Brian Pennington

A blog about Cyber Security & Compliance


Cloud computing

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment-based security, especially PCI DSS and P2PE.

Jeremy King, PCI Security Standards Council International Director, said: “The new European Commission Payment Services Directive 2, along with the European Banking Authority Guidelines for Securing Internet Payments, have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation, which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond.

“These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security.”

With 70% of all card fraud now coming from card-not-present (CNP) transactions, a figure that surpasses the previous record set in 2008 during the EMV chip migration, it is a critical time for the industry.

A significant amount of the conference was spent on new and developing technologies, including:

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added: “PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security.

“We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.”

Attendees included experts from Accor Hotels, British Telecommunications, Capita, Coalfire Systems Limited, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

The five cloud personas

NTT Integralis have produced a report highlighting the acceptance of cloud solutions. The full report can be found here.

The report characterises organisations as fitting five cloud ‘personas’ defined by their level of enthusiasm for cloud computing and maturity of adoption.

Ranging from ‘Embracers’ at one end of the scale (very active in new technologies for over three years) to ‘Controllers’ at the other (characterised by their lack of cloud deployments), the personas also include Accepters, Experimenters and Believers.

The five cloud personas

  1. The Embracer – has used cloud for 3+ years, is very active in seeking out new technologies, dedicates over half of its IT budget to cloud and is very likely to see an increase in revenues and profits from cloud
  2. The Believer – very likely to actively seek out new technologies and to move the majority of services into the cloud over the next year. Cloud is critical to the deployment of services, with a third of budget allocated
  3. The Experimenter – likely to experiment with new technologies and to move the majority of services into the cloud in the next year. Cloud is used in half or more of departments, with a quarter of budget dedicated to it
  4. The Accepter – adopted cloud in the past two years and is most likely to adopt technology when there is a clear business case. Cloud is not central to IT strategy
  5. The Controller – least likely to be using cloud and emerging technologies, more reliant on data centres. Cloud is not currently part of their IT strategy

For them to have completed the survey, the respondents must have at least understood the concept of the “cloud”, which is a step in the right direction.

Schools are concerned about cloud security. The Ponemon Institute has released the results of a survey of UK schools designed to measure the views of school staff on the rapidly rising use of cloud services in the education sector and the potential risks to student privacy.

The study focused on cloud versions of email and document collaboration tools:

  • a majority of schools expect to migrate to such services in the near future
  • 81% of respondents object strongly to the mining of student emails, web browsing and online behaviour for profit by cloud providers
  • 84% say providers should never profile students
  • 70% say that even the option to turn on ad serving, or the delivery of advertisements to users online, should be completely removed from school-provided cloud services

The findings also show that schools are increasingly looking to move to cloud services because they expect them to bring significant educational and social benefits to students, as well as being cheaper and easier to manage. The survey’s sponsor commissioned the Ponemon Institute to conduct the survey of senior staff and IT practitioners in primary and secondary schools and related administrative organisations in the UK. Respondents were asked to describe their schools’ current and expected use of cloud-based services such as email and document collaboration, and to give their views about student online privacy and cloud provider business models based on data mining for profit.

Key findings of the research include the following:

  • Schools believe cloud services will offer many benefits, helping students to acquire skills needed for employment (78%), thrive in modern society (63%), and obtain better results on national exams (51%)
  • Cloud deployment in UK schools is growing rapidly: 68% of respondents expect to provide cloud email or document creation in the foreseeable future, while 25% already provide such services to their students
  • Schools recognise that cloud services have a dark side: 74% see threats to student privacy as the top risk of cloud, followed by security breaches (70%)
  • But the vast majority reject for-profit data mining of student information: 84% say cloud providers should never profile students for profit, while 70% say ad serving should never be an option
  • Some schools admit to a conflict of interest regarding student privacy, but want to give parents the tools to protect their children: 47% say they might be tempted to trade student privacy for lower costs, but 44% also say parents should have the right to opt-out of data mining for their children

“We’re very impressed and pleased to find that UK schools are rapidly adopting cloud services and see significant educational and social benefits in doing so, as well as cost savings,” said Jeff Gould, President of the survey’s sponsor. “But our study also shows that UK schools clearly recognise the dark side of cloud computing, especially when cloud providers are allowed to data mine student emails and documents in order to create profiles that can be used for ad serving and other commercial purposes. As the migration to cloud services continues, UK schools, local councils and education authorities as well as the Department for Education at the national level need to develop concrete measures to ensure that strong privacy protections for students and school staff are put in place. Above all, we call on parents to recognise the risks to their children and to take action to ensure that the authorities adopt the proper response.”

Larry Ponemon, chairman and founder, Ponemon Institute, added:

“These results demonstrate significant potential for cloud services in UK schools, with IT administrators contemplating deployments in the immediate to near future, but at the same time overwhelming concerns regarding mining of student data for commercial use. The numbers indicate that these practices must be tackled before the full benefits of cloud computing can be realised.”

  • Most schools already provide email to staff (85%) and students (59%)
  • 25% already offer students cloud email
  • 61% of schools that don’t yet provide email expect to offer cloud email in the foreseeable future

Schools believe cloud tools will help students improve skills, thrive in modern society and obtain better exam results.

But schools also see a dark side in Cloud: Data Mining

Schools overwhelmingly recognise that data mining for profit by cloud providers is a threat to student privacy and strongly object to the practice. But some schools admit they are tempted to trade student privacy for lower costs. A solution to this conflict of interest is to let parents opt-out of cloud data mining for their children.

Schools believe cloud email will be easier to manage and cheaper, but not necessarily safer or more secure.

  • Schools see threats to student privacy as the top risk of cloud (74%), followed by security breaches (70%)
  • The vast majority of schools (81%) object to cloud providers that data mine student online behaviour (i.e. analyse emails or track web browsing) for profit
  • 84% of schools say cloud providers should never profile students for profit; 70% say ads should not be an option
  • Conflict of interest? 47% of schools admit they might trade student privacy for lower costs, but 44% also say parents should have the right to opt-out for their children


PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

For a link to the full document please use my PCI Resources page here.


Cloud maturity study reveals the top 10 issues eroding cloud confidence

The Cloud Security Alliance (CSA) and ISACA (www.isaca.org) have issued the results of their survey of how organisations feel about the “cloud”.

The report provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses. I have summarised the report below.

The study reveals that cloud users in 50 countries were least confident about the following issues (ranked from least confident to most confident):

  1. Government regulations keeping pace with the market (1.80)
  2. Exit strategies (1.88)
  3. International data privacy (1.90)
  4. Legal issues (2.15)
  5. Contract lock in (2.18)
  6. Data ownership and custodian responsibilities (2.18)
  7. Longevity of suppliers (2.20)
  8. Integration of cloud with internal systems (2.23)
  9. Credibility of suppliers (2.30)
  10. Testing and assurance (2.30)

While there are many positive indicators that support the planned adoption and perceived use and value of cloud services in the years ahead, there remains much progress to be made to engage and gain the buy-in among business leaders.

“As a first step, we as an industry must still work to provide a clearer definition of what cloud is and how the many innovative and secure services can help positively impact today’s businesses,” said J.R. Santos, global research director at CSA. “But, we need to start at the top and engage senior management. Cloud needs can no longer be thought of as a technical issue to address, but rather a business asset to embrace.”

“One of the most interesting findings is that governance issues recur repeatedly on the list of the top 10 concerns. Cloud users recognize the value of this model, but are wrestling with such questions as data ownership, legal issues, contract lock-in, international data privacy and government regulations,” said Greg Grocholski, CISA, international president of ISACA. “As cloud services continue to evolve, it is critical that we work together as an industry to provide insights and recommendations on these issues so that service and solution providers can look to innovate and deliver what the cloud services market needs to advance and what enterprises need to succeed.”

Survey Overview

Results of the study provide much insight on the progression of cloud adoption. For example:

  • Business enablers (score 4.08) rather than financial considerations (score 3.5) are the primary factors in making cloud decisions, with the least important factor being the ability to reduce the environmental footprint of the organization (score 2.67)
  • The business enablement factors that most influence cloud computing decision making are related to the reliability and availability of services (mean score 4.59) and quality of service (score 4.29)

Respondents feel there is room for improvement when it comes to innovation in the cloud.

  • 24% of survey takers indicate that there is no or only a limited level of innovation in the market
  • 43% of respondents believe there is a moderate level of innovation
  • 33% report that the level of innovation in terms of products, services and business use is significant

“Survey results show that CIOs and IT management understand cloud best and are most involved in driving cloud innovation in their organizations. This limits cloud maturity and innovation since cloud continues to be viewed as a technical solution and not as a business enabler,” said Yves Le Roux, a member of CSA and the ISACA Guidance and Practices Committee. “Cloud can provide business-building innovation, but to get to that point, there needs to be more buy-in and a better understanding among business leaders and C-level executives of the cloud’s value and risk.”

Nearly all respondents feel that cloud computing is far from reaching maturity: only software as a service (SaaS) is cautiously placed at the earliest growth stage, with infrastructure and platform services still considered to be in their infancy.

Respondents remain moderately confident that cloud services are meeting service and strategy expectations and that problems are being addressed. Many rated cloud services as providing confidence in strategy and problem resolution (mean score 3.47), indicating cautious optimism that cloud will advance in maturity and that the problems limiting its adoption will be addressed.


Information Commissioner publishes guidance on cloud computing

The UK’s Information Commissioner’s Office (ICO) has published guidance on how businesses should treat personal information in the cloud, whether that is a private or a public cloud.

The data protection regulator ICO is concerned that many businesses do not realise they remain responsible for how the data is handled whilst it is in the cloud.

This has resulted in the ICO publishing a guide to cloud computing, to help businesses comply with the law.

The guide gives tips including:

  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

Speaking as the guide was launched, author Dr Simon Rice, ICO technology policy advisor, said:

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”


Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

The following is a summary of the key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential data to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has neither increased nor decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment, and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. At 67%, French companies appear to be the most likely to hold the cloud provider responsible for data protection activities. In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer primarily responsible for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who select the cloud provider as the party most responsible for protecting data are more confident in their cloud provider’s actual ability to do so (51%), compared to only 32% of respondents who report confidence in their own ability to protect data even though they consider their own organization to be primarily responsible for protecting it.
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption to data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% say a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organizations are the more sceptical of cloud security, and that it is the less security-aware organizations that are willing to overlook a perceived lack of security. Here, the report uses the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control. What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”
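The findings above turn on two questions: where encryption is applied (finding 7) and who holds the keys (finding 9). The Go program below is an added example, not code from the Ponemon/Thales report or from this blog, and it models both halves of the argument with AES-256-GCM: a record encrypted inside the cloud under a key the provider controls, and the same record encrypted before upload under a key that stays with the customer. The `CloudStore` type, the object names and the sample record are assumptions constructed for this example; `ProviderCanRead` answers, for each object, the question most respondents could not answer about their own provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the provider ever stores: nonce || ciphertext || GCM tag.
type Blob []byte

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM, binding the object name as associated data.
func Encrypt(key []byte, objectName string, plaintext []byte) (Blob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce: one self-describing blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Decrypt opens a blob from Encrypt. It fails on a wrong key, a modified
// blob, or a blob presented under a different object name.
func Decrypt(key []byte, objectName string, blob Blob) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

// CloudStore stands in for a hypothetical provider's object storage (assumed
// for this example). Its own key covers the "encrypted inside the cloud" case.
type CloudStore struct {
	Objects     map[string]Blob
	ProviderKey []byte
}

// PutProviderEncrypted models encryption inside the cloud: the customer uploads
// plaintext and the provider seals it with a key the provider controls.
func (s *CloudStore) PutProviderEncrypted(name string, plaintext []byte) error {
	b, err := Encrypt(s.ProviderKey, name, plaintext)
	if err != nil {
		return err
	}
	s.Objects[name] = b
	return nil
}

// PutOpaque models persistent client-side encryption: the provider receives
// ciphertext only and never sees the customer's key.
func (s *CloudStore) PutOpaque(name string, blob Blob) { s.Objects[name] = blob }

// ProviderCanRead reports whether the provider, using only the key it holds,
// can recover the plaintext of a stored object.
func (s *CloudStore) ProviderCanRead(name string) bool {
	b, ok := s.Objects[name]
	if !ok {
		return false
	}
	_, err := Decrypt(s.ProviderKey, name, b)
	return err == nil
}

func main() {
	pk, _ := randomKey()
	ck, _ := randomKey() // customer key: generated and kept on the customer side
	store := &CloudStore{Objects: map[string]Blob{}, ProviderKey: pk}
	record := []byte("account=12345;balance=100") // constructed sample data
	_ = store.PutProviderEncrypted("ledger-a", record) // provider encrypts in the cloud
	blob, _ := Encrypt(ck, "ledger-b", record)         // customer encrypts before upload
	store.PutOpaque("ledger-b", blob)
	fmt.Println("provider reads ledger-a:", store.ProviderCanRead("ledger-a")) // true
	fmt.Println("provider reads ledger-b:", store.ProviderCanRead("ledger-b")) // false
	pt, err := Decrypt(ck, "ledger-b", store.Objects["ledger-b"])
	fmt.Println("customer reads ledger-b:", string(pt), err)
}
```

The provider can store, replicate and back up `ledger-b` but cannot read it, which is the concrete meaning of “if you control the keys, you control the data”. Binding the object name as GCM associated data adds a second defensive property: a blob copied between object names by whoever operates the storage fails to open, and any modification of the stored bytes is detected on decryption. In a real deployment the customer key would live in a key manager or HSM under the customer’s control rather than in a process variable, and key rotation would be handled there.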


Survey: 99% rate security as a major consideration when choosing the cloud

Intel have produced a very interesting survey on the way businesses perceive the cloud, what they are looking for, whether private or public, and who seems to be the most secure. Below is my summary of the survey’s results.

Intel surveyed 200 IT professionals about a wide variety of cloud topics, including the key business and technology drivers behind their implementation plans, the importance of security in determining how the cloud is implemented, and their level of investment in security as part of cloud initiatives. The respondents were IT professionals in organizations of 100 to 1,000-plus employees across a variety of industries.

  • 18% of the companies surveyed are already offering cloud services
  • 42% are currently in the process of implementing
  • 38% are in the evaluation stage
  • 4% are planning to evaluate cloud initiatives

Security plays a major role in the selection of a deployment model for 99% of the companies surveyed, but only 44% cited security issues as the foundation for their decision making in selecting a private versus public cloud delivery model.

  • 80% said the most common drivers of security plans for cloud initiatives are related to protecting customer, vendor and employee data
  • 76% said protecting servers and other platform/infrastructure resources from attack was the most important
  • 72% said it was protecting financial data
  • 48% believed that the overall organizational investment in cloud initiatives is security related
  • 52% are deploying, or are most likely to deploy, a private cloud
  • 31% prefer a hybrid cloud
  • 11% prefer a public cloud

Security was cited as the biggest concern by 66% of those surveyed about outsourcing some IT to a cloud service provider.

Other key findings from the survey include the following:

Implementing security is no easy task

  • 60% have experienced moderate challenges
  • 22% have experienced major challenges

Security concerns are similar for outsourcing

  • For 66% of IT professionals, data loss and compromised platform or infrastructure assets are the biggest concerns when it comes to outsourcing to a cloud provider
  • The security capabilities and assurances offered are extremely important to 60% of IT professionals when making a selection

Trust in cloud service providers is mixed

  • 54% of IT professionals have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust

Hardware-based security provides greater assurance

  • A cloud service provider with additional hardware-based security measures is viewed as delivering a higher level of security by 78%.

Minor differences by company size

  • The data reveals no significant differences in results across the range of company sizes in the survey. However, of those companies with 1,000 or more employees, 24% are already offering cloud services, compared to 10% for each of the other segments

Intel asked IT professionals to describe security in their current IT environment:

  • 31% are regularly thwarting 100 or more virus or malware attacks every month
  • Companies with 500 or more virtualized servers are more likely to be thwarting an even greater volume of attacks. In this category, approximately 31% report thwarting more than 500 attacks every month, and 24% are thwarting 1,000 or more attacks.

IT professionals report a wide variety of potential security concerns to keep them up at night. Three top the list:

  1. 62%: attacks targeting specific data types
  2. 61%: attacks on server, platform and data centre infrastructure assets
  3. 60%: hackers seeking to gain control of software assets
  4. Almost half are concerned about rootkit attacks at the hypervisor level or below, network attacks, and attacks targeting end-point devices

For those organizations with a cloud vendor already in place, controlling access to cloud resources becomes a more significant concern (70% versus 51%).

Cloud computing is considered an important strategic investment by almost all the companies surveyed:

  • 18% are already offering cloud services or capabilities
  • 76% of those currently evaluating or planning to evaluate expect to implement cloud services within the next year

Intel asked IT professionals which technologies they are currently deploying to support a current or planned cloud environment:

  • 73% are currently using virtualization to consolidate servers and to enable virtual machine (VM) mobility across multiple servers in order to support a cloud
  • Nearly half offer automation and metering and chargeback based on usage and enable business units to self-provision resources.

Choice of a Private Cloud

  • For 52% of those surveyed a private cloud is the leading deployment model, no matter what phase of implementation
  • The Private Cloud is the preference for 63% of those already offering cloud computing
  • 51% of those in the implementation phase prefer the Private Cloud
  • For those still evaluating the cloud 49% prefer Private Cloud

Public clouds are more likely to get consideration from companies with:

  • 500–999 employees (29% versus 5% among smaller and larger companies)
  • Less than 10 worldwide locations (17% versus 5% among companies with 10 or more locations)
  • 250–499 virtual servers (31% versus 3% among companies with 500 or more virtual servers)
  • Less than $10 million U.S. dollars (USD) in revenue (21% versus 7% among companies with USD $10 million or more)

Although there is a clear preference for delivery model, the same is not true for the cloud service being considered or already implemented. All three of the major services get equal consideration across the survey sample:

  • 58% Software as a Service (SaaS)
  • 57% Infrastructure as a Service (IaaS)
  • 56% Platform as a Service (PaaS)

The IT professionals they surveyed recognized the importance of security across delivery models and for both internal and external implementations. They back up their concern with a high level of investment in security as part of the overall investment in cloud initiatives. For example, when averaged across the sample group 48% of the investment in cloud initiatives is related to security.

Do high-profile security breaches reported in the news have any impact on cloud decision making? When asked to recall recent newsworthy breaches or attacks:

  • 24% mention the high-profile public security breach of the Sony PlayStation Network
  • 70% say the breaches they recall have no impact on their decision to move forward with cloud initiatives.
  • 30% are on hold while they deepen their evaluation of their security plans and controls

The survey asked respondents what they experienced as the greatest challenges to implementing security:

  • 95% of those already implementing or offering cloud services have experienced at least slight challenges in implementing security for a private or hybrid cloud
  • 22% indicated that they had experienced major challenges

The biggest headache? Data Protection challenges, experienced by 44% of those surveyed

Asked how they overcame their challenges, those surveyed reported that their top method was to increase or upgrade security measures, as well as to research thoroughly and leverage vendor relationships. Other approaches included training, hiring consultants, and increasing budget. A number of companies continue to grapple with unresolved issues.

64% of companies surveyed have had their planning efforts influenced by the following organisations, listed with the strongest influencer first:

  1. Cloud Security Alliance (CSA)
  2. Open Data Centre Alliance (ODCA) (more than a third)
  3. Trusted Computing Group (TCG)
  4. Distributed Management Task Force (DMTF)

Of the IT professionals surveyed

  • 61% are currently evaluating a cloud service provider
  • 23% have selected a cloud service provider
  • Most reported that the security component offered by the cloud service provider is important, with 60% considering it extremely important.

The leading concern of those surveyed about outsourcing some IT to a cloud service provider is security – 66%

One in three cited compliance issues related to privacy and regulations as one of their greatest concerns

Among IT professionals who are evaluating or have already chosen a cloud provider

  • 54% have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust
  • 60% reported that they were extremely or very concerned about the infrastructure their cloud provider uses
  • This is even higher for those thwarting 10 or more attacks a month (35% versus 15% for those fighting off fewer attacks)

In this same group

  • 68% are concerned about rootkit hypervisor attacks
  • 35% are extremely concerned
  • Those IT professionals thwarting 10 or more malware attacks per month are twice as likely as those fighting off fewer attacks to be extremely concerned about rootkit hypervisor attacks (40% versus 19%)

Providing the right security assurances goes a long way toward building trust in a cloud service provider

  • According to those who have chosen or are evaluating cloud providers, security controls in the platform (74%) are the most common security assurances provided
  • Those already using a cloud service provider are significantly more likely to be assured of security controls in the platform than those IT professionals still evaluating vendors (85% versus 70%).

78% believe a cloud service provider with additional hardware-based security measures to reduce some forms of malware provides a higher level of security. This was higher for those companies thwarting 10 or more attacks per month (62% versus 42% for those fighting off fewer attacks).

48% of IT professionals report that cloud service providers make their security assurances moderately visible, whilst 45% report them as highly visible.

Regular, periodic reports on security incidents (73%) are the most common methods used by vendors to document compliance with privacy or other regulatory requirements, followed by specified level of responsibility for a security breach (60%) and the ability for the organization to conduct compliance audits (60%).

Security Is Foundational to Those Offering Cloud Computing

By far the biggest business and IT drivers for security are protection of data and server platforms. Compared with companies implementing or evaluating cloud computing, those companies already providing cloud-based services are more likely to:

  • List their top two IT drivers as the need to protect data (74%) and the need to protect servers and other platform and infrastructure resources from attack (66%)
  • Say security was the foundation of their decision for implementing a private cloud initiative versus a public cloud (57% versus 41%)
  • Report high visibility into the security assurance provided by cloud service providers (67% versus 40%)
  • Have considered or implemented SaaS over PaaS or IaaS (86% versus 52% of those implementing or evaluating cloud services)
  • Be deploying technology that enables business units to self-provision resources (71% versus 44%)
  • Have an enterprise-class data centre (60% versus 21%) with more than 500 virtualized servers (34% versus 13%)
  • Be from companies with more than 1,000 employees (24% versus 10%)

High Level of Concern about Security in the Early Planning Stages

Those evaluating or planning to evaluate cloud computing are inclined to be significantly more worried about security than those already offering services or in the implementation stage. Those in the earlier stages tend to be:

  • Driven most by the need to protect data (87%) and to protect servers and other platform and infrastructure resources from attack (76%)
  • Least confident that their current network and data centre assets are adequately protected (43% very confident versus 64% not confident)
  • Able to recall more high-profile breaches and attacks (55% versus 33%)
  • Least trusting of the ability of cloud service providers to secure their assets in the cloud (20% have a great deal of trust versus 58%)
  • Least likely to be influenced by industry standards groups

Midsize Companies Are Implementing Cloud Initiatives

In the sample group, those in the process of implementing cloud computing are inclined to be from midsize companies with 100–999 employees. They tend to be:

  • Driven more than any other stage of implementation category by the need to protect servers and other platform and infrastructure resources from attack (81%) and to protect data (75%)
  • More likely to consider a public cloud (23% versus 2% of those already offering services or in the planning and evaluation stage)
  • More likely to have a localized or regional data centre (57% versus 41% of those already

For further information visit the Intel web site here.


Security is still the biggest technology challenge for retailers

In a communications survey of 60 retailers conducted by Iconnyx, the number one technology challenge for retailers is security, with 47% identifying it as their biggest issue.

The full list of technology challenges for retailers are:

Challenge %
Security 47%
Data storage 20%
Mobile 17%
Ecommerce 10%
Cloud 7%

57% of respondents ranked PCI compliance as a very important business issue.

Other reported business issues were:

  • answering customer calls
  • synchronisation between Point of Sale and card payment machines
  • reducing the overall cost of connectivity to stores

Tim Walker, Iconnyx Managing Director explains:

 “It’s surprising to see that cloud is low on the list of retailer concerns, given that security and PCI compliance is top of the list.

This signals that for retailers, cloud-based technologies are neither seen as a solution nor as an issue. In either instance, use of the cloud can resolve security concerns and could be explored as a reliable means of addressing retailers’ issues.”

The full press release can be found here.


Cloud Computing Risk Assessment from ENISA


In November 2009 the European Network and Information Security Agency (ENISA) published a document titled “Cloud Computing Risk Assessment: Benefits, risks and recommendations for information security”.

The document may be 15 months old, but it is an excellent starting point for any organisation looking to invest in the cloud.

The official ENISA wording is below.

ENISA, supported by a group of subject matter experts comprising representatives from industry, academia and governmental organisations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.

Download the document from the ENISA site here.
