Flying Blind in the Cloud
The State of Information Governance

Ponemon Institute© Research Report
Sponsored by Symantec
Independently conducted by Ponemon Institute LLC
Publication Date: April 7, 2010

I. Executive Summary

Despite widespread interest in adopting cloud computing technologies, many organizations are “flying
blind” with respect to making them secure, potentially putting their operations, intellectual property and
customer information at risk.

Sponsored by Symantec, Ponemon Institute independently conducted this national study, Flying Blind in
the Cloud: the State of Information Governance, to better understand how organizations are securing
their information assets in a cloud computing environment.

The survey was completed by 637 U.S. IT security practitioners and focused on the following issues:

• Organizations’ use of cloud computing applications, platforms and infrastructure services.
• The importance of cloud computing in the organization’s IT and data processing objectives.
• Policies and procedures in place to protect sensitive information in the cloud, especially regulated
data subject to data breach notification.

The following are the major findings of this study:

• Business applications, solution stacks and storage are the most popular cloud computing
applications, platforms and infrastructure services. Seventy-one percent report their
organizations use business applications such as CRM Inc., Salesforce.com and webmail. This is
followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six
percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent
use services such as identity management, payments and search. The most popular infrastructure
service is storage (56 percent) followed by computing (43 percent).

• Few organizations take proactive steps to protect both their own sensitive business
information and that of their customers, consumers and employees when they store that
information with cloud computing vendors. In both cases, fewer than 1 in 10 respondents say
their organizations use any kind of product vetting or employee training to determine that the cloud
computing resources meet all appropriate security requirements before deploying cloud applications.

• Organizations are adopting cloud technologies without the usual vetting procedures. Despite
security concerns and the expected growth in cloud computing, most organizations lack the
procedures, policies and tools to ensure that sensitive data they put in the cloud remains secure. Only
27 percent of respondents say their organizations have procedures for approving cloud applications
that use sensitive or confidential data. The main reason organizations permit cloud computing without
vetting vendors for security risks is that they can’t control end users, 76 percent of respondents say,
followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44
percent) and not considered a priority (43 percent).

• Employees are making decisions without their IT departments’ insights or full knowledge of
the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing
vendors prior to deploying their products and those people rely overwhelmingly – 65 percent – on
word-of-mouth recommendations and market reputation in making their purchase decisions. The
next-most common means were contractual agreements and assurances from the vendor (55 percent
and 53 percent, respectively). Only 23 percent require proof of security compliance such as SAS 70,
18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments
by security experts or auditors.

• Our survey reveals a potential explanation for this ad hoc environment: In most organizations,
large gaps exist between which people are most responsible for vetting or evaluating cloud
computing vendors, and which people should be most responsible. End users (45 percent) and
business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11
percent) and information security (9 percent) personnel are far less involved. Overall, respondents
would prefer to see the latter positions take charge (35 percent for information security, 34 percent for
corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.

• Moreover, only 20 percent of organizations reported that members of their IT security teams
are regularly involved in the decision-making process for allowing the use of cloud
applications or platforms. More than half say they were rarely involved and nearly 1 in 4 say they
never participated at all. Not surprisingly, 49 percent say they are not confident they know about all
cloud computing applications, platforms and infrastructure services their organizations currently use.
These results indicate that many organizations are “flying blind” with regards to securing these
technologies, potentially putting their operations, organizational and customer information at risk.

Other important findings include:

• Two years from now, most respondents plan to use cloud computing much more intensively
than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud
computing to be very important or important to meeting their IT and data processing goals. The
percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT
and data processing requirements is projected to triple, from 24 percent to 72 percent.

• Yet even as momentum for cloud computing builds, doubts about the security of cloud
computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud
computing in their organizations: increased security risk (56 percent), loss of control over end users
(40 percent), increased risk of non-compliance (33 percent) and increased data privacy risk (31
percent). Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to
protect confidential or sensitive information. The most common difficulties are controlling or restricting
end-user access (80 percent) and directly inspecting cloud computing vendors for security
compliance (77 percent).

• Organizations most frequently protect themselves through traditional IT security solutions
and legal or indemnification agreements with vendors. Legal or indemnification agreements with
cloud computing vendors are the most common means to protect both sensitive business and
customer data (32 percent for each kind of data). A point of potential concern is that most
organizations (60 percent) use conventional security tools to protect information in the cloud, even
though some of those tools – data loss prevention (DLP) and some encryption technologies come to
mind – sometimes don’t work in cloud environments. This indicates that many respondents don’t
understand the specific security risks and remedies cloud computing environments present.

