The use of cloud services is, in many circumstances, gaining management support. However, that upbeat attitude is missing in IT departments. The Lumension-sponsored Ponemon report 2014 State of Endpoint Risk suggests the use of cloud computing, whether company-backed or employee-driven, has increased angst among the survey respondents - 19,001 IT practitioners in the United States. The slide below shows that 44 percent of the respondents (16 percent increase from 2012 to 2013) identified using cloud-computing resources as a major concern. IT staff cited numerous concerns surrounding cloud computing.


Source: 2014 State of Endpoint Risk Report

Who’s Responsible for the Data in the Cloud?

The Ponemon report mirrored much of what security pundits have been saying for the past several years. What has me curious is who’s responsible? Who’s to blame if something happens to company data when it's in the cloud? One might expect all sorts of mention about this, but there isn’t. Minor discussions about responsibility started cropping up two or three years ago. However, “buyer beware” was the only real conclusion drawn.

With IT staff’s concern increasing, it might be a good idea to see if anything has changed in the responsibility department. Back in 2012, I interviewed several C-level executives. During the interviews, I asked who they thought was responsible for securing cloud-resident company data. Every executive believed data security was no longer their concern once the data was on someone else's servers.

The 2012 Businessweek article Who's Responsible for Protecting Data in the Cloud? by Sarah Frier affirmed my unscientific poll. In the article, Frier quoted Verizon Communications' Mario Santana, who said, “Some businesses mistakenly assume that once they opt to store data on outside servers, they no longer have to concern themselves with safeguarding that information.”

Based on the Ponemon and Businessweek findings, the disconnect between C-level executives and IT departments in 2012 became apparent. Fast forward two years, and what business leaders and IT practitioners are saying about security, and about who's responsible for company data entrusted to a cloud-service provider, has changed.

What's Different in 2014?

In April of 2014, Ponemon Institute released its third annual Trends in Cloud Encryption Study sponsored by Thales e-Security. Ponemon’s survey queried 4,275 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and Russia. The survey’s main thrust was examining how organizations protect their data when it is given to cloud-service providers.

Ponemon researchers asked participants two questions that are important to this discussion:
  • What percent of organizations transfer sensitive or confidential data to external cloud-based services?
  • Who is most responsible for protecting sensitive or confidential data transferred to a cloud-based service provider?

First, let’s look at what percentage of organizations are sending sensitive and confidential data to cloud-service providers. The slide below shows that for the survey year of 2013, 53 percent of those polled were transferring sensitive data to the cloud, 36 percent will do so within two years, and 11 percent were not using cloud-service providers. What's interesting is that the results for the past three years remained similar.


Source: Trends In Cloud Encryption

Next up, for the survey year of 2013, who was most responsible for protecting sensitive or confidential data transferred to a cloud-based service provider? It depends. The survey participants said responsibility hinges on the type of cloud service being provided - SaaS or IaaS/PaaS. The slide below depicts the respondents' opinions on who was responsible when a company used an SaaS environment. In 2013, 54 percent viewed the cloud provider as being responsible for security and 24 percent viewed cloud-service users as being responsible, while 19 percent felt responsibility should be shared. (Learn more in Choosing Between IaaS and PaaS: What You Need to Know.)


Source: Trends In Cloud Encryption

The next slide portrays the respondents' opinions on who was responsible when a company uses an IaaS/PaaS environment. In 2013, 47 percent viewed security as a shared responsibility, 26 percent viewed cloud-service users as being responsible, and 22 percent felt this was a cloud-service provider responsibility.


Source: Trends In Cloud Encryption

The bottom line? Things have changed. It appears that the “buyer beware” attitude has matured right along with cloud-service products. But as an Internet-savvy attorney told me, responsibilities are determined by the contracts, nothing more or nothing less. That's something for all those involved in cloud services to keep in mind.