Page 1

Overcoming the Apprehension of Cloud Computing

Results from the 2012 Cloud Computing Security Survey

SURVEY RESULTS REPORT

ALSO: Analysis and Insights

• Top Security Concerns • Success Factors • Confronting Risk • Vetting Vendors • Ultimate Responsibility

Page 2

2 © 2012 Information Security Media Group

2012 CLOUD SECURITY SURVEY

From the Editor: Confronting Cloud Computing Anxiety

Ask IT security practitioners what’s their No. 1 concern about cloud computing, and their most common answer, by far, is data protection. That concern – along with others such as enforcing security policies, maintaining an audit trail and meeting regulatory requirements – makes many organizations anxious about moving critical information and operations to the cloud.

No wonder many of the respondents to Information Security Media Group’s Cloud Computing Security Survey express hesitation about putting credit card, financial, health, personally identifiable and proprietary information, as well as intellectual property and trade and government secrets, on the cloud.

Despite their jitters, many IT security practitioners feel they have little choice but to pursue cloud computing options. Because of the perceived cost savings the cloud provides, their bosses see the cloud as a way to reduce IT expenses. Besides, IT security practitioners recognize that the cloud will play a crucial role in the future of enterprise computing, so they must identify and implement secure cloud computing practices. In fact, it’s already happening.

As you review the 2012 survey results, think about how to turn apprehension into resolve. In reality, many of the practices employed to secure data and systems can be used to provide cloud security.

Questions to consider:

• What proven IT security practices can be adapted to work on the cloud?

• With whom should you partner – from within your own enterprise, third parties, industry colleagues and cloud providers – to safeguard your digital assets on the cloud?

• How can you use cloud computing contracts with vendors to protect your interest in safeguarding data on the cloud?

Please let me know how you answer these questions, and share other thoughts you have about the survey and cloud computing security. Your ideas are important in helping all of us at ISMG shape our evolving cloud computing security coverage.

Eric Chabrow
Executive Editor
Information Security Media Group
[email protected]

Page 3

Contents

Introduction: What’s the Survey About?, page 4
Hot Topics, page 7
Sponsor’s Perspective, page 8
Survey Results, page 10
    Fundamental Concerns, page 10
    The Bottom Line, page 13
    Vetting the Vendor, page 14
    Confronting Risk, page 17
    Ultimate Responsibility, page 21
Scrutinizing the Cloud Provider, page 16
6 Principles for Effective Cloud Computing, page 19
The Agenda, page 22
Action Items, page 23
Resources, page 24

Implementing cloud computing effectively requires protecting information and preventing its loss.

Sponsored by CSC (NYSE: CSC), a trusted global leader in cybersecurity solutions, protecting some of the nation’s – and the world’s – most sensitive government and business systems and networks.

www.csc.com/cybersecurity

Page 4

Introduction: What Is This Survey About?

No longer an emerging technology, cloud computing is taking off globally as a way to gain efficient access to critical applications, processes and storage.

Still, as the 2012 Cloud Computing Security Survey – Overcoming the Apprehension of Cloud Computing – shows, cloud initiatives are relatively new for many organizations. Nearly 1 in 3 survey respondents say their organizations are not using the cloud, a strikingly high percentage considering how quickly the computing platform is maturing. Distrust of its ability to secure data remains a high barrier for many organizations.

Types of Clouds: What cloud environments has your organization employed? (multiple answers allowed)

Private: 54%
None: 31%
Public: 24%
Hybrid: 24%
Community: 15%

Security on the cloud is what worries most IT security practitioners. Nearly three-quarters of our respondents cite security as preventing their organizations from adopting cloud services.

Not Very Anxious: Do concerns about security prevent your organization from adopting cloud services?

Yes: 72%
No: 28%

And, because of their unease with the cloud, the promises the cloud presents in providing efficient and less costly secure IT solutions have fallen short. More than half of our respondents say their organizations have yet to achieve their cloud computing goals.

Page 5

Achieving Objectives: Have your organization’s cloud goals been met?

No: 30%
Not much: 22%
Yes: 18%
Some: 18%
Many: 12%

Despite jittery responses about the cloud’s security from many of the IT security professionals we questioned, the survey reveals that organizations are beginning to turn to the cloud to do much of what they’ve been doing all along, whether internally or contracting out to vendors using private networks to make the connection. Application hosting and e-mail/messaging are among the earliest offerings by cloud providers. The demand for data storage will only increase as the amount of data soars.

Popular Offerings: What cloud services does your organization have or will shortly deploy? (only top 5 listed)

Application hosting: 34%
E-mail/messaging: 34%
Data storage: 29%
Collaboration software: 25%
Application development/testing: 23%

Page 6

Cloud computing is revolutionizing the way businesses, not-for-profits and governments manage their information technology assets because of its potential to save organizations a significant amount of money and enable them to adopt new applications and scale systems to meet their computing needs.

We report a lot about cloud computing security on all of our editorial websites, and we wanted to examine not only cloud security concerns, but how security leaders addressed these concerns through policy, technology and improved vendor management. We asked survey respondents about their:

• Top Security Concerns: Were they more anxious about where their data are stored or whether a malicious insider might be a threat to it?

• Success Factors: On a scale with cost savings and availability of services, how did security rank among elements critical to a successful cloud computing implementation?

• Protective Measures: What were some of the practices organizations employed, from instituting more stringent contracts to enforcing third-party audits and participating in mock security exercises with cloud service providers?

• Ultimate Responsibility for Cloud Security: Lots of parties have roles in cloud computing: the IT and IT security organizations, business information owners and cloud providers. Who should be in charge to assure security?

The survey also covered cloud computing trends by industry and region, how senior leaders made their cloud decisions and top cloud-service investments projected for the coming year.

This survey was developed by the editorial staff of Information Security Media Group with the help of members of our brands’ Boards of Advisers, which include some of the most prominent experts in IT security and risk management. The global survey was fielded during the first quarter of 2012. Our respondents are involved with cloud computing decision-making within their organizations, determining strategies, establishing priorities, evaluating performance and picking providers; many also help determine their organizations’ IT and/or IT security budgets.

Page 7

Hot Topics

Survey results unveil five key topics that will be explored in depth in this report:

Fundamental Concerns: Survey respondents cite security (27 percent) and costs (24 percent) as the primary considerations when organizations mull cloud use. We explore IT security practitioners’ greatest reservations as well as the knowledge and expertise most lacking in their organizations regarding the cloud.

The Bottom Line: The upside of cloud computing is cost savings: 76 percent of respondents say the cloud will save their organizations money. The survey reveals other benefits of the cloud, including better scalability and improved computing flexibility.

Vetting the Vendor: More than one-third of survey respondents say they employ a third party to attest to the security a cloud provider offers. As we show, organizations employ other ways to vet cloud providers, including conducting their own assessments.

Confronting Risk: Nearly 80 percent of survey respondents say security is a high priority when evaluating a cloud provider. Other risk factors organizations consider include not only whether, but how cloud providers employ encryption.

Taking Responsibility: Slightly more than half of our survey takers say the end-user organization – either the business-side/data owners or the IT or IT security organization – and not cloud providers have ultimate responsibility to ensure the security of cloud resources. We show 37 percent of respondents either have moved or plan to move critical systems to the cloud.

Page 8

SPONSOR’S PERSPECTIVE

A Perspective on the 2012 Cloud Computing Security Survey
Samuel Sanders Visner, Vice President and Cyber Lead Executive, CSC

The 2012 Cloud Computing Security Survey conducted by Information Security Media Group reveals persistent concerns regarding the cybersecurity of cloud architectures and cloud adoption.

At the same time, particularly in today’s economic environment, it is becoming increasingly difficult for information technology professionals to deny the cost advantages and avoid completely the use of cloud architectures and infrastructures. Gaining these benefits means that we must understand these security concerns, and we must address them.

For those IT professionals and organization leaders responsible for the security of vital and sensitive information, cloud cybersecurity is an important challenge, serious enough that nearly one third of the survey’s respondents indicated that their organization had not employed any cloud architecture whatsoever, despite the powerful lure of cloud’s economic model. Respondents cited a number of concerns, including worries about data protection, issues related to the enforcement of security policy, and fears about data loss.

Data protection is a particularly important concern. Even data that’s publicly available should be protected if it’s used by companies, individuals, and governments to make daily and, in the case of “big data,” strategic decisions. Imagine the damage if that information suddenly became unreliable. Organizations need to ensure that their cybersecurity policies and protections cover information assurance – particularly as they seek to unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy, and national security. The survey shows we still have some way to go to allay these types of cybersecurity concerns.

The challenges cited in this survey are consistent with the larger need to define cloud architectures capable of dealing with the security challenges of embedded, industrial control systems and supervisory control and data acquisition (SCADA) systems that are the bedrock of utilities such as power, water, and transportation, as well as manufacturing. It’s noteworthy that even the Department of Defense Advanced Research Projects Agency (DARPA) has asked for ideas about how to securely extend cloud architectures to embedded systems used in military critical computing.

How can we best address the security concerns of these diverse organizations and help them gain the wide variety of benefits (cost, flexibility, scalability, advanced technology, etc.) offered by cloud? Here are some things to keep in mind:

• First, cloud providers must take a rigorous approach to cloud cybersecurity. Meeting strict security standards, such as those associated with the Federal Information Security Management Act, or FISMA, will take time and careful work. Providers should commit themselves to a disciplined and well-documented approach to meeting those controls.

• Second, information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers’ approach to meeting those controls. One way to be well informed regarding the controls required is to conduct a risk-based analysis of the value of critical information and systems, as well as the threats that exist to that information and those systems. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it. Remember, too, that while security standards will likely stay consistent, security challenges change frequently. Look for a cloud provider, therefore, that keeps up to speed regarding these challenges and has the means in place to adapt and address them.

• And, finally, have a long-term strategy that encompasses using the cloud incrementally. While the use of cloud for applications associated traditionally with the desktop is a good starting point, eventually organizations should look to cloud less as a way of saving money and more as a way of unlocking value. Consider things like what cloud can do – over time – to make it easier to aggregate, analyze, and exploit big data. Think about how cloud can enable enterprise integration of global supply chains. In other words, think of cloud in combination with other emerging needs and opportunities. While the protection of IP is today’s biggest concern, don’t overlook your organization’s other potential uses of cloud and the need to protect those uses.

The ISMG survey shows that information technology providers want to claim the cloud’s benefits, but they are aware of the cybersecurity challenges that must be met to meet those benefits, even in the private cloud context. Organizations should couple this awareness with strategies that are carefully considered and with the selection of cloud and cybersecurity partners who will share and support an enterprise’s strategy.

Sam Visner

Page 10

Survey Results

Fundamental Concerns

Organizations must weigh the benefits against the risks when determining whether to implement a cloud computing solution.

Under Deployment: What are the top 5 factors mulled when deciding to develop/deploy a cloud solution?

Security: 27%
Cost: 24%
Ability to share data: 12%
Resources: 9%
Need computing resources quickly: 8%

When exploring a cloud initiative, security is the No. 1 concern. If the data or system can’t be secured, then why do it? It’s a logical question, and one that must be addressed before organizations employ a cloud solution.

All organizations are under considerable pressure to rein in costs, so seeking a solution that could save money is being pushed by the bosses of those responsible for securing IT. Resources are costly. Getting additional IT resources on the cheap is an objective everyone seeks. But it’s also a matter of time. Often, computing resources are needed now, and getting them quickly is a significant reason to turn to a cloud provider.

Second Thoughts: What is your greatest reservation about secure cloud computing?

Data protection: 22%
Enforcing security policies: 14%
Data loss: 9%
Audit trail: 8%
Meeting regulatory requirements: 7%

The survey confirms that data protection is the No. 1 reservation about cloud computing. That’s understandable in an era where data are vital assets for many organizations.

As IT security lawyer Françoise Gilbert points out, if a cloud provider loses an organization’s data, compensation would likely be based on the amount the client paid for the service, not the value of the information to the enterprise. “What you’re going to get back is very small … it’s dollars, tens of dollars, but it’s not millions of dollars,” she says. “You get what you pay for. You pay a small amount to hold your data, but in exchange you have to be aware of the risk. … Be prepared to be a victim.”

The other survey responses here reflect a major problem with having someone else house your data – knowing how it’s being protected. How to enforce security policies and/or meet regulators’ requirements just adds more complexity to the use of cloud services. There are ways to address these concerns, but they often involve time, money and a good lawyer.

Page 11

No Shows: What data are too risky to put on a private cloud?

Credit card: 54%
Intellectual property/trade secrets: 51%
Financial: 49%
Health: 49%
State/government secrets: 46%
Proprietary/sensitive: 45%
Personally identifiable: 45%

This question focuses on the private cloud, an offering that’s perceived as being more secure than public, community and hybrid clouds. Even with extra security, either a majority or a sizeable plurality of our respondents feel it is too risky to put some very common data on a private cloud. This attitude must change if the cloud is to become a critical platform for IT.

Another reason organizations have shown a reluctance to adopt the cloud at a faster pace is the lack of expertise and knowledge about the technology on their own staffs. About three-quarters of the respondents say their technical staffs lack the know-how to deploy cloud solutions. Only 1 in 20 respondents feel their staffs are totally versed on the cloud.

Page 12

Missing Links: What types of knowledge or expertise are most lacking in your organization regarding secure cloud computing? (top five answers shown)

Security: 28%
Technology/Implementation: 17%
Compliance: 14%
Legal: 10%
Standards: 10%

What knowledge is most absent? Security, technology and implementation, compliance, legal and standards, respondents replied. This list of varying skills illustrates why the cloud needs buy-in, not just from the technical staff, but from various parts of the enterprise. It also shows how complex proper execution of a cloud initiative is.

2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud

Join a distinguished panel of cloud computing experts for the first look at the findings of this perceptive study and how organizations can improve the security of their cloud computing initiatives, including:

• Understanding risks cloud computing presents;

• Mitigating these risks;

• Steps to take to employ cloud computing securely and effectively.

Register now: http://www.inforisktoday.com/webinars.php?webinarID=276

Page 13

The Bottom Line

Cloud computing investments remain a very small percentage of most organizations’ IT budgets. Our survey shows that just over 40 percent of respondents’ organizations devoted 10 percent or less of their IT budgets to public, community and hybrid clouds, with just over one-third earmarking money for private clouds. Nearly 40 percent of respondents say their organizations didn’t allocate any money for public/community/hybrid clouds; less than a quarter didn’t apportion any funds for the private cloud.

Still, cloud computing is perceived to lower costs and provide other benefits to the organization.

Wrong Impression: Will cloud computing save your organization money?

Yes: 76%
No: 24%

It’s not just that the cloud is seen as a money saver; it provides opportunities to try out new solutions without a hefty investment, or to buy storage or processing time, when needed, without a significant investment.

The Upside

Why the cloud? Ask anyone involved in cloud computing, and they’ll say cost is the primary reason to adopt the technology. Indeed, three-quarters of our respondents say cloud computing will save their organizations money.

But there are many other benefits, some that could have a profound impact on how organizations fund IT initiatives.

Advantages: What are the benefits of cloud computing?

Cost savings: 23%
Better scalability: 16%
Improved flexibility: 10%
Switch from CapEx to OpEx: 5%
Advanced technology: 5%
Compliance: 5%
Faster development time: 5%

Though only 5 percent of our respondents identified the switch from capital expenditure to operational expenditure as the prime benefit of cloud computing, it’s a factor that will change the way enterprises approach the funding of IT and IT security. The cloud provides organizations with IT without significant upfront costs. And, as some of our respondents note, the cloud gives organizations access to advanced technology, also without a significant initial outlay.

Page 14

Vetting the Vendor

Checking Out Cloud Providers: What are the primary ways your organization verifies the security your cloud provider offers? (top six answers shown)

Third-party attestation: 35%
Conduct own assessment: 28%
Joint vulnerability testing with provider: 16%
Accept word of provider: 7%
We don’t verify: 7%
Follow lead of another company similar to yours: 5%

IT security managers don’t agree on the best ways to verify the security of cloud providers, but a majority of them agree that some type of formal assessment must be done, whether provided by a third party, done themselves or jointly with the cloud provider.

Getting Outside Help: Does your organization employ a third-party organization to certify or attest the security of the cloud provider?

Yes: 34%
No: 66%

Trusting a cloud provider is crucial. In its guidance, the National Institute of Standards and Technology observes that a lack of visibility into the cloud makes it difficult for users to be confident that providers are in compliance with regulations unless the provider obtains an independent audit from a trusted third party. Even here, the frequency of third-party audits may limit the overall assurance offered, since a cloud system could quietly drift out of compliance between audits.

Due Diligence: Who does the vetting in government? (Asked of government respondents only)

Third-party provider: 57%
Own agency: 22%
Another agency: 20%

In the U.S. federal government, a new initiative called FedRAMP – it stands for the Federal Risk and Authorization Management Program – provides for a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The idea is that if one agency vets a cloud provider, other agencies can use that evaluation for their own provider assessment, saving time and money.

Under FedRAMP, third-party assessment organizations perform initial and periodic assessments of cloud provider systems, provide evidence of compliance and play a continuing role in ensuring cloud providers meet requirements.

The federal government won’t allow agencies to employ a cloud service unless it passes an audit by a third-party assessor to validate and verify it meets FedRAMP requirements.

Page 15

Trustworthiness: Would external certification of a cloud provider increase trust in cloud computing?

Yes, but only if certification data can be reviewed and verified: 38%
Yes, but only if this certificate is based upon an agreed standard: 25%
Yes, but only if the certifying body can show accreditation: 16%
No: 13%
Yes, in any case: 8%

It all comes down to trust. External certification of a cloud provider is seen as crucial by more than 85 percent of our respondents. Yet, for about half of the IT security practitioners we surveyed, external certification works only if the certification data can be reviewed and validated, if the certifying body can show it’s accredited and/or if the certificate is based on an agreed standard.

Page 16

VENDOR RELATIONS

Scrutinizing the Cloud Provider: A look at how the City of Seattle and the Jet Propulsion Laboratory vet their cloud providers

In a roundtable discussion on the Cloud Computing Security Survey, Seattle Deputy Chief Information Security Officer David Matthews and NASA’s Jet Propulsion Laboratory Chief Technology Officer/IT Tomas Soderstrom address how their organizations go about vetting their cloud computing providers. What follows is an edited version of that conversation.

DAVID MATTHEWS: We have a series of questions that we go through in a procurement process. We ask cloud providers to either provide us with a third-party certification and/or allow us to do our own assessment of their site. We ask them about what their uptime promises are; we ask for warranties on their uptime. We ask for information on their records management and recovery issues and business continuity and disaster recovery. We also use a lot of community connections, too. We talk to other local and state and even federal government partners to try to find out what they’re doing and improve their findings if they’ve got big solutions that are working. We [also get information from] other states through the MS-ISAC (Multi-State Information Sharing and Analysis Center). We are very much a community-oriented group. In the Pacific Northwest here, we look at who’s finding good solutions, who’s finding people that they feel like they can trust and that are doing a good job. We do that as well as ask the technical sort of questions and the contract questions.

TOMAS SODERSTROM: We vet ourselves first. We don’t put everything in one cloud because different clouds are good at different things. If we, for instance, picked one cloud and it was a super, super secure cloud, then we’d be paying too much for security, for content that didn’t really need to be secured, whereas if we did the other one, we’d picked some cloud vendor that’s wide open, then we couldn’t put secure content in it. The key is to put the appropriate computing and the appropriate storage in the appropriate cloud.

We ask a lot of questions from our end users. In fact, we coded it so that when they select a cloud vendor, it does it automatically based on the answers to those questions. It picks it from a short list of cloud vendors. So far we have data in 10 different clouds, and we let the users dictate which one is the stronger.

This is fairly new; we created a Cloud Computing Commodity Board. The board consists of people from IT security, the IT department, legal, procurement, acquisition department, billing and invoicing and a lot from the missions – the people who actually use the clouds. They vet it. We have some mandatory questions, and then some would-be-nice-to-have questions. That’s how we get the cloud providers into the JPL marketplace to be picked from the subservice software. By doing that, we can have them come on or off the short list without having to issue an RFP (request for proposal) each and every time. We can put the appropriate content in the appropriate place.

The appropriateness really comes down to cost. If we have two choices for every function, then we make sure we don’t get locked into any one vendor and that we pay the least we can possibly do. We also spend a lot of time talking to other entities in the federal government and outside to find out what cloud vendors are doing.

Service-level agreements are not a really big thing for us because we collect science data. If we lost that science data from space and we get a few cents back for compute hours, that would not be meaningful. Instead, we look at three strikes and that cloud vendor is out and we’ll go somewhere else. We think in terms of service-level understanding because the compute costs are really quite low compared to other normal ways of doing it.

Perhaps most importantly, we talk to the cloud vendors themselves and set up a lot of face-to-face discussions. That’s usually through video conference so that our legal people can talk to their legal people, our IT security people can talk to their IT security people and understand how, if we need to do a forensics investigation, how we would do that. We showed them how we get audited and different audits for different types of data and said, “How would you help us pass this audit?”
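Soderstrom describes coding the vendor choice so that a user’s answers to a set of mandatory questions pick a cloud from a pre-vetted short list, with a “three strikes” rule for dropping a vendor. The Python below is an added example of that kind of questionnaire-driven placement; it is not JPL’s or the City of Seattle’s code. The vendor short list, its attributes, the classification levels and the two workloads are all constructed for illustration, and the mandatory questions (third-party attestation, forensic support, in-country servers) are drawn from the themes of this report rather than from any real procurement checklist.

```python
"""Questionnaire-driven cloud placement with a strike rule.

Added example: the vendor short list, attributes, classification levels and
workloads below are all constructed; none of it is JPL's or Seattle's data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordered sensitivity levels; a vendor must be vetted for at least the workload's level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
MAX_STRIKES = 3  # "three strikes and that cloud vendor is out"


@dataclass
class Vendor:
    name: str
    max_level: str              # highest classification the vendor has been vetted for
    third_party_attested: bool  # an outside assessor's attestation is on file
    forensic_access: bool       # will support an investigation on request
    in_country: bool            # servers sit in the customer's home country
    cost_per_hour: float        # constructed relative cost for equivalent compute
    strikes: int = 0            # service incidents recorded against the vendor


@dataclass
class Workload:
    name: str
    level: str
    needs_forensics: bool
    must_stay_in_country: bool


def record_strike(v: Vendor) -> bool:
    """Log a service incident; return True once the vendor is struck out."""
    v.strikes += 1
    return v.strikes >= MAX_STRIKES


def failed_requirements(w: Workload, v: Vendor) -> list[str]:
    """Mandatory questions as hard filters; an empty list means the vendor is eligible."""
    failures = []
    if v.strikes >= MAX_STRIKES:
        failures.append("struck out")
    if LEVELS[v.max_level] < LEVELS[w.level]:
        failures.append(f"not vetted for {w.level} data")
    if LEVELS[w.level] >= LEVELS["confidential"] and not v.third_party_attested:
        failures.append("no third-party attestation")
    if w.needs_forensics and not v.forensic_access:
        failures.append("no forensic support")
    if w.must_stay_in_country and not v.in_country:
        failures.append("servers outside home country")
    return failures


def place(w: Workload, short_list: list[Vendor]) -> dict:
    """Pick the cheapest vendor that passes every mandatory question."""
    verdicts = {v.name: failed_requirements(w, v) for v in short_list}
    eligible = sorted((v for v in short_list if not verdicts[v.name]),
                      key=lambda v: (v.cost_per_hour, v.name))
    return {
        "workload": w.name,
        "choice": eligible[0].name if eligible else None,
        "alternatives": [v.name for v in eligible[1:]],
        "lock_in_risk": len(eligible) < 2,  # "two choices for every function"
        "rejected": {n: f for n, f in verdicts.items() if f},
    }


# Constructed short list (hypothetical vendors and attributes).
SHORT_LIST = [
    Vendor("cloud-a", "restricted", True, True, True, 0.40),
    Vendor("cloud-b", "internal", False, False, True, 0.10),
    Vendor("cloud-c", "confidential", True, True, False, 0.20, strikes=1),
    Vendor("cloud-d", "restricted", True, True, True, 0.30, strikes=3),
]

# Constructed workloads: a public archive vs. evidence that must stay investigable.
WORKLOADS = [
    Workload("public-telemetry-archive", "public", False, False),
    Workload("incident-evidence-store", "confidential", True, True),
]

if __name__ == "__main__":
    for w in WORKLOADS:
        print(place(w, SHORT_LIST))
```

The mandatory questions act as hard filters; among the vendors that pass, the cheapest wins. That is the “appropriate content in the appropriate place” rule in code: confidential data never lands on an unattested cloud, and public data is not charged the price of a high-assurance one. The lock_in_risk flag surfaces the “two choices for every function” check whenever only one vendor survives the filter, and record_strike implements the three-strikes rule that removes a vendor from every future placement.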

Page 17: Overcoming the Apprehension of Cloud Computing

2012 CLOUD SECURITY SURVEY 2012 CLOUD SECURITY SURVEY

17

Confronting RiskAs you examine the next three graphs, you’ll come away with

the impression that many organizations are relatively immature

in regards to cloud computing deployment.

The response to the security question of whether internal audits

provide appropriate feedback to improve cloud security suggests

that internal audits have yet to provide suitable insights into

cloud computing.

Audit Lessons: Do internal audit reviews provide appropriate feedback to improve cloud security?

For many organizations, cloud use is nascent, and not many security audits have been conducted. In addition, auditors in some organizations need to get educated about cloud security in order to provide valuable insight. Look for the “yes” response to grow in the coming years.

It’s More than Process: Does your organization have adequate policies/procedures to enable safe and secure cloud use?

The fact that a majority of our respondents say their organizations don’t have adequate policies and procedures to enable safe and secure cloud use suggests a lack of sophistication in many organizations’ cloud initiatives. As organizations rely more on the cloud for applications and as a platform, look for more enterprises to develop processes for how they should address secure cloud computing.

Prioritizing Security: How much of a priority is security when evaluating a cloud provider?

Cost may be the principal driver for organizations to adopt cloud computing, but until it’s deemed secure, most organizations will approach the cloud with extreme caution.


[Chart: Audit Lessons. Yes 50%; No 50%.]

[Chart: It’s More than Process. Yes 41%; No 59%.]

[Chart: Prioritizing Security. High priority 79%; Neither high nor low priority 11%; No/low priority 10%.]


Location, Location, Location: How important is the physical location of cloud servers?

Specifically, we asked how important it is that your cloud provider’s servers be situated in the country where your organization is based.

We all know that data can be moved around the globe at lightning speed. Data on the cloud can be stored anywhere. That doesn’t sit well with most of our respondents. Not knowing where critical assets are stored can be nerve-racking. And there can be legal reasons, too: each country has its own laws defining who can have access to data, and having data scattered around the world can give an IT manager a headache.

Encryption, Of Course: Does your cloud provider use encryption to protect data?

Encryption, these days, is one of the fundamental ways organizations safeguard their data, whether on laptops, mobile devices, servers and, of course, on the cloud. Employing a cloud provider that offers encryption is a must for a large number of IT security practitioners. Bear in mind what a provider’s “yes” covers, though: encryption the provider performs with keys it holds protects stored media from theft or mishandling, but it does not protect the data from the provider itself or from anyone who can compel the provider. Protection against those parties requires encryption under keys the customer controls, which is why the question of who manages the encryption keys matters as much as whether encryption is used at all.

To Encrypt or Not to Encrypt? What unencrypted data would your organization put on a cloud provider’s server? (Multiple answers allowed)

Nearly half of our respondents can’t conceive of putting any data on the cloud without the information being encrypted.

Organizations must make sure that their legal contracts with cloud providers assure encryption when appropriate. “The best way to mitigate those risks is to really understand who’s got what responsibility and what it’s going to cost us to have the right kind of security in place,” says Seattle Deputy CISO David Matthews, “and what kind of data actually belongs in the cloud, what kind of encryption processes we’re going to use. The best way to avoid nervousness is really have a good contract up front so everybody knows where everybody else stands.”

[Chart: Location, Location, Location. Important 54%; Unimportant 12%.]

[Chart: Encryption, Of Course. Yes 78%; No 22%.]

[Chart: To Encrypt or Not to Encrypt? None 43%; Non-regulated 33%; Regulated 14%; Employee 12%; Proprietary 11%.]


Taking Responsibility

Shared Responsibilities: Who should manage encryption keys?

A majority of our respondents understand that regardless of the provider they choose, ultimately they’re accountable – whether by themselves or jointly with the provider – to assure their data are encrypted on the cloud.
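What the “user organization” answer to the key-management question buys, and what the “Encryption, Of Course” discussion turns on, is that the provider ends up holding only ciphertext plus a wrapped key it cannot open. The envelope-encryption example below was written for this edition; it is not code from the survey report, from the City of Seattle or JPL, or from any cloud provider. It uses only Go’s standard library (AES-256-GCM): the tenant generates a one-time data key per object, wraps it under a key-encryption key (KEK) that never leaves the tenant, binds the object name as associated data, and anyone without the KEK, the provider included, fails to decrypt. The function names, the Blob layout, the object name and the sample record are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the cloud provider stores for one object. The data key
// is present only wrapped under the tenant's KEK, so the provider holds
// ciphertext plus a key it cannot open. (Layout is this example's choice.)
type Blob struct {
	WrappedDataKey []byte // nonce || AES-GCM(KEK, dataKey, aad=objectName)
	Payload        []byte // nonce || AES-GCM(dataKey, plaintext, aad=objectName)
}

const keyLen = 32 // AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails closed if the key, the blob or the aad
// differ from what was sealed.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptForCloud is the tenant-side step before upload: a one-time data key
// encrypts the record, and the KEK, which never leaves the tenant, wraps that
// data key. objectName is bound as AAD, so a blob copied under another name
// fails to open even with the right KEK.
func EncryptForCloud(kek, objectName, plaintext []byte) (Blob, error) {
	dataKey := make([]byte, keyLen)
	if _, err := rand.Read(dataKey); err != nil {
		return Blob{}, err
	}
	payload, err := seal(dataKey, plaintext, objectName)
	if err != nil {
		return Blob{}, err
	}
	wrapped, err := seal(kek, dataKey, objectName)
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedDataKey: wrapped, Payload: payload}, nil
}

// DecryptFromCloud unwraps the data key with the tenant's KEK, then opens the
// payload. Without the KEK neither step succeeds, which is the property the
// "user organization manages the keys" answer relies on.
func DecryptFromCloud(kek, objectName []byte, b Blob) ([]byte, error) {
	dataKey, err := unseal(kek, b.WrappedDataKey, objectName)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, b.Payload, objectName)
}

func main() {
	// Constructed sample input: a KEK held on premises and one fake HR record.
	kek := make([]byte, keyLen)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	name := []byte("hr/records/4711")
	record := []byte("employee=4711;ssn=000-00-0000;salary=90000")

	blob, err := EncryptForCloud(kek, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d payload bytes + %d wrapped-key bytes\n", len(blob.Payload), len(blob.WrappedDataKey))

	back, err := DecryptFromCloud(kek, name, blob)
	fmt.Printf("tenant with KEK: %q err=%v\n", back, err)

	guess := make([]byte, keyLen) // provider-side guess at the KEK: wrong key
	_, err = DecryptFromCloud(guess, name, blob)
	fmt.Println("provider without KEK:", err)
}
```

Because the payload is encrypted under a per-object data key, rotating the KEK means rewrapping the small data keys, not re-encrypting every object; logging each unwrap is also where the audit-trail concern raised elsewhere in the survey lands. The nonce-prefixed layout and object-name AAD are this example’s choices, not a standard format.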

Getting over the Bump: Would you move critical systems to the cloud?

The takeaway from this question is that a majority of organizations either already run business-critical systems in the cloud or expect to move some there, if not now then eventually. That bodes well for the future of cloud computing. It suggests a can-do attitude among organizations: they will find a way to employ the cloud for all types of applications and systems.

6 Principles for Effective Cloud Computing: ISACA Guide Aims to Minimize Cloud Computing Risks

ISACA, the professional association focused on IT governance, counsels that organizations adopting cloud computing should adhere to six principles. Doing so will help enterprises avoid the perils of transferring IT decision-making away from technology specialists to business unit leaders.

Here are ISACA’s definitions of the six principles:

• Enablement: Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform.

• Cost/benefit: Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions.

• Enterprise risk: Take an enterprise risk management perspective to manage the adoption and use of cloud.

• Capability: Integrate the full extent of capabilities that cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution.

• Accountability: Manage accountabilities by clearly defining internal and provider responsibilities.

• Trust: Make trust an essential part of cloud solutions, building trust into all business processes that depend on cloud computing.

Ramsés Gallego, the Quest Software security strategist who serves on ISACA’s Guidance and Practices Committee, characterizes cloud computing as a game changer, especially for the small and midsize enterprise.

“Its availability means that technology infrastructure is not the market differentiator it has been in the past,” Gallego says. “These principles will enable enterprises to experience the value that cloud can provide and help ensure that internal and external users can trust cloud solutions.”

Trust is key because many people, including IT security experts, lack confidence in the cloud as a platform that assures security and privacy.


[Chart: Getting over the Bump. No, we don’t have plans to do so 34%; Perhaps, but not within 12 months 29%; Yes, we plan to move one or more of our business-critical systems to the cloud in the coming months 19%; Yes, one or more of our business-critical systems are in the cloud 18%.]

[Chart: Shared Responsibilities. User organization 47%; Both 34%; Don’t know 12%; Cloud provider 7%.]


Allaying Concerns: What controls do you implement to mitigate risks? (multiple answers allowed)

Other controls respondents cited include increased contract management, onsite inspection, adjusted incident management, third-party testing, financial penalties and increased liability for providers.

Among the steps organizations already are taking to secure cloud data are tried-and-true IT security tools and processes, including encryption, strong identity and access management controls and more audits.

The Guardians: Who’s responsible for ensuring security of cloud resources?

In the end, it’s the user organization’s responsibility to ensure the security of its cloud implementations.

Tomas Soderstrom, chief technology officer/IT at NASA’s Jet Propulsion Laboratory, sees the end-user organization as ultimately responsible for securing its IT. But, he points out, an end-user organization consists of many different entities – IT, information security, business units, operations and so on – and they must collaborate. “The real enabler here becomes the IT security people,” Soderstrom says. “They need to become consultants to show the business how to secure the data and be able to put it securely in the cloud. Because if they don’t, all of a sudden there could be a security breach, and it could shut down the whole organization’s use of the cloud.”

A slim majority of respondents say it’s their organization, not the provider, who’s responsible for ensuring the security of cloud resources. It’s your data and systems, and it wouldn’t be wise to outsource the responsibility for IT security to someone else, even if they are the ones hosting your IT assets.

That more of our respondents assign that responsibility to the IT or IT security organization than to the business or data owners reflects two realities: in most enterprises there isn’t just one business-side organization employing the cloud, and it’s not unusual for an enterprise to employ more than one cloud provider. Someone must be in charge.

[Chart: Allaying Concerns. Encryption techniques 60%; Stronger ID/access management controls 43%; Increased due diligence of provider 42%; More auditing of cloud-service provision 37%.]

[Chart: The Guardians. Cloud provider 48%; IT or IT security organization 38%; Business side/data owner 14%.]



ISMG: What are the responsibilities of the end-user organization, regardless of the contract, to make sure that its data is secure?

DAVID MATTHEWS: The responsibility that you have for securing your data doesn’t change because you move into a cloud environment; they’re exactly the same. You have to treat it that way from the very beginning. You have to look at everything that you could do to classify your information, protect your information, to be able to have access to your information. You have to find a way to do those exact same things and move into the cloud through contract or through the vetting processes. The legal issues have to be well understood as well. So they really don’t change. One of the things that people thought [was], “Maybe we could get out from under some of this risk if we move things to the cloud.” We just have to assume that we’ve got, if anything, maybe more risk, or a different kind anyway.

FRANÇOISE GILBERT: I would agree with that. It’s your data, and you’re responsible for it and it’s irrelevant what you do with it. Whether you put it in the cloud or in the trunk of your car, it’s your responsibility. It may be even more responsibility than before because there are situations where the cloud provider does not have a clue about the data that you have. You could put in a cloud the secret to the atomic bomb and the cloud provider wouldn’t know because that’s not their business. Their business is to provide you with, if you want, a big safe deposit box where you put your information. What you put in that safe deposit box they don’t know. If you have very important information, it’s your responsibility to make the decision whether or not you put it there, how you protect it and what kind of security measures you can use to protect that information because the cloud provider would not know the nature of the information.

David Matthews is deputy chief information security officer for the City of Seattle. Françoise Gilbert, a lawyer specializing in IT security and privacy, is a founder and managing director of the IT Law Group.

EXPERT INSIGHTS

Ultimate Responsibility: Accountability for securing data doesn’t change because of a move into the cloud.


The Agenda

Top officials at businesses, not-for-profits and governments around the world are pressuring their IT and IT security organizations to adopt cloud computing because of the potential savings it offers.

Technologists know of the security challenges that make widespread adoption of cloud services difficult, but in many instances employing this new technology is doable; the vulnerabilities can be addressed.

Understanding the current state of cloud computing – whether at your organization or at others – will help you address the evolving challenges of secure cloud computing.

But these challenges can’t be mitigated until enterprises – including internal business operations as well as IT and IT security organizations – figure out what they have and how to improve on it. Cloud will evolve into something much different in the coming years.

Fundamental Concerns

Clues to how organizations will use cloud computing securely in the coming months and years can be found in the research.

Cutting costs is a major reason why organizations migrate to the cloud, but other factors are likely to surface, including the need to obtain additional computing resources quickly. This will require processes to assure that the adoption of cloud computing can be done efficiently and securely.

In the end, implementing cloud computing effectively requires protecting information and preventing its loss. Traditional means to safeguard data – such as encryption – work in the cloud environment as well, and should not be ignored.

The Bottom Line

Cloud computing provides organizations with a lot of flexibility in how they fund and deploy information technology securely. The cloud allows organizations to introduce new technologies with far lower upfront costs, as they switch from capital expenditures to operational expenditures. That flexibility helps not only with limited financial resources but also with introducing new applications and products. The cloud also gives organizations entry to advanced technologies without considerable initial costs.

Vetting the Vendor

Most organizations cannot move to the cloud alone. They need a third party to help them scrutinize the reliability of cloud providers.

Trust is a fundamental trait of information risk and IT security, and that’s amplified in the cloud. And as the vast majority of our respondents say, external certification of cloud providers builds trust in them.

Before you get a third party to vet your cloud providers, make sure you can trust the organization you retain to conduct the evaluation. Look to the federal government’s FedRAMP program, which accredits third-party assessment organizations (3PAOs), for pre-approved vetters.

Also, conduct your own due diligence of third-party certifiers and the cloud providers. The data you protect belong to you; ultimately, it’s your responsibility, as well as your legal obligation, to assure the security of information and systems.


Confronting Risk

The anxiety many IT security pros express about adopting cloud services is understandable. But you don’t need Valium to calm those nerves, just best practices.

And among the best practices to employ is the encryption of crucial data to be housed on the cloud. Other steps to take to mitigate risk include employing stronger identity and access management controls, auditing the cloud provider and conducting onsite inspections.

In some respects, cloud computing isn’t new. Organizations have been outsourcing computing services for decades. So use proven IT security tools and processes to assure the security of your cloud ventures.

Ultimate Responsibility

Take responsibility. It’s your data and your systems that are at stake, and in the end, the buck stops with you.

Ultimately, as IT security professionals, security is your responsibility. But that doesn’t mean you should do it alone. Partner with your organization’s IT and business organizations as well as the cloud provider.

The cloud offers many benefits, and as you become more comfortable with its security, be the evangelist in your organization for the technology. Though cloud computing is not a panacea, at least not yet, enterprise computing is heading to the cloud. Implemented properly and securely, cloud computing will help meet your organization’s growing need for safe computing.

Action Items

1. Create a Team

Organize stakeholders within and outside your organization to address the security concerns of cloud computing. No single individual or group owns cloud computing, but the IT and IT security organizations are best situated for getting all participants together.

2. Employ What You Know

In many respects, cloud computing isn’t new; it’s just another version of outsourcing that organizations have employed for decades. The same tools and processes you used to secure your systems in the past can be employed to protect your digital assets in the cloud: encryption, stronger identity and access management controls, audits and onsite inspections.

3. Network

Talk to other organizations in your field as well as industry groups, such as information sharing and analysis centers, to determine how they approach secure cloud computing.

4. Perform Due Diligence

Whether you use a third party, piggyback on other trusted organizations, such as the U.S. federal government’s FedRAMP initiative, do it yourself or a combination of all three, it’s essential that you vet the security your cloud provider furnishes. Ultimately, it’s your responsibility to protect your information and systems.

5. Just Do It

Pilot cloud initiatives that contain non-sensitive information. In doing so, you’ll learn ways to secure data that will prove useful when you seek to safeguard sensitive data in the cloud. You’ll also learn to deal with cloud computing vendors.


Resources

Learn more about the key issues driving secure cloud computing. InfoRiskToday features extensive coverage of cloud security. Here’s a sampling:

NIST Issues Long-Awaited Cloud Guidance
NIST has published its long-awaited cloud computing guidance, Special Publication 800-146: Cloud Computing Synopsis and Recommendations, which addresses risk management and other security matters.
http://www.inforisktoday.com/nist-issues-long-awaited-cloud-guidance-a-4810

Tips for Contracting Cloud Services
Cloud services contracts often provide little to no wiggle room for organizations. In planning to use cloud computing services, what steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.
http://www.inforisktoday.com/tips-for-contracting-cloud-services-a-4797

Linking the Cloud to Continuous Monitoring
NIST information risk management evangelist Ron Ross sees continuous monitoring playing a vital role in securing cloud computing.
http://www.inforisktoday.com/linking-cloud-to-continuous-monitoring-a-4520

FedRAMP Security Controls Unveiled
The federal government has issued some 170 controls for FedRAMP, the program designed to vet cloud computing providers for federal government agencies.
http://www.inforisktoday.com/fedramp-security-controls-unveiled-a-4391

5 Essential Characteristics of Cloud Computing
To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they’re getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.
http://www.inforisktoday.com/5-essential-characteristics-cloud-computing-a-4189

10 Realms of Cloud Security Services
Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.
http://www.inforisktoday.com/10-realms-cloud-security-services-a-4097

Cloud Computing: 5 Topics for the Boss
Here are the top five cloud computing security risks and concerns CISOs must discuss with their managers.
http://www.inforisktoday.com/cloud-computing-5-topics-for-boss-a-3554

Cryptography in the Cloud
There’s no better way to secure critical data than through cryptography, especially when that data is stored in the cloud, says cryptography expert Ralph Spencer Poore.
http://www.inforisktoday.com/cryptography-in-cloud-a-3305


4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com

© 2012 Information Security Media Group, Corp.