Brian Pennington

A blog about Cyber Security & Compliance


Cloud computing security

Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential data to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. 67% of French companies appear to be the most likely to hold the cloud provider responsible for data protection activities. In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who select the cloud provider as the most responsible party for protecting data are more confident in their cloud provider’s actual ability to do so (51%) compared to only 32% of respondents who report confidence in their own abilities to protect data even though they consider their own organization to be primarily responsible for protecting data.
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption to data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% say a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organizations are more skeptical of cloud security and that it is the less security-aware organizations that are willing to overlook a perceived lack of security. Here, we use the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control. What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”


Survey: 99% rate Security as a major consideration when choosing the Cloud

Intel have produced a very interesting survey on the way businesses perceive the Cloud, what they are looking for, whether it is Private or Public, and who seems to be the most secure. Below is my summary of the survey’s results.

Intel surveyed 200 IT professionals about a wide variety of cloud topics, including the key business and technology drivers behind their implementation plans, the importance of security in determining how the cloud is implemented, and their level of investment in security as part of cloud initiatives. The respondents were IT professionals in organizations of 100 to 1,000-plus employees across a variety of industries.

  • 18% of the companies surveyed are already offering cloud services
  • 42% are currently in the process of implementing
  • 38% are in the evaluation stage
  • 4% are planning to evaluate cloud initiatives

Security plays a major role in the selection of a deployment model for 99% of the companies surveyed, but only 44% cited security issues as the foundation for their decision making in selecting a private versus public cloud delivery model.

  • 80% said the most common drivers of security plans for cloud initiative issues are related to protecting customer, vendor, and employee data
  • 76% said protecting servers and other platform/infrastructure resources from attack was the most important
  • 72% said it was protecting financial data
  • 48% believed that the overall organizational investment in cloud initiatives is security related.
  • 52% are deploying the private cloud (or most likely to be utilized)
  • 31% prefer a hybrid cloud
  • 11% prefer a public cloud

Security was cited as the biggest concern by 66% of those surveyed about outsourcing some IT to a cloud service provider

Other key findings from the survey include the following:

Implementing security is no easy task

  • 60% have experienced moderate challenges
  • 22% have experienced major challenges

Security concerns are similar for outsourcing

  • For 66% of IT professionals, data loss and compromised platform or infrastructure assets are the biggest concerns when it comes to outsourcing to a cloud provider
  • For 60% of IT professionals, the security capabilities and assurances offered are extremely important when making a selection.

Trust in cloud service providers is mixed

  • 54% of IT professionals have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust

Hardware-based security provides greater assurance

  • A cloud service provider with additional hardware-based security measures is viewed as delivering a higher level of security by 78%.

Minor differences by company size

  • Data reveals no significant differences in results amongst the range of company sizes in their survey. However, of those companies with 1,000 or more employees, 24% are already offering cloud services, compared to 10% for each of the other segments

Intel asked IT professionals about security in their current IT environment

  • 31% are regularly thwarting 100 or more virus or malware attacks every month
  • Companies with 500 or more virtualized servers are more likely to be thwarting an even greater volume of attacks. In this category, approximately 31% report thwarting more than 500 attacks every month, and 24% are thwarting 1,000 or more attacks.

IT professionals report a wide variety of potential security concerns to keep them up at night. Three top the list:

  1. 62%: attacks targeting specific data types
  2. 61%: attacks on server, platform, and data centre infrastructure assets
  3. 60%: hackers seeking to gain control of software assets
  4. Almost half are concerned about rootkit attacks at the hypervisor level or below, network attacks, and attacks targeting end-point devices

For those organizations with a cloud vendor already in place, controlling access to cloud resources becomes a more significant concern (70% versus 51%).

Cloud computing is considered an important strategic investment by almost all the companies surveyed:

  • 18% are already offering cloud services or capabilities
  • 76% of those currently evaluating or planning to evaluate expect to implement cloud services within the next year

They asked IT professionals what technologies they were currently deploying that support a current or planned cloud environment

  • 73% are currently using virtualization to consolidate servers and enabling virtual machine (VM) mobility across multiple servers in order to support a cloud
  • Nearly half offer automation and metering and chargeback based on usage and enable business units to self-provision resources.

Choice of a Private Cloud

  • For 52% of those surveyed a private cloud is the leading deployment model, no matter what phase of implementation
  • The Private Cloud is the preference for 63% of those already offering cloud computing
  • 51% of those in the implementation phase prefer the Private Cloud
  • For those still evaluating the cloud 49% prefer Private Cloud

Public clouds are more likely to get consideration from companies with:

  • 500–999 employees (29% versus 5% among smaller and larger companies)
  • Less than 10 worldwide locations (17% versus 5% among companies with 10 or more locations)
  • 250–499 virtual servers (31% versus 3% among companies with 500 or more virtual servers)
  • Less than $10 million U.S. dollars (USD) in revenue (21% versus 7% among companies with USD $10 million or more)

Although there is a clear preference for delivery model, the same is not true for the cloud service being considered or already implemented. All three of the major services get equal consideration across the survey sample:

  • 58% Software as a Service (SaaS)
  • 57% Infrastructure as a Service (IaaS)
  • 56% Platform as a Service (PaaS)

The IT professionals they surveyed recognized the importance of security across delivery models and for both internal and external implementations. They back up their concern with a high level of investment in security as part of the overall investment in cloud initiatives. For example, when averaged across the sample group 48% of the investment in cloud initiatives is related to security.

