The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility – but the customer’s.
In addition, the survey revealed that a “majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”
The report surveyed 103 cloud service cloud providers in the U.S. and 24 in six European counties (UK, Germany, France, Netherlands, Spain and Italy), broken down by providers in SaaS (55%), IaaS (34%) and PaaS (11%). The cloud providers range in size, offerings and scale. The U.S. sample was composed of 42% having less than 1,000 employees, and 58% having from 1,001 to 5,000 employees up to organizations with more than 75,000 employees.
The report states its “Key Finding” that:
[P]roviders of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want such as low cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function. As a result, providers in our study conclude that they cannot warrant or provide complete assurance that their products or services are sufficiently secure.
These results have sparked vigorous debate and questions on the report itself (i.e., here). It should be noted that the an entire page of qualifications and caveats is provided, including listing the issues of: non-response bias, sampling-frame bias, and the problems inherent in self-reported results.
Also, the report clearly states that “Sixty-five percent of cloud providers in this study deploy their IT resources in the public cloud environment, 18 percent deploy in the private cloud and 18 percent are hybrid.” The large numbers of public cloud providers undoubtedly skewed the results, and the security provisions of public cloud providers are by and large not acceptable for any corporate entity whose data consist of sensitive information, PII, PHI or similar such information, with a further observation that private cloud providers “appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.” It would have been useful had the surveyed providers been further broken down as to public, hybrid and private cloud offerings.
The study further reports that the majority of cloud providers surveyed “admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.”
If accurate overall in the industry, the cloud provider landscape is in need of serious change.
One bit of somewhat good news the survey revealed is that “about one-third of the cloud providers in our study are considering such solutions [providing additional security] as a new source of revenue sometime in the next two years.” Better late than never, I suppose, but I expect various forward looking cloud providers to push that timeframe up as a distinct competitive advantage (i.e. see IBM’s recent cloud announcements, here).
Breaking Down the Details
Another of the report’s conclusion is that “the focus on cost and speed and not on security or data protection [in cloud offerings] creates a security hole.” This potential “security hole” is a prime reason we advise clients, in certain circumstances, to be prepared to walk away from cloud providers under consideration if adequate and legally defensible security measures cannot be adequately negotiated and contractually provided for.
The report also states that “cloud providers are least confident about the following security requirements:
- Identify and authenticate users before granting access
- Secure vendor relationships before sharing information assets
- Prevent or curtail external attacks
- Encrypt sensitive or confidential information assets whenever feasible
- Determine the root cause of cyber attacks
These are serious security concerns any way you slice it.
But what are some actual hard numbers in the report? The report is worth a read, and at only 26-pages with numerous charts and table, makes for quick scanning, but some of the results, if again representative, are jaw dropping.
For instance, Table 2: Enabled security technologies deployed by cloud providers notes some truly concerning items. The percentages reflect technologies presently used or that will be deployed in the next 12 months. US & Europe results combined. Only 31% of cloud providers surveyed utilize an “ID & credentialing system” and only 43% use or plan to use in the next 12 months “encryption for data at rest” while 58% state they use or plan to use “encryption for data in motion.” The report summarizes that “[t]he enabling security technologies least used by US and European providers in the cloud computing environment are:
- Single sign-on
- Data loss prevention
- Correlation or event management
- Access governance systems
- Encryption for wireless communication
The fundamental takeaway from the Ponemon study is that cloud security is very much a work in progress, and that any cloud initiative or plan for corporate cloud usage needs serious due diligence by representatives from business, IT and legal working in conjunction.
Please feel free to contact me or any or the attorneys at the InfoLawGroup to discuss your own cloud scenarios or the legal issues and risks raised by moving to the cloud.