B-Ponemon Institute Flying Blind in The Cloud WP - En-Us
I. Executive Summary
Despite widespread interest in adopting cloud computing technologies, many organizations are “flying
blind” with respect to making them secure, potentially putting their operations, intellectual property and
customer information at risk.
Sponsored by Symantec, Ponemon Institute independently conducted this national study, Flying Blind in
the Cloud: the State of Information Governance, to better understand how organizations are securing
their information assets in a cloud computing environment.
The survey was completed by 637 U.S. IT security practitioners and focused on the following issues:
• Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services. Seventy-one percent report their organizations use business applications such as CRM Inc., Salesforce.com and webmail. This is followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such as identity management, payments and search. The most popular infrastructure service is storage (56 percent) followed by computing (43 percent).
• Few organizations take proactive steps to protect both their own sensitive business
information and that of their customers, consumers and employees when they store that
information with cloud computing vendors. In both cases, fewer than 1 in 10 respondents say
their organizations use any kind of product vetting or employee training to determine that the cloud
computing resources meet all appropriate security requirements before deploying cloud applications.
• Organizations are adopting cloud technologies without the usual vetting procedures. Despite
security concerns and the expected growth in cloud computing, most organizations lack the
procedures, policies and tools to ensure that sensitive data they put in the cloud remains secure. Only
27 percent of respondents say their organizations have procedures for approving cloud applications
that use sensitive or confidential data. The main reason organizations permit cloud computing without
vetting vendors for security risks is that they can’t control end users, 76 percent of respondents say,
followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44
percent) and not considered a priority (43 percent).
• Employees are making decisions without their IT departments’ insights or full knowledge of
the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing
vendors prior to deploying their products and those people rely overwhelmingly – 65 percent – on
word-of-mouth recommendations and market reputation in making their purchase decisions. The
next-most common means were contractual agreements and assurances from the vendor (55 percent
and 53 percent, respectively). Only 23 percent require proof of security compliance such as SAS 70,
18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments
by security experts or auditors.
• Our survey reveals a potential explanation for this ad hoc environment: In most organizations,
large gaps exist between which people are most responsible for vetting or evaluating cloud
computing vendors, and which people should be most responsible. End users (45 percent) and
business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11
percent) and information security (9 percent) personnel are far less involved. Overall, respondents
would prefer to see the latter positions take charge (35 percent for information security, 34 percent for
corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.
• Moreover, only 20 percent of organizations reported that members of their IT security teams
are regularly involved in the decision-making process for allowing the use of cloud
applications or platforms. More than half say they were rarely involved and nearly 1 in 4 say they
never participated at all. Not surprisingly, 49 percent say they are not confident they know about all
cloud computing applications, platforms and infrastructure services their organizations currently use.
These results indicate that many organizations are “flying blind” with regards to securing these
technologies, potentially putting their operations, organizational and customer information at risk.
• Two years from now, most respondents plan to use cloud computing much more intensively
than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud
computing to be very important and important to meeting their IT and data processing goals. The
percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT
and data processing requirements is projected to triple, from 24 percent to 72 percent.
• Yet even as momentum for cloud computing builds, doubts about the security of cloud computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud
computing in their organizations: increased security risk (56 percent), loss of control over end users
(40 percent) and increased risks of non-compliance and data breaches (33 and 31 percent,
respectively). Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to
protect confidential or sensitive information. The most common difficulties are controlling or restricting
end-user access (80 percent) and directly inspecting cloud computing vendors for security
compliance (77 percent).
Following are the most salient findings of this survey research. Please note that most of the results are
displayed in Figure format. The actual data utilized in each figure and referenced in the paper are also in
the percentage frequency tables attached as the Appendix to this paper.
§1. Business applications, solution stacks and storage are the most popular cloud computing
applications, platforms and infrastructure services. Seventy-one percent report their organizations
use business applications such as CRM Inc., Salesforce.com and Web mail. This is followed by peer-to-
peer applications (58 percent) and social media applications (50 percent). Forty-six percent use
computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such
as identity management, payments and search. The most popular infrastructure service is storage (56
percent) followed by computing (43 percent). Accordingly, see Bar Charts 1a and 1b.