II. Key Findings

Following are the most salient findings of this survey research. Please note that most of the results are
displayed in Figure format. The actual data utilized in each figure and referenced in the paper are also in
the percentage frequency tables attached as the Appendix to this paper.

§1. Business applications, solution stacks and storage are the most popular cloud computing
applications, platforms and infrastructure services. Seventy-one percent report their organizations
use business applications such as CRM Inc., Salesforce.com and Web mail. This is followed by peer-to-
peer applications (58 percent) and social media applications (50 percent). Forty-six percent use
computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such
as identity management, payments and search. The most popular infrastructure service is storage (56
percent) followed by computing (43 percent). Accordingly, see Bar Charts 1a and 1b.

Bar Chart 1a: Most popular cloud computing applications

Bar Chart 1b: Most popular cloud computing platform or infrastructure services

Respondents’ primary reasons for using cloud computing resources help explain these results. The
overwhelmingly most popular reason is reducing costs (71 percent), followed by increasing efficiency (49
percent) and faster deployment time (43 percent). The least popular reasons are improving security (11
percent), increasing flexibility and choice (10 percent), improving customer service (9 percent) and
complying with contractual agreements or policies (6 percent).

Bar Chart 2: Primary reasons for choosing cloud computing resources

Analysis of these statistics reveals several interesting points. Respondents are concerned about security
and don’t use the cloud for mission-critical applications and information, while simultaneously viewing the
benefits of cloud computing as so compelling that they’re willing to accept the risks. For the cloud model
to grow, cloud vendors must assure customers that operating in the cloud is secure.

Another possible reason could be that individual business units can deploy cloud computing applications
without coordinating with IT staff or buying and configuring their own equipment. All three factors can slow
deployment of cloud computing technologies and thus cause a perceived competitive disadvantage.

§2. Few organizations take proactive steps to protect both their own sensitive business
information and that of their customers, consumers and employees when they store that
information with cloud computing vendors. In both cases, the most popular action (32 percent) is legal
or indemnification agreements with cloud computing vendors. Fewer than 1 in 10 respondents say their
organizations use any kind of product vetting or employee training to determine that cloud computing
resources meet all appropriate security requirements before deploying cloud resources. See Bar Chart 3.

Bar Chart 3: Steps taken to protect sensitive or confidential information

These results suggest that organizations are relying mostly on bureaucratic and passive means to
educate employees about cloud computing security policies, as the most popular responses don’t require
active end-user participation. Only 16 percent offer any kind of employee training, while 43 percent just
incorporate cloud computing security policies in their overall enterprise security policies and 23 percent
offer internal awareness programs that include emails to employees. Only 29 percent of respondents
have policies that restrict or limit the use of certain cloud computing applications. This data suggests huge
defects in how organizations communicate internally about securely using cloud computing.

Pie Chart 1: Does your organization have a policy that restricts the use of certain cloud applications?

Table 1: If yes, how is this policy communicated to end-users in the company?
It is part of the enterprise security policy        43%
Internal awareness including email to employees     23%
Don’t know                                          18%
Informal process                                    11%
Formal in-house training                             5%

The survey results also suggest that organizations’ training programs may not adequately prepare
employees to protect sensitive or confidential information in the cloud. The largest number of
respondents (42 percent) offer general data security training without specifically discussing cloud
applications, followed by general data security training that does discuss cloud applications (19 percent).
Only 5 percent – 1 in 20 – of organizations offer specialized training for each cloud application.

Bar Chart 4: Methods for training employees about safeguarding sensitive or confidential information when using
cloud applications and resources.

§3. Organizations are adopting cloud technologies without the usual vetting procedures. Despite
security concerns and the expected growth in cloud computing, most organizations lack the procedures,
policies and tools to ensure that sensitive information they put in the cloud remains secure. Fifty-three
percent of respondents say their organizations do not have vetting procedures for approving cloud
applications that use sensitive or confidential data. The main reason organizations permit cloud
computing without vetting vendors for security risk is that they can’t control end users (76 percent of
respondents), followed by not enough resources to conduct an evaluation (50 percent), no one is in
charge (44 percent) and not considered a priority (43 percent).

Pie Chart 2: Are cloud computing services evaluated for security prior to deployment or engagement?

