Study Shows Improved Practices in Cloud Security, Sometimes
CA Technologies and the Ponemon Institute recently conducted study titled “Security of Cloud Computing Users 2013.” This study reveals that many companies have improved their practices around cloud computing security compared to a previous study from 2010. The responses raise questions and concerns about organizations’ use of security best practices and their awareness of cloud services used within their organizations. It also confirms there are conflicting views on who is most responsible for cloud security.
What should be done?
It is common knowledge among CIOs, CISOs that there are essentially five characteristics and best practices effectively implemented by organizations with well devised security policies. According to recent comments by Ben Rothke, Manager Information Security at Wyndham Worldwide here are the most notable five characteristics:
1. Have a CISO: Somebody needs to drive security. For example, a Chief Financial Officer is critical for driving finances. Similarly, a Chief Information Security Officer is critical for spearheading the company’s security practice.
2. Risk Management: Risk drives everything. The CISO understands the risks and threats the organization faces and designs
a security program around that. This must be customized and not a series of standard “best practices.”
3. Invest in people not products: The cost of hardware and software purchased has no real direct corresponding effect to the level of security. A company that has great talent using open source products will be more secure than a company that spends millions on proprietary tools but does not intrinsically know how to use them.
4. Policies and procedures: It’s very important to have standardization across all business units and processes. You want the firewall installed and managed in one location to be installed and managed the same way in another location. “If things aren’t done via standard processes you’ll have inconsistencies and that’s where security breaches and mistakes happen. When you don’t have common procedures and common practices things are done ad hoc, and ad hoc is the enemy of good security.
5. Awareness – People have to have situational awareness of what they’re doing. For example, if you don’t have effective key management all the security you have may be useless.
Back to the study.
“While cloud computing is still one of the most disruptive and promising trends of the past decade, the study shows that cloud security struggles to get past a grade of 50 percent when it comes to best practices, including the percentage of organizations that say they engage their security teams in determining the use of cloud services,” said Mike Denning, general manager, Security, CA Technologies. “We believe that organizations can do better and gain the benefits of cloud computing by reducing risk and achieving that desired balance of protection and business enablement.”
The study provided several key insights:
• Cloud confidence and best practices are improving but further progress can be made. Positive survey responses only hovered around half (50 percent) for any given question around cloud security best practices, such as vetting services for security risk, engaging the security team in determining cloud service use and assessing how a cloud service could impact data security. In addition, while this statistic improved by five percent from the 2010 survey, only 50 percent of organizations are confident they know all the cloud services in use within their organization.
• Responsibility for cloud security is mixed with a bias toward end users and IT Security getting a pass. The survey shows a concerning lack of agreement remains regarding who has responsibility for cloud security. While some organizations expect their cloud services providers to ensure the security of SaaS and IaaS applications (36 percent and 22 percent, respectively), a significant amount of the responsibility is assigned to companies’ end-users (31 percent for SaaS; 21 percent for IaaS), and very little responsibility was assigned to IT Security (eight percent for SaaS and 10 percent for IaaS). This relinquishment of responsibility points to a lack of clarity around ownership, which may lead to gaps in security processes and governance.
• Users prefer hybrid identity and access management (IAM) security solutions. Sixty-four percent of survey respondents would prefer a hybrid IAM implementation that supports both on-premise and cloud-based applications.
“Confidence in and best practices for the security of cloud computing is improving but not as significantly as one might have expected since our 2010 study,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Our latest study offers organizations new data that should spark them to examine their own internal practices which could result in improvements in how they adopt and secure cloud services and applications.”
Enjoyed the article?
Sign-up for our free newsletter to kick off your day with the latest technology insights, or share the article with your friends and contacts on Facebook, Twitter or Google+ using the icons below.