Bar Chart 1b: Most popular cloud computing platform or infrastructure services
Respondents’ primary reasons for using cloud computing resources help explain these results. The
overwhelmingly most popular reason is reducing costs (71 percent), followed by increasing efficiency (49
percent) and faster deployment time (43 percent). The least popular reasons are improving security (11
percent), increasing flexibility and choice (10 percent), improving customer service (9 percent) and
complying with contractual agreements or policies (6 percent).
Analysis of these statistics reveals several interesting points. Respondents are concerned about security
and don’t use the cloud for mission-critical applications and information, while simultaneously viewing the
benefits of cloud computing as so compelling that they’re willing to accept the risks. For the cloud model
to grow, cloud vendors must assure customers that operating in the cloud is secure.
Another possible reason could be that individual business units can deploy cloud computing applications
without coordinating with IT staff or buying and configuring their own equipment. All three factors can slow
deployment of cloud computing technologies and thus cause a perceived competitive disadvantage.
§2. Few organizations take proactive steps to protect both their own sensitive business
information and that of their customers, consumers and employees when they store that
information with cloud computing vendors. In both cases, the most popular action (32 percent) is legal
or indemnification agreements with cloud computing vendors. Fewer than 1 in 10 respondents say their organizations use any kind of product vetting or employee training to determine that cloud computing resources meet all appropriate security requirements before deploying cloud resources. See Bar Chart 3.
These results suggest that organizations are relying mostly on bureaucratic and passive means to
educate employees about cloud computing security policies, as the most popular responses don’t require
active end-user participation. Only 16 percent offer any kind of employee training, while 43 percent just
incorporate cloud computing security policies in their overall enterprise security policies and 23 percent
offer internal awareness programs that include emails to employees. Only 29 percent of respondents
have policies that restrict or limit the use of certain cloud computing applications. This data suggests huge
defects in how organizations communicate internally about securely using cloud computing.
Pie Chart 1: Does your organization have a policy that restricts the use of certain cloud applications?
Table 1: If yes, how is this policy communicated to end-users in the company?
The survey results also suggest that organizations’ training programs may not sufficiently prepare employees to protect sensitive or confidential information in the cloud. The largest number of
respondents (42 percent) offer general data security training without specifically discussing cloud
applications, followed by general data security training that does discuss cloud applications (19 percent).
Only 5 percent – 1 in 20 – of organizations offer specialized training for each cloud application.
Bar Chart 4: Methods for training employees about safeguarding sensitive or confidential information when using
cloud applications and resources.
§3. Organizations are adopting cloud technologies without the usual vetting procedures. Despite
security concerns and the expected growth in cloud computing, most organizations lack the procedures,
policies and tools to ensure that sensitive information they put in the cloud remains secure. Fifty-three
percent of respondents say their organizations do not have vetting procedures for approving cloud
applications that use sensitive or confidential data. The main reason organizations permit cloud computing without vetting vendors for security risk is that they can’t control end users (76 percent of respondents), followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44 percent) and not considered a priority (43 percent).
Pie Chart 2: Are cloud computing services evaluated for security prior to deployment or engagement?
Table 2: If no, why does your organization permit cloud computing resources without vetting or evaluation for security?
Not able to control end-users 76%
When correlated with Key Finding 1, these results show why cloud computing applications – readily
available to end users through the Internet – are much more popular than cloud computing platforms and
infrastructure services, which require more coordination with organizations’ IT staffs. Some of the very
qualities that make cloud computing attractive – ease of use, end-user accessibility through the Internet,
potential cost savings and productivity improvements – can make it difficult to engage the IT staff
necessary to keep sensitive and confidential information secure. So much of what IT security does is
driven by engagement with IT staff but unfortunately in the case of cloud computing, both IT security and
management staff are often out of the loop.
