Sponsored by CA Technologies
Independently conducted by Ponemon Institute LLC
Publication Date: April 2011
Ponemon Institute© Research Report
Security of Cloud Computing Providers Study
Presented by Ponemon Institute, April 2011
I. Executive Summary

CA Technologies and Ponemon Institute are pleased to present the results of the Security of Cloud Computing Providers Study. This paper is the second in a two-part series about the state of security in the cloud. The first study, released in May 2010, was entitled Security of Cloud Computing Users [1]. The purpose of both studies is to learn how users and providers of cloud computing applications, infrastructure and platforms are addressing the need to safeguard information in the cloud. In Parts I and II of this report (Executive Summary and Key Findings), we present the results of the cloud provider study. In Part III, we compare and analyze the results of the cloud provider and cloud user studies.

Cloud computing has been defined as the use of a collection of distributed services, applications, information and infrastructure comprised of pools of computer, network, information and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned using an on-demand utility-like model of allocation and consumption [2]. Cloud service delivery models are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

We surveyed 103 cloud service providers in the US and 24 in six European countries for a total of 127 separate providers. Respondents from cloud provider organizations say SaaS (55 percent) is the most frequently offered cloud service, followed by IaaS (34 percent) and PaaS (11 percent). Sixty-five percent of cloud providers in this study deploy their IT resources in the public cloud environment, 18 percent deploy in the private cloud and 18 percent are hybrid.

Cloud computing providers: Most salient findings

Following is a summary of the most salient findings from our study of cloud computing providers. We expand upon these findings in the next section of the paper.
The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.

The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.

Buyer beware – on average, providers of cloud computing technologies allocate 10 percent or less of their operational resources to security, and most do not have confidence that customers’ security requirements are being met.

Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
[1] See Security of Cloud Computing Users, Ponemon Institute, May 2010.
[2] See Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Computing Architectural Framework, Cloud Security Alliance, p. 15, April 2009.
The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than...