A study of North American and European cloud computing service providers was recently completed by CA Technologies and the Ponemon Institute. The study covered public, private and hybrid (both private and public) cloud services. Most of the service providers believe their biggest selling points are ‘lower cost and relative speed’ of services, in line with SaaS (Software as a Service) and IaaS (Infrastructure as a Service) offerings. Of note, the biggest concern is the lack of security in the cloud and within the applicable services. Per the study, on average, providers spend less than 10% of their resources on security, and most have no dedicated security personnel, leaving the onus for cloud security on the customer!
The areas of security that vendors/providers did not deem critical were those of compliance and regulation (at the bottom of each list with very low percentages, 15% or less being deployed by cloud vendors/providers). The prime examples are:
Data loss prevention
Correlation or event management
Access governance systems
Encryption for wireless communication
Perhaps the most telling and worrisome quote regarding this practice is:
“The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.”
So if security is the responsibility of the customer, and areas such as user provisioning, access management and data loss prevention are at the bottom of the heap as priorities, customers need to be wary.