§4. Employees are making decisions without their IT departments’ insights or full knowledge of
the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors
prior to deploying their products and those people rely overwhelmingly – 65 percent – on word-of-mouth
recommendations and market reputation in making their purchase decisions. The next-most common
means are contractual agreements and assurances from the vendor (55 percent and 53 percent,
respectively). Only 23 percent require proof of security compliance such as SAS 70, 18 percent rely on in-
house security assessments and just 6 percent rely on third-party assessments by experts or auditors.
Bar Chart 5: How does your organization go about vetting cloud vendors?
§5. Our survey reveals a potential explanation for this ad hoc environment: In most organizations,
large gaps exist between which people are most responsible for vetting or evaluating cloud
computing vendors, and which people respondents thought should be most responsible. End
users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while
corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall,
respondents would prefer to see the latter positions take charge (35 percent for information security, 34
percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus
elsewhere.
Bar Chart 6: Who is (and who should be) most responsible for vetting and evaluating cloud vendors?
Despite a wider appreciation for the need for IT security, Findings 3, 4 and 5 (described above) show that
security is not a primary job responsibility or concern for many people making cloud computing decisions.
These employees often don’t have a sophisticated-enough understanding of IT security risks and
remedies, especially regarding new technologies such as cloud computing that emphasize key business
imperatives such as ease of use and cost savings. This can contribute to a mindset that puts immediate
business needs and technological benefits ahead of ensuring information is sufficiently secure.
As we have mentioned, the use of cloud computing is relatively new and growing quickly. Consequently,
organizations may have been caught off guard because they haven’t updated their security procedures
and policies to include cloud computing and its requirements. In addition, lines of business may be
circumventing IT in their efforts to realize the benefits of cloud as soon as they can. These factors present
a real challenge for IT.
The use of cloud computing in business environments raises an important point about how to secure
information in the cloud. As people adopt more dispersed systems, data becomes more fluid and
protecting access to that data is critical. In this environment, the cloud is driving the trend that IT
governance requires a combination of both business and IT management and leadership.
§6. Moreover, only 20 percent of organizations reported that members of their IT security teams
are regularly involved in the decision-making process for allowing the use of cloud applications or
platforms. More than half say they are rarely involved and nearly 1 in 4 say they never participate. Not
surprisingly, 49 percent say they are not confident they know about all cloud computing applications,
platforms and infrastructure services their organizations currently use. These results indicate that many
organizations are “flying blind” with regards to securing these technologies, potentially putting their
business operations, intellectual property and customer information at risk.
Pie Chart 3: How confident are you that your IT organization knows all cloud computing resources used within your company today?
Table 3: How involved are members of your security team in the decision-making process for allowing the use of cloud applications or platforms?
Rarely 56%
Never 24%
Always 3%
§7. Two years from now, most respondents plan to use cloud computing much more intensively
than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud computing
to be very important and important to meeting their IT and data processing goals. The percentage of
organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing
requirements is projected to triple, from 24 percent to 72 percent.
Bar Chart 7: How important is the use of cloud computing for meeting IT objectives
§8. Yet even as momentum for cloud computing builds, doubts about the security of cloud
computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud
computing in their organizations: increased security risk (56 percent), loss of control over end users (40
percent) and increased risks of non-compliance and data breaches (33 and 31 percent, respectively).
Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential
or sensitive information. The most common difficulties are in controlling or restricting end-user access (80
percent) and directly inspecting cloud computing vendors for security compliance (77 percent).
Taken together, these statistics indicate that not many cloud service providers are offering compliance-
ready infrastructure. Vendors that facilitate security and regulatory compliance through their services and
solutions, therefore, differentiate themselves in a competitive market.
So what is considered too dangerous or risky to store in the public cloud ecosystem? According to
respondents, the top three categories of confidential information considered too risky to be stored in the
cloud include: financial business information (69 percent), health information (65 percent) and credit card
information (53 percent).
Bar Chart 8: Types of sensitive or confidential information considered too risky for public clouds
§9. Organizations most frequently protect themselves through traditional IT security solutions and
legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud
computing vendors were the most common means to protect both sensitive business and customer data
(32 percent for each kind of data [see Bar Chart 3]). A point of potential concern is that most
organizations (60 percent) use conventional security tools to protect information in the cloud, even though
some of those tools don’t work in cloud environments. These results suggest that many respondents don’t
understand the specific security risks and remedies cloud computing environments present.
