Ponemon Prognosis Shows State of Cloud Security Improvements

For as much chatter that the cloud security gap continues to garner at trade shows such as last week's RSA Conference, a new Ponemon Institute study out this week shows that, in many ways, organizations are incrementally improving how they manage the risks around placing sensitive databases and applications in the cloud.

Still, there's room for improvement. In some glaring cases -- namely, data governance and access control -- the perceived risk climbed since 2010 when Ponemon last conducted a similar survey.

"What we found in 2010, in general, was that security is not the priority in the cloud universe," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, who said the two surveys asked the same attribution questions as a way of testing perceptions attitudes and change around data security in the cloud. "What we found [in 2012] were small improvements, but consistently so in every one of our attributions."

Conducted on behalf of CA Technologies, the "Ponemon State of Cloud Security" report found that among more than 700 IT decision makers, 51 percent reported that cloud computing applications not vetted for risk are not used in their organizations. That's a 10 percentage point jump over the past two years. Meanwhile, back in 2010 only 44 percent of organizations reported that doing a risk assessment before putting databases and other IT assets in the cloud. That number jumped up to 50 percent this time around.

"In general, all of these results suggest that security is still an issue, but it's getting better," says Ponemon, who noted that, in particular, organizations have improved their ability to prevent or curtail data loss or theft from cloud resources, which went up nine percentage points. "In the last two years, there have been a ton of products building encryption technology in the cloud."

However, there were some areas where organizations did not improve, according to the survey. For example, fewer organizations reported that they were able to ensure governance processes were effective, even in the cloud. Similarly, fewer organizations reported they were able to properly identify and authenticate users before granting access to data and systems in the cloud.

"But I think the reason isn't that technology is getting worse -- it's just that the demands on the cloud are growing," he says.

This survey tracks well with results from a recent survey out from cloud security provider SilverSky, which showed a whopping 97 percent of companies have increased or maintained their confidence in the cloud over the past year, and that currently 24 percent of all business functions are cloud-based today.

One of the big challenges organizations and top technology executives have faced is the difficulty of assigning responsibility for security. Ponemon's survey shows that since 2010, more executives believe they share responsibility with cloud providers, but 36 percent of organizations still lay security responsibility solely at the feet of their providers.

"Moving to the cloud should be career-defining, not career-limiting," says Andrew Jaquith, CTO of SilverSky. "When CIOs and security decision makers move their critical workloads to the cloud, they seek providers that cut their costs, simplify their architectures, and protect their data. But equally important, they are making a leap of faith by entrusting services they can't do without to someone they don't know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.