Table 2: If no, why does your organization permit cloud computing resources without vetting or
evaluation for security?
Not able to control end-users                   76%
Not enough resources to conduct evaluation      50%
No one is in charge                             44%
Not considered a priority                       43%
Don’t know                                      18%
When correlated with Key Finding 1, these results show why cloud computing applications – readily
available to end users through the Internet – are much more popular than cloud computing platforms and
infrastructure services, which require more coordination with organizations’ IT staffs. Some of the very
qualities that make cloud computing attractive – ease of use, end-user accessibility through the Internet,
potential cost savings and productivity improvements – can make it difficult to engage the IT staff
necessary to keep sensitive and confidential information secure. So much of what IT security does is
driven by engagement with IT staff but unfortunately in the case of cloud computing, both IT security and
management staff are often out of the loop.

§4. Employees are making decisions without their IT departments’ insights or full knowledge of
the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors
prior to deploying their products and those people rely overwhelmingly – 65 percent – on word-of-mouth
recommendations and market reputation in making their purchase decisions. The next-most common
means are contractual agreements and assurances from the vendor (55 percent and 53 percent,
respectively). Only 23 percent require proof of security compliance such as SAS 70, 18 percent rely on
in-house security assessments and just 6 percent rely on third-party assessments by experts or auditors.

Bar Chart 5: How does your organization go about vetting cloud vendors?

§5. Our survey reveals a potential explanation for this ad hoc environment: In most organizations,
large gaps exist between which people are most responsible for vetting or evaluating cloud
computing vendors, and which people respondents thought should be most responsible. End
users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while
corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall,
respondents would prefer to see the latter positions take charge (35 percent for information security, 34
percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus
elsewhere.

Bar Chart 6: Who is (and who should be) most responsible for vetting and evaluating cloud vendors?

Despite a wider appreciation for the need for IT security, Findings 3, 4 and 5 (described above) show that
security is not a primary job responsibility or concern for many people making cloud computing decisions.
These employees often don’t have a sophisticated-enough understanding of IT security risks and
remedies, especially regarding new technologies such as cloud computing that emphasize key business
imperatives such as ease of use and cost savings. This can contribute to a mindset that puts immediate
business needs and technological benefits ahead of ensuring information is sufficiently secure.

As we have mentioned, the use of cloud computing is relatively new and growing quickly. Consequently,
organizations may have been caught off guard because they haven’t updated their security procedures
and policies to include cloud computing and its requirements. In addition, lines of business may be
circumventing IT in their efforts to realize the benefits of cloud as soon as they can. These factors present
a real challenge for IT.

The use of cloud computing in business environments raises an important point about how to secure
information in the cloud. As organizations adopt more dispersed systems, data becomes more fluid and
protecting access to that data is critical. In this environment, the cloud is accelerating a trend in which
IT governance requires a combination of business and IT management and leadership.

§6. Moreover, only 20 percent of organizations reported that members of their IT security teams
are regularly involved in the decision-making process for allowing the use of cloud applications or
platforms. More than half say they are rarely involved and nearly 1 in 4 say they never participate. Not
surprisingly, 49 percent say they are not confident they know about all cloud computing applications,
platforms and infrastructure services their organizations currently use. These results indicate that many
organizations are “flying blind” with regards to securing these technologies, potentially putting their
business operations, intellectual property and customer information at risk.


Pie Chart 3: How confident are you that your IT organization knows all cloud computing resources
used within your company today?

Table 3: How involved are members of your security team in the decision-making process for allowing
the use of cloud applications or platforms?
Rarely              56%
Never               24%
Some of the time    12%
Most of the time     5%
Always               3%

§7. Two years from now, most respondents plan to use cloud computing much more intensively
than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud computing
to be very important or important to meeting their IT and data processing goals. The percentage of
organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing
requirements is projected to triple, from 24 percent to 72 percent.

Bar Chart 7: How important is the use of cloud computing for meeting IT objectives?

§8. Yet even as momentum for cloud computing builds, doubts about the security of cloud
computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud
computing in their organizations: increased security risk (56 percent), loss of control over end users (40
percent), increased risk of non-compliance (33 percent) and increased data privacy risk (31 percent).

Pie Chart 3: In your opinion, are there any disadvantages to using cloud computing resources within
your organization?

Table 3: If yes, what are the main disadvantages?
Increased security risk                                    56%
Loss of control over end-users                             40%
Increased risk of non-compliance                           33%
Increased data privacy risk                                31%
Increased risk of business process conflicts or snafus     19%
Increased complexity in meeting IT requirements            16%

Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential
or sensitive information. The most common difficulties are in controlling or restricting end-user access (80
percent) and directly inspecting cloud computing vendors for security compliance (77 percent).

Pie Chart 3: Does cloud computing make it more difficult to protect confidential or sensitive
information?