Bar Chart 10: Types of sensitive or confidential information considered too risky for public clouds
Cloud providers and their customers must be in sync about security but that level of maturity by and large
hasn’t developed yet. Such syncing is particularly challenging because most organizations don’t have IT
professionals involved in assessing cloud-related risks.
Business managers and end-users put business considerations first and are often too busy to take
advantage of cloud computing trends. As a result, they trust too much in standard business practices and
not in evaluations based on IT security best practices. While legal protections are of course necessary,
they don’t always effectively address issues specific to IT security, which can leave organizations at risk.
This study underscores pervasive concerns many public sector organizations have about keeping data—
especially personal and/or sensitive data—under control and secure in cloud computing environments.
Implications for the public sector include the following:
• The primary reasons organizations use cloud computing tie directly into public sector priorities. These
are reducing taxpayer costs and delivering better services faster to constituencies. Increased focus
on security is crucial for cloud vendors to persuade public sector organizations that cloud computing
can help accomplish those organizations’ missions (Key Finding 1).
• Developing an effective combination of business and IT management and leadership that cloud
computing demands is especially important for public sector organizations given the specific
business, security and regulatory challenges the public sector faces compared to other industry
sectors (Key Finding 5).
• Public sector organizations are especially interested in cloud vendors offering compliance-ready
infrastructure because that infrastructure can help them meet security and regulatory requirements
more quickly and effectively. This can lead to faster and better mission success and help avoid costly
data breaches (Key Finding 8).
• Developing an effective combination of business and IT management and leadership that cloud
computing demands is especially important for financial services organizations given the specific
business, security and regulatory challenges they face compared to other industry sectors (Key
Finding 5).
• Financial services organizations are especially interested in cloud vendors offering compliance-ready
infrastructure because that infrastructure can help them meet security and regulatory requirements
more quickly and effectively. This can lead to faster and better service delivery, improved
performance and avoidance of costly data breaches (Key Finding 8).
• Financial services organizations that rely on legal or indemnification agreements for protection need
to ensure those agreements contain sufficient data security and access provisions to meet regulatory
requirements (Key Finding 9).
IV: Methods
A sampling frame of nearly 14,000 adult-aged individuals who reside within the United States was used to
recruit and select participants to this survey. Our randomly selected sampling frame was built from
several proprietary lists of experienced IT and IT security practitioners.
In total, 918 respondents completed the survey. Of the returned instruments, 109 surveys failed reliability
checks. A total of 809 surveys were used as our final sample, which represents a 5.8 percent response
rate.
Two screening questions were used to ensure respondents had relevant knowledge and experience, resulting in a reduced sample size of 637 individuals. Ninety percent of respondents completed all survey items within 15 minutes.¹ The average overall experience level of respondents is 12.01 years, and the years of experience in their present job is 4.5 years.
Pie Chart 4 reports the primary industry sector of respondents’ organizations. As shown, the largest
segments include financial services, government, industrial companies, pharmaceuticals and healthcare
(combined), and services.
¹ Please note that nominal compensation was provided to respondents who successfully completed the survey instrument.
Table 5 reports the respondent organization’s global headcount. As shown, a majority of respondents
work within companies with more than 1,000 employees. Over 38 percent of respondents are located in
larger-sized companies with more than 10,000 employees.
Table 6 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents
are located in the organization’s IT department (led by the company’s CIO). Eighteen percent report to
the company’s security officer (or CISO).
Table 7 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States.
There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most web-based
surveys.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a web-based collection method, it is possible that non-web responses by mailed survey or
telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
VI: Recommendations
We recommend that organizations immediately assess what specific, proactive steps they should take to
protect sensitive information stored in the cloud. Other recommendations to implement immediately
include the following:
• Organizations should ensure that policies and procedures clearly state the importance of protecting
sensitive information stored in the cloud. The policy should outline what information is considered
sensitive and proprietary.
