
On the CA/Ponemon Security of Cloud Computing Providers Study…


CA recently sponsored the second in a series of Ponemon Institute cloud computing security surveys.

The first, released in May 2010, focused on responses from practitioners: “Security of Cloud Computing Users – A Study of Practitioners in the US & Europe.”

The latest, titled “Security of Cloud Computing Providers Study (pdf),” released this week, examines cloud computing providers’ perspectives on the same questions. You can find the intro here.

While the study breaks down the survey in detail in Appendix 1, I would kill to see the respondent list so I could use the responses from some of these “cloud providers” to quickly assemble my short list of those not to engage with.

I suppose it’s not hard to believe that security is not a primary concern, but given all the hype surrounding claims of “cloud is more secure than the enterprise,” it’s rather shocking to think that this sort of behavior is reflective of cloud providers.

Let’s see why.

This survey qualifies those surveyed as such:

We surveyed 103 cloud service providers in the US and 24 in six European countries for a total of 127 separate providers. Respondents from cloud provider organizations say SaaS (55 percent) is the most frequently offered cloud service, followed by IaaS (34 percent) and PaaS (11 percent). Sixty-five percent of cloud providers in this study deploy their IT resources in the public cloud environment, 18 percent deploy in the private cloud and 18 percent are hybrid.

…and offers these most “salient” findings:

  • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
  • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
  • Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
  • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services. The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
  • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
  • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

Ultimately, CA summarized the findings as such:

“The focus on reduced cost and faster deployment may be sufficient for cloud providers now, but as organizations reach the point where increasingly sensitive data and applications are all that remains to migrate to the cloud, they will quickly reach an impasse,” said Mike Denning, general manager, Security, CA Technologies. “If the risk of breach outweighs potential cost savings and agility, we may reach a point of ‘cloud stall’ where cloud adoption slows or stops until organizations believe cloud security is as good as or better than enterprise security.”

I have so much I’d like to say with respect to these summary findings and the details within the report, but much of it I have already said. I don’t think these findings are reflective of the larger cloud providers I interact with, which is another reason I would love to see who these “cloud providers” were, beyond the breakdown of their service offerings that was presented.

In the meantime, I’d like to refer you to these posts I wrote for reflection on this very topic:

  1. Chris
    April 29th, 2011 at 08:04 | #1


    Before you get too freaked out by a Ponemon report, do some background checking. They consistently announce "the sky is falling" and the only way to save your butt is to buy products from the vendor who sponsored the study. I have yet to see a single one of their studies that would hold weight with a real statistician. They are the FUD masters. 😀

  2. May 3rd, 2011 at 07:17 | #2

    Hi Chris,

    Thank you for following our work and for the careful review of our latest study. Because we do not collect personal or company identifiable information we cannot provide the names of the respondents or their companies. However, I can tell you we had a mix of both large and small cloud service providers, which is broken down in the study and also posted on my blog.

    As always, I’m happy to discuss the various research pieces we do.

  3. Phil Agcaoili
    May 3rd, 2011 at 22:35 | #3

    The salient findings are disturbing, but are sadly realistic, and I trust the Ponemon findings. The fact that customers are adopting cloud because of lower cost and faster deployment of applications is also not a shocker.

    The finding that cloud providers hold the customer responsible to secure their own data in the cloud jibes with the fact that I'm seeing increased staffing for internal security teams at companies that leverage the cloud. Many vendors that I've spoken to this past year have also wrestled with the balance of cost effectiveness versus security to deliver their service, so I understand why this is reflected in the study findings.

    I'm also certain that a cloud provider's security preparedness can easily be ascertained through RFP/RFI responses from cloud providers that have adopted respectable security practices. I'm coaching more and more vendors and customers to respectively complete or demand answers for the CSA Consensus Assessment Initiative (CAI) questionnaire and Cloud Controls Matrix (CCM) and embed them within their Master Services Agreement, so we'll see how much water this study holds in the next year, or if the sentiment changes.

    I know that several prominent cloud providers are quietly getting ISO 27001 certified and/or are exploring obtaining SSAE 16 SOC 1 and 2 reports (the next generation of SAS 70 type I and II attestations that are designed from the ground up for service providers).

    Thanks for the post and analysis, as always.

  4. Nick793
    September 28th, 2011 at 21:11 | #4

    Hey there, I heard about a site named iphone5inside taking preorders for the iphone5. Did anyone happen to have experience with them? Are they legit or just another scam site?
