who knows how much data belonging to random other customers, residing at randomly assigned storage locations accessed by randomly placed compute instances, I can't imagine someone stumbling across it. It seems like it would take a threat inside the provider staff modifying the deployment processes in advance, to notice when your organization deployed instances and to focus on those data sets. The anonymity of the crowd is no defense against an insider who already has administrative access to the storage or control plane, though; against that, encryption of stored data with keys the provider never holds is the control that matters.
Confidence that this risk is properly managed | On premises | In the cloud | Difference |
Physical location of data assets is properly managed | 56% | 33% | 22% |
Restrict privileged user access to sensitive data | 48% | 29% | 19% |
Ensure compliance regarding privacy and data protection | 67% | 54% | 13% |
Long-term availability of resources | 51% | 40% | 12% |
Recovery from significant IT failures | 60% | 50% | 10% |
Data segregation requirements | 53% | 45% | 8% |
Investigate improper/illegal activity | 55% | 48% | 8% |
Types of sensitive information too risky for the cloud
This varies significantly by region. The concern in the U.S. is focused slightly more on protecting the business, while in Europe it is focused more on protecting the individual (health information and employee records rank higher, financial information lower).
For the U.S.:
- 68% financial information
- 68% intellectual property
- 55% health information
- 50% non-financial business confidential
- 43% credit card information
For Europe:
- 68% intellectual property
- 66% health information
- 65% employee records
- 55% financial information
- 50% non-financial business confidential