• Organizations should vet and evaluate the security posture of third parties before sharing confidential
or sensitive information. As part of the process, corporate IT and/or IT security experts should
conduct a thorough review and audit of the vendor’s security qualifications.
• Prior to deploying cloud technology, organizations should formally train employees how to mitigate
the security risks specific to the new technology to make sure sensitive and confidential information is
not threatened.
• Organizations should establish an organizational structure that allows the CIO, CISO or other
security/privacy leaders to participate actively in the vetting, purchasing and implementing processes
to ensure they are handled appropriately.
• Organizations should expand their governance activities beyond traditional IT areas to better protect
their business.
• Organizations should define policy around information and applications they are willing to put in the
cloud.
• Cloud computing vendors should provide more transparency into their security infrastructure to help
ensure customer confidence that information stored in the cloud is secure.
These recommendations should be incorporated into all procedures involving employees using cloud
computing resources. Doing so will address numerous significant risks facing organizations as cloud
computing technologies become more pervasive.
If you have questions or comments about this research report or you would like to obtain additional copies
of the document (including permission to quote from or reuse this report), please contact us by letter,
phone call or e-mail:
Ponemon Institute LLC
Attn: Research Department
2308 US 31 North
Traverse City, Michigan 49686 USA
1.800.887.3118
research@ponemon.org
The following tables provide the frequency and percentage frequency of responses to all survey questions. This web-
based survey was conducted by Ponemon Institute with subject debriefing completed on March 2, 2010. The final
sample size involves 809 respondents (637 after screening).
I. Screening
Q1. Does your organization use cloud computing resources? Freq, Remainder
Yes 755 755
No (stop) 54 0
Total 809 755
Q10. What are the primary reasons why cloud computing resources
are used within your organization? Please select only two choices. Total%
Reduce cost 71%
Increase efficiency 49%
Improve security 11%
Faster deployment time 43%
Increase flexibility and choice 10%
Improve customer service 9%
Comply with contractual agreements or policies 6%
Other 0%
Total 199%
Q11. How confident are you that your IT organization knows all cloud
computing applications, platform or infrastructure services in use
today? Pct%
Very confident 19%
Confident 32%
Not confident 49%
Total 100%
Q12b. If yes, who is responsible for vetting or evaluating cloud computing vendors in your organization? (Columns: Who is most responsible / Who should be most responsible)
End-users 45% 9%
Business unit managers 23% 11%
Corporate IT 11% 34%
Compliance 3% 6%
Legal 1% 0%
Procurement 3% 2%
Internal audit 1% 0%
Information security 9% 35%
Physical security 0% 0%
Other 2% 0%
No one person (shared responsibility) 2% 3%
Total 100% 100%
Q13b. If yes, what are the main disadvantages? Please select only
two choices. Total%
Increased security risk 56%
Increased data privacy risk 31%
Loss of control over end-users 40%
Increased risk of non-compliance 33%
Increased complexity in meeting IT requirements 16%
Increased risk of business process conflicts or snafus 19%
Other 0%
Total 195%
Q18a. Does your organization have a policy that restricts or limits the
use of certain cloud computing applications? Pct%
Yes 29%
No 49%
Don’t know 22%
Total 100%
Gramm-Leach-Bliley 12%
Various FTC requirements including the Red Flags Rule 10%
Fair and Accurate Credit Transaction Act (FACTA) 9%
Fair Credit Reporting Act (FCRA) 7%
US Federal Privacy Act 5%
Children’s Online Privacy Protection Act (COPPA) 2%
Total 295%
D2. What organizational level best describes your current position? Pct%
Senior Executive 0%
Vice President 2%
Director 20%
Manager 26%
Supervisor 15%
Staff or technician 34%
Other 3%
Total 100%
D8. What best describes your role in managing data protection and
security risk in your organization? Check all that apply. Pct%
Setting priorities 69%
Managing budgets 68%
Selecting vendors and contractors 63%
Determining privacy and data protection strategy 58%
Evaluating program performance 60%
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to
conduct high quality, empirical studies on critical issues affecting the management and security of
sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research).
Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant
or improper questions.