Table 3: If yes, what are the main difficulties?
It is more difficult to control or restrict end-user access                                          80%
It is more difficult to inspect cloud computing vendor for security compliance directly              77%
It is more difficult to apply conventional information security in the cloud computing environment   31%
Don’t know                                                                                           10%


Taken together, these statistics indicate that not many cloud service providers are offering compliance-
ready infrastructure. Vendors that facilitate security and regulatory compliance through their services and
solutions, therefore, differentiate themselves in a competitive market.

So what is considered too dangerous or risky to store in the public cloud ecosystem? According to
respondents, the top three categories of confidential information considered too risky to be stored in the
cloud are financial business information (69 percent), health information (65 percent) and credit card
information (53 percent).

Bar Chart 8: Types of sensitive or confidential information considered too risky for public clouds

§9. Organizations most frequently protect themselves through traditional IT security solutions and
legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud
computing vendors were the most common means to protect both sensitive business and customer data
(32 percent for each kind of data [see Bar Chart 3]). A point of potential concern is that most
organizations (60 percent) use conventional security tools to protect information in the cloud, even though
some of those tools don’t work in cloud environments. These results suggest that many respondents don’t
understand the specific security risks and remedies cloud computing environments present.

Cloud providers and their customers must be in sync about security but that level of maturity by and large
hasn’t developed yet. Such syncing is particularly challenging because most organizations don’t have IT
professionals involved in assessing cloud-related risks.

Business managers and end-users put business considerations first and are often eager to take
advantage of cloud computing trends as quickly as possible. As a result, they rely too heavily on standard
business practices rather than on evaluations grounded in IT security best practices. While legal protections
are of course necessary, they don’t always address issues specific to IT security, which can leave
organizations at risk.

III. Implications for Public Sector & Financial Services Organizations

This study underscores pervasive concerns many public sector organizations have about keeping data—
especially personal and/or sensitive data—under control and secure in cloud computing environments.
Implications for the public sector include the following:

• The primary reasons organizations use cloud computing tie directly into public sector priorities. These
are reducing taxpayer costs and delivering better services faster to constituencies. Increased focus
on security is crucial for cloud vendors to persuade public sector organizations that cloud computing
can help accomplish those organizations’ missions (Key Finding 1).

• Developing an effective combination of business and IT management and leadership that cloud
computing demands is especially important for public sector organizations given the specific
business, security and regulatory challenges the public sector faces compared to other industry
sectors (Key Finding 5).

• Public sector organizations are especially interested in cloud vendors offering compliance-ready
infrastructure because that infrastructure can help them meet security and regulatory requirements
more quickly and effectively. This can lead to faster and better mission success and help avoid costly
data breaches (Key Finding 8).

Financial services organizations face similar issues:

• Developing an effective combination of business and IT management and leadership that cloud
computing demands is especially important for financial services organizations given the specific
business, security and regulatory challenges they face compared to other industry sectors (Key
Finding 5).

• Financial services organizations are especially interested in cloud vendors offering compliance-ready
infrastructure because that infrastructure can help them meet security and regulatory requirements
more quickly and effectively. This can lead to faster and better service delivery, improved
performance and avoidance of costly data breaches (Key Finding 8).

• Financial services organizations that rely on legal or indemnification agreements for protection need
to ensure those agreements contain sufficient data security and access provisions to meet regulatory
requirements (Key Finding 9).

IV: Methods

A sampling frame of nearly 14,000 adult-aged individuals who reside within the United States was used to
recruit and select participants to this survey. Our randomly selected sampling frame was built from
several proprietary lists of experienced IT and IT security practitioners.

Table 4: Sample response statistics     Freq.     Pct%
Sampling frame                          13,956    100.0%
Total invitations                       12,531     89.8%
Bounce back                              1,650     11.8%
Returns                                    918      6.6%
Rejections                                 109      0.8%
Final sample                               809      5.8%
After screen 1                             755      5.4%
After screen 2                             637      4.6%

In total, 918 respondents completed the survey. Of the returned instruments, 109 surveys failed reliability
checks. A total of 809 surveys were used as our final sample, which represents a 5.8 percent response
rate.

Two screening questions were used to ensure respondents had relevant knowledge and experience,
resulting in a reduced sample size of 637 individuals. Ninety percent of respondents completed all survey
items within 15 minutes.[1] The average overall experience level of respondents is 12.01 years, and the
average years of experience in their present job is 4.5 years.

Pie Chart 4 reports the primary industry sector of respondents’ organizations. As shown, the largest
segments include financial services, government, industrial companies, pharmaceuticals and healthcare
(combined), and services.