Do high-profile security breaches reported in the news have any impact on cloud decision making? When asked to recall recent newsworthy breaches or attacks

  • 24% mention the high-profile public security breach of the Sony* PlayStation* Network
  • 70% say the breaches they recall have no impact on their decision to move forward with cloud initiatives.
  • 30% are on hold while they deepen their evaluation of their security plans and controls

The survey asked respondents to say what they experienced as the greatest challenges to implementing security

  • 95% who are already implementing or offering cloud services have experienced slight challenges in implementing security for a private or hybrid cloud
  • 22% indicated that they had experienced major challenges

The biggest headache? Data Protection challenges, experienced by 44% of those surveyed

Asked how they overcame their challenges, those surveyed reported that their top method was to increase or upgrade security measures, as well as to research thoroughly and leverage vendor relationships. Other approaches included training, hiring consultants, and increasing budget. A number of companies continue to grapple with unresolved issues.

64% of companies surveyed have had their planning efforts influenced by the following organisations, number 1 being the highest influencer

  1. Cloud Security Alliance (CSA)
  2. Open Data Centre Alliance (ODCA) – more than a third
  3. Trusted Computing Group (TCG)
  4. Distributed Management Task Force (DMTF)

Of the IT professionals surveyed

  • 61% are currently evaluating a cloud service provider
  • 23% have selected a cloud service provider
  • Most reported that the security component offered by the cloud service provider is important, with 60% considering it extremely important.

The leading concern of those surveyed about outsourcing some IT to a cloud service provider is security – 66%

One in three cited compliance issues related to privacy and regulations as one of their greatest concerns

Among IT professionals who are evaluating or have already chosen a cloud provider

  • 54% have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust
  • 60% reported that they were extremely or very concerned about the infrastructure their cloud provider uses
  • This is even higher for those thwarting 10 or more attacks a month (35% versus 15% for those fighting off fewer attacks)

In this same group

  • 68% are concerned about rootkit hypervisor attacks
  • 35% are extremely concerned
  • Those IT professionals thwarting 10 or more malware attacks per month are twice as likely as those fighting off fewer attacks to be extremely concerned about rootkit hypervisor attacks (40% versus 19%)

Providing the right security assurances goes a long way toward building trust in a cloud service provider

  • According to those who have chosen or are evaluating cloud providers, security controls in the platform (74%) are the most common security assurances provided
  • Those already using a cloud service provider are significantly more likely to be assured of security controls in the platform than those IT professionals still evaluating vendors (85% versus 70%).

78% believe a cloud service provider with additional hardware-based security measures to reduce some forms of malware provides a higher level of security. This was higher for those companies thwarting 10 or more attacks per month (62% versus 42% for those fighting off fewer attacks).

48% of IT professionals report that cloud service providers make their security assurances moderately visible, whilst 45% report them as highly visible.

Regular, periodic reports on security incidents (73%) are the most common methods used by vendors to document compliance with privacy or other regulatory requirements, followed by specified level of responsibility for a security breach (60%) and the ability for the organization to conduct compliance audits (60%).

Security Is Foundational to Those Offering Cloud Computing

By far the biggest business and IT drivers for security are protection of data and server platforms. Compared with companies implementing or evaluating cloud computing, those companies already providing cloud-based services are more likely to:

  • List their top two IT drivers as the need to protect data (74%) and the need to protect servers and other platform and infrastructure resources from attack (66%)
  • Say security was the foundation of their decision for implementing a private cloud initiative versus a public cloud (57% versus 41%)
  • Report high visibility into the security assurance provided by cloud service providers (67% versus 40%)
  • Have considered or implemented SaaS over PaaS or IaaS (86% versus 52% of those implementing or evaluating cloud services)
  • Be deploying technology that enables business units to self-provision resources (71% versus 44%)
  • Have an enterprise-class data centre (60% versus 21%) with more than 500 virtualized servers (34% versus 13%)
  • Be from companies with more than 1,000 employees (24% versus 10%)

High Level of Concern about Security in the Early Planning Stages

Those evaluating or planning to evaluate cloud computing are inclined to be significantly more worried about security than those already offering services or in the implementation stage. Those in the earlier stages tend to be:

  • Driven most by the need to protect data (87%) and to protect servers and other platform and infrastructure resources from attack (76%)
  • Least confident that their current network and data centre assets are adequately protected (43% very confident versus 64% not confident)
  • Able to recall more high-profile breaches and attacks (55% versus 33%)
  • Least trusting of the ability of cloud service providers to secure their assets in the cloud (20% have a great deal of trust versus 58%)
  • Least likely to be influenced by industry standards groups

Midsize Companies Are Implementing Cloud Initiatives Now

In the sample group, those in the process of implementing cloud computing are inclined to be from midsize companies with 100–999 employees. They tend to be:

  • Driven more than any other stage of implementation category by the need to protect servers and other platform and infrastructure resources from attack (81%) and to protect data (75%)
  • More likely to consider a public cloud (23% versus 2% of those already offering services or in the planning and evaluation stage)
  • More likely to have a localized or regional data centre (57% versus 41% of those already

For further information visit the Intel web site here.
