Overcoming the Apprehension of Cloud Computing: Results from the 2012 Cloud Computing Security Survey


SURVEY RESULTS REPORT

Overcoming the Apprehension of Cloud Computing
Results from the 2012 Cloud Computing Security Survey

ALSO: Analysis and Insights
Top Security Concerns
Success Factors
Confronting Risk
Vetting Vendors
Ultimate Responsibility

From the Editor

Confronting Cloud Computing Anxiety

Ask IT security practitioners what's their No. 1 concern about cloud computing, and their most common answer, by far, is data protection. That concern, along with others such as enforcing security policies, maintaining an audit trail and meeting regulatory requirements, makes many organizations anxious about moving critical information and operations to the cloud.

No wonder many of the respondents to Information Security Media Group's Cloud Computing Security Survey express hesitation about putting on the cloud credit card, financial, health, personally identifiable and proprietary information, as well as intellectual property and trade and government secrets.

Despite their jitters, many IT security practitioners feel they have little choice but to pursue cloud computing options. Because of the perceived cost savings the cloud provides, their bosses see the cloud as a way to reduce IT expenses. Besides, IT security practitioners recognize that the cloud will play a crucial role in the future of enterprise computing, so they must identify and implement secure cloud computing practices. In fact, it's already happening.

As you review the 2012 survey results, think about how to turn apprehension into resolve. In reality, many of the practices employed to secure data and systems can be used to provide cloud security. Questions to consider:

What proven IT security practices can be adapted to work on the cloud?

With whom should you partner (from within your own enterprise, third parties, industry colleagues and cloud providers) to safeguard your digital assets on the cloud?

How can you use cloud computing contracts with vendors to protect your interest in safeguarding data on the cloud?

Please let me know how you answer these questions, and share other thoughts you have about the survey and cloud computing security. Your ideas are important in helping all of us at ISMG shape our evolving cloud computing security coverage.

Eric Chabrow
Executive Editor
Information Security Media Group
echabrow@ismgcorp.com

Contents

Overcoming the Apprehension of Cloud Computing: Results from the 2012 Cloud Computing Security Survey

Survey Results
Fundamental Concerns
The Bottom Line
Vetting the Vendor
Confronting Risk
Ultimate Responsibility

Introduction: What's the Survey About?
Hot Topics
Sponsor's Perspective
Scrutinizing the Cloud Provider
6 Principles for Effective Cloud Computing
The Agenda
Action Items
Resources

Implementing cloud computing effectively requires protecting information and preventing its loss.

Sponsored by CSC (NYSE: CSC), a trusted global leader in cybersecurity solutions, protecting some of the nation's and the world's most sensitive government and business systems and networks.

Introduction: What Is This Survey About?

No longer an emerging technology, cloud computing is taking off globally as a way to gain efficient access to critical applications, processes and storage. Security on the cloud is what worries most IT security practitioners. Nearly three-quarters of our respondents cite security as preventing their organizations from adopting cloud services.

[Chart: Not Very Anxious. Do concerns about security prevent your organization from adopting cloud services? Responses: Yes, No. Values: 28%, 72%]

Still, as the 2012 Cloud Computing Security Survey, Overcoming the Apprehension of Cloud Computing, shows, cloud initiatives are relatively new for many organizations. Nearly 1 in 3 survey respondents say their organizations are not using the cloud, a strikingly high percentage considering how quickly the computing platform is maturing. Distrust for its ability to secure data remains a high barrier for many organizations.

[Chart: Types of Clouds. What cloud environments has your organization employed? (multiple answers allowed) Private 54%; None 31%; Public 24%; Hybrid 24%; Community 15%]

And, because of their unease with the cloud, the promises the cloud presents in providing efficient and less costly secure IT solutions have fallen short. More than half of our respondents say their organizations have yet to achieve their cloud computing goals.

[Chart: Achieving Objectives. Have your organization's cloud goals been met? Responses: No, Not much, Yes, Some, Many. Values: 18%, 22%, 30%, 18%, 12%]

[Chart: Popular Offerings. What cloud services does your organization have or will shortly deploy? (only top 5 listed) Application hosting, /messaging, Data storage: 34%, 34%, 29%; Collaboration software 25%; Application development/testing 23%]

Despite jittery responses about the cloud's security from many of the IT security professionals we questioned, the survey reveals that organizations are beginning to turn to the cloud to do much of what they've been doing all along, whether internally or contracting out to vendors using private networks to make the connection. Application hosting and / messaging are among the earliest offerings by cloud providers. The demand for data storage will only increase as the amount of data soars.

Cloud computing is revolutionizing the way businesses, not-for-profits and governments manage their information technology assets because of its potential to save organizations a significant amount of money and enable them to adopt new applications and scale systems to meet their computing needs.

We report a lot about cloud computing security on all of our editorial websites, and we wanted to examine not only cloud security concerns, but how security leaders addressed these concerns through policy, technology and improved vendor management. We asked survey respondents about their:

Top Security Concerns: Were they more anxious about where their data