Pie Chart 4: Industry distribution of respondents’ organizations

[1] Please note that nominal compensation was provided to respondents who successfully completed the
survey instrument.

Table 5 reports the respondent organization’s global headcount. As shown, a majority of respondents
(85 percent) work within companies with more than 1,000 employees, and 38 percent are located in
larger-sized companies with more than 10,000 employees.

Table 5: The worldwide headcount of respondents’ organizations     Pct%
Less than 500 people         4%
500 to 1,000 people         11%
1,001 to 5,000 people       21%
5,001 to 10,000 people      26%
10,001 to 25,000 people     25%
25,001 to 75,000 people      8%
More than 75,000 people      5%
Total                      100%

Table 6 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents
are located in the organization’s IT department (led by the company’s CIO). Eighteen percent report to
the company’s security officer (or CISO).

Table 6: Respondent’s primary reporting channel     Pct%
CEO/Executive Committee                1%
Chief Financial Officer                4%
Chief Information Officer             52%
Chief Information Security Officer    18%
Compliance Officer                     5%
Chief Privacy Officer                  0%
Director of Internal Audit             1%
General Counsel                        0%
Chief Technology Officer               7%
Human Resources Leader                 0%
Chief Security Officer                 4%
Chief Risk Officer                     6%
Other                                  3%
Total                                100%

Table 7 reports the U.S. region in which respondents are located. As can be seen, respondents are
distributed across all regions, with the Northeast (20 percent) and the Pacific (19 percent) most
represented.

Table 7: Location of the respondent     Pct%
Northeast        20%
Mid-Atlantic     18%
Midwest          18%
Southeast        13%
Southwest        12%
Pacific          19%
Total           100%

V. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most web-based
surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a web-based collection method, it is possible that non-web responses by mailed survey or
telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide a truthful response.

VI: Recommendations

We recommend that organizations immediately assess what specific, proactive steps they should take to
protect sensitive information stored in the cloud. Other recommendations to implement immediately
include the following:

• Organizations should ensure that policies and procedures clearly state the importance of protecting
sensitive information stored in the cloud. The policy should outline what information is considered
sensitive and proprietary.

• Organizations should vet and evaluate the security posture of third parties before sharing confidential
or sensitive information. As part of the process, corporate IT and/or IT security experts should
conduct a thorough review and audit of the vendor’s security qualifications.

• Prior to deploying cloud technology, organizations should formally train employees how to mitigate
the security risks specific to the new technology to make sure sensitive and confidential information is
not threatened.

• Organizations should establish an organizational structure that allows the CIO, CISO or other
security/privacy leaders to participate actively in the vetting, purchasing and implementing processes
to ensure they are handled appropriately.

• Larger organizations should establish a function dedicated to information governance oversight.

• Organizations should expand their governance activities beyond traditional IT areas to better protect
their business.

• Organizations should define policy around information and applications they are willing to put in the
cloud.

• Cloud computing vendors should provide more transparency into their security infrastructure to help
ensure customer confidence that information stored in the cloud is secure.

These recommendations should be incorporated into all procedures involving employees using cloud
computing resources. Doing so will address numerous significant risks facing organizations as cloud
computing technologies become more pervasive.

If you have questions or comments about this research report or you would like to obtain additional copies
of the document (including permission to quote from or reuse this report), please contact us by letter,
phone call or e-mail:
Ponemon Institute LLC
Attn: Research Department
2308 US 31 North
Traverse City, Michigan 49686 USA
1.800.887.3118
research@ponemon.org


Detailed Survey Results


Audited results presented by Dr. Larry Ponemon, completed March 2009

The following tables provide the frequency and percentage frequency of responses to all survey questions.
This web-based survey was conducted by Ponemon Institute with subject debriefing completed on March 2, 2010.
The final sample size involves 809 respondents (637 after screening).

Sample response statistics Freq. Pct%
Sampling frame 13956 100.0%
Total invitations 12531 89.8%
Bounce back 1650 11.8%
Returns 918 6.6%
Rejections 109 0.8%
Final sample 809 5.8%

I. Screening
Q1. Does your organization use cloud computing resources? Freq. Remainder
Yes 755 755
No (stop) 54 0
Total 809 755

Q2. What percent of your organization’s total use of cloud computing resources involves public versus private clouds? Freq. Remainder
All or mostly public cloud 501 501
About equal public and private cloud 136 136
All or mostly private cloud (stop) 118 0
Total 755 637

II. Attributions about information governance. Please use the scale provided below each statement to express your opinions about information governance within your organization.
Strongly agree Agree
Q3a. My organization is committed to protecting confidential or
sensitive information. 19% 32%
Q3b. My organization has established clearly defined accountability
for safeguarding of confidential or sensitive information. 16% 26%
Q3c. My organization educates employees to understand their
responsibilities in safeguarding sensitive or confidential information. 16% 24%
Q3d. My organization is careful about sharing confidential or sensitive
information with third parties such as business partners, contractors,
and vendors. 16% 32%
Q3e. My organization respects the privacy rights of customers,
consumers and employees. 12% 27%
Q3f. My organization is proactive in managing compliance with
privacy and data protection requirements around the globe. 8% 23%


III. Background on cloud computing


Q4. What cloud computing applications does your organization presently use? Please select all that apply. Total%
We don’t use cloud computing applications 14%
Peer-to-peer (such as Skype) 58%
Social media applications (such as Facebook, YouTube, Twitter, etc.) 50%
Business applications (such as CRM inc, SalesForce.com, webmail, HR, GoogleDocs, etc.) 79%
Infrastructure applications (online backup, security, archiving, etc.) 23%
Other 5%
Total 229%

Q5. What cloud computing platforms does your organization presently use? Please select all that apply. Total%
We don’t use cloud computing platforms 39%
Services (such as identity management, payments, search and others) 45%
Solution stacks (such as Java, PHP, Python, ColdFusion and others) 46%
Other 11%
Total 141%

Q6. What cloud computing infrastructure services does your organization presently use? Please select all that apply. Total%
We don’t use infrastructure services 38%
Computing 43%
Network 14%
Storage 56%
Other 10%
Total 161%

Q7. Approximately, what percent of your organization’s total IT and data processing requirements are met by using cloud computing resources today? Pct% Extrapolated Percent
Less than 5% 15% 1%
Between 5 to 10% 12% 1%
Between 11 to 20% 29% 4%
Between 21 to 30% 9% 2%
Between 31 to 40% 6% 2%
Between 40 to 50% 5% 2%
Between 51 to 60% 3% 2%
Between 61 to 70% 1% 1%
Between 71 to 80% 0% 0%
Between 81 to 90% 0% 0%
More than 90% 3% 3%
Don’t know 17% 0%
Total 100% 18%


Q8. In your opinion (best guess), what percent of your organization’s total IT and data processing requirements will be met by using cloud computing resources two years from today? Pct% Extrapolated Percent
Less than 5% 4% 0%
Between 5 to 10% 3% 0%
Between 11 to 20% 6% 1%
Between 21 to 30% 11% 3%
Between 31 to 40% 17% 6%
Between 40 to 50% 13% 6%
Between 51 to 60% 12% 7%
Between 61 to 70% 11% 7%
Between 71 to 80% 8% 6%
Between 81 to 90% 0% 0%
More than 90% 5% 5%
Don’t know 10% 0%
Total 100% 40%

Q9. How important is the use of cloud computing applications or platform solutions for meeting your organization’s IT and data processing objectives? Today Next two years
Very important 18% 34%
Important 32% 46%
Not important 31% 18%
Irrelevant 19% 2%
Total 100% 100%

Q10. What are the primary reasons why cloud computing resources are used within your organization? Please select only two choices. Total%
Reduce cost 71%
Increase efficiency 49%
Improve security 11%
Faster deployment time 43%
Increase flexibility and choice 10%
Improve customer service 9%
Comply with contractual agreements or policies 6%
Other 0%
Total 199%

Q11. How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today? Pct%
Very confident 19%
Confident 32%
Not confident 49%
Total 100%


Q12a. Are cloud computing services evaluated for security prior to engagement or deployment by your end-users in your organization? Pct%
Yes 30%
No 53%
Don’t know 17%
Total 100%

Q12b. If yes, who is responsible for vetting or evaluating cloud computing vendors in your organization? Who is most responsible / Who should be most responsible
End-users 45% 9%
Business unit managers 23% 11%
Corporate IT 11% 34%
Compliance 3% 6%
Legal 1% 0%
Procurement 3% 2%
Internal audit 1% 0%
Information security 9% 35%
Physical security 0% 0%
Other 2% 0%
No one person (shared responsibility) 2% 3%
Total 100% 100%

Q12c. If yes, how does your organization go about vetting or evaluating cloud computing vendors? Please select all that apply. Total%
Word-of-mouth (market reputation) 65%
Contractual negotiation and legal review 26%
Proof of security compliance (such as SAS 70) 23%
Self-assessment checklist or questionnaire completed by vendor 25%
Assessment by in-house security team 18%
Third-party assessment by security expert or auditor 6%
Other 6%
Total 169%

Q12d. If no, why does your organization permit cloud computing resources to be deployed without vetting or evaluation for security risks? Please select all that apply. Total%
No one is in charge 44%
Not considered a priority 43%
Not enough resources to conduct evaluation 50%
Not able to control end-users 76%
Other 5%
Don’t know 18%
Total 236%


Q13a. In your opinion, are there any disadvantages to using cloud computing resources within your organization? Pct%
Yes 51%
No 26%
Don’t know 23%
Total 100%

Q13b. If yes, what are the main disadvantages? Please select only two choices. Total%
Increased security risk 56%
Increased data privacy risk 31%
Loss of control over end-users 40%
Increased risk of non-compliance 33%
Increased complexity in meeting IT requirements 16%
Increased risk of business process conflicts or snafus 19%
Other 0%
Total 195%

IV. Information governance in the cloud


Q14. How does your organization go about protecting confidential or sensitive information in the cloud? Please select only two choices. Total%
We rely on assurances from the cloud computing vendor 53%
We rely on contractual agreements with the cloud computing vendor 55%
We buy additional security services provided by the cloud computing vendor 11%
We use conventional security tools to protect information in the cloud 60%
Don’t know 16%
Other 2%
Total 197%

Q15a. Does cloud computing make it more difficult to protect confidential or sensitive information? Pct%
Yes 66%
No 23%
Don’t know 11%
Total 100%

Q15b. If yes, why does it make it more difficult to protect confidential or sensitive information in the cloud? Please select only two choices. Total%
It is more difficult to inspect cloud computing vendor for security compliance directly 77%
It is more difficult to apply conventional information security in the cloud computing environment 31%
It is more difficult to control or restrict end-user access 80%
Don’t know 10%
Other 0%
Total 198%


Q15c. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud? Please select all that apply. Total%
Consumer data 12%
Customer information 20%
Credit card information 53%
Employee records 38%
Health information 65%
Non-financial confidential business information 19%
Financial business information 69%
Intellectual property such as source code, design plans, architectural renderings 22%
Research data 29%
Other 9%
Total 336%

Q16. How does your organization determine that all appropriate security requirements are met before deploying cloud computing resources? Pct%
Self-assessment completed by the vendor 8%
Vetting and evaluation by in-house security team 5%
Vetting and evaluation by outside security expert or auditor 2%
Legal or indemnification agreement with cloud computing vendor 21%
Training of end-users before deploying cloud applications 6%
Other 3%
None of the above 55%
Total 100%

Q17. How does your organization educate employees about safeguarding sensitive or confidential information when using cloud applications? Pct%
Specialized training for each cloud application 5%
General data security training includes discussion of cloud applications 19%
General data security training without specific discussion about cloud applications 42%
Informal awareness effort 24%
Other 0%
None of the above 10%
Total 100%

Q18a. Does your organization have a policy that restricts or limits the use of certain cloud computing applications? Pct%
Yes 29%
No 49%
Don’t know 22%
Total 100%


Q18b. If yes, how is this policy communicated to end-users? Pct%
Internal awareness including email to employees 23%
It is part of the enterprise security policy 43%
Formal in-house training 5%
Informal process 11%
Don’t know 18%
Other 0%
Total 100%

Q19. In your opinion, how does the use of cloud computing applications affect the individual employee’s responsibility to safeguard sensitive or confidential information stored in the cloud? Pct%
Cloud computing increases employee (end-user) responsibility. 62%
Cloud computing decreases employee (end-user) responsibility. 4%
Cloud computing does not affect employee (end-user) responsibility. 34%
Total 100%

Q20. How does your organization ensure safe sharing of confidential or sensitive information with cloud computing vendors? Pct%
Informal self-assessment to review security requirements 8%
Vetting and evaluation by in-house security team 6%
Vetting and evaluation by outside expert or auditor 2%
Legal or indemnification agreement with cloud computing vendor 32%
Training of end-users before deploying cloud applications 6%
Other 3%
None of the above 43%
Total 100%

Q21. How does your organization go about ensuring the privacy rights of customers, consumers and employees when this personal information is stored in the cloud? Pct%
Informal self-assessment to review privacy requirements 8%
Vetting and evaluation by in-house privacy compliance expert 5%
Vetting and evaluation by outside privacy expert or auditor 0%
Legal or indemnification agreement with cloud computing vendor 32%
Training of end-users before deploying cloud applications 6%
Other 5%
None of the above 44%
Total 100%

Q22. What privacy and data protection regulatory requirements are most difficult to meet in the cloud computing environment? Please select no more than three choices. Total%
Various US state data breach laws 48%
Health Insurance Portability and Accountability Act (HIPAA) 45%
EU Data Protection Directive 43%
Sarbanes-Oxley 40%
Safe Harbor (US and EU agreement) 39%
Various country-specific privacy laws 35%
Gramm-Leach-Bliley 12%
Various FTC requirements including the Red Flags Rule 10%
Fair and Accurate Credit Transaction Act (FACTA) 9%
Fair Credit Reporting Act (FCRA) 7%
US Federal Privacy Act 5%
Children’s Online Privacy Protection Act (COPPA) 2%
Total 295%

Q23. Does the organization have procedures on how to decide if cloud applications using sensitive or confidential information should be allowed? Pct%
Yes 27%
No 51%
Don’t know 22%
Total 100%

Q24. Are members of your security team involved in the decision-making process about allowing the use of certain cloud applications or platforms? Pct%
Always 3%
Most of the time 5%
Some of the time 12%
Rarely 56%
Never 24%
Total 100%

V. Attributions about cloud computing. Please use the scale provided below each statement to express your opinions about information governance within your organization.
Strongly agree Agree
Q25a. My organization assesses the effect cloud computing applications may have on the classification of data according to risk. 9% 12%
Q25b. My organization determines what data is too sensitive for cloud computing applications. 8% 16%
Q25c. My organization is vigilant in conducting audits or assessments of data used by cloud computing applications. 6% 9%
Q25d. My organization is proactive in assessing the types of data to be allowed in the cloud. 6% 17%
Q25e. My organization’s IT infrastructure has the ability to ensure substantial security of information in the cloud. 11% 12%

VI. Organization characteristics and respondent demographics
D1. Your current title is (approximate only) Pct%
Director IT security 20%
Manager, network security 18%
Chief information security officer (CISO or approximate) 15%
IT compliance & security 14%
Quality assurance 12%
All others 22%
Total 100%


D2. What organizational level best describes your current position? Pct%
Senior Executive 0%
Vice President 2%
Director 20%
Manager 26%
Supervisor 15%
Staff or technician 34%
Other 3%
Total 100%

D3. Check the Primary Person you or your supervisor reports to within your organization. Pct%
CEO/Executive Committee 1%
Chief Financial Officer 4%
Chief Information Officer 52%
Chief Information Security Officer 18%
Compliance Officer 5%
Chief Privacy Officer 0%
Director of Internal Audit 1%
General Counsel 0%
Chief Technology Officer 7%
Human Resources Leader 0%
Chief Security Officer 4%
Chief Risk Officer 6%
Other 3%
Total 100%

D4. Location Pct%
Northeast 20%
Mid-Atlantic 18%
Midwest 18%
Southeast 13%
Southwest 12%
Pacific 19%
Total 100%

D5. Experience Mean Median
D5a. Total years in business 10.1 10.5
D5b. Total years in IT security 9.9 10.0
D5c. Total years in current position 4.8 5.3


D6. Educational and career background: Pct%
Compliance (auditing, accountant, legal) 9%
IT (systems, software, computer science) 42%
Security (law enforcement, military, intelligence) 29%
Other non-technical field 13%
Other technical field 7%
Total 100%

D7. What industry best describes your organization’s industry concentration or focus? Pct%
Airlines 1%
Automotive 1%
Agriculture 0%
Brokerage 2%
Cable 1%
Chemicals 1%
Credit Cards 2%
Defense 2%
Education 3%
Entertainment & Media 3%
Services 4%
Health Care 6%
Hospitality & Leisure 5%
Manufacturing 7%
Insurance 3%
Internet & ISPs 2%
Government 11%
Pharmaceutical 5%
Professional Services 4%
Research 2%
Retail 7%
Banking 11%
Energy 3%
Telecommunications 3%
Technology & Software 6%
Transportation 4%
Wireless 1%
Total 100%

D8. What best describes your role in managing data protection and security risk in your organization? Check all that apply. Pct%
Setting priorities 69%
Managing budgets 68%
Selecting vendors and contractors 63%
Determining privacy and data protection strategy 58%
Evaluating program performance 60%


D9. What is the worldwide headcount of your organization? Pct%
Less than 500 people 4%
500 to 1,000 people 11%
1,001 to 5,000 people 21%
5,001 to 10,000 people 26%
10,001 to 25,000 people 25%
25,001 to 75,000 people 8%
More than 75,000 people 5%
Total 100%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to
conduct high quality, empirical studies on critical issues affecting the management and security of
sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research).
Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant
or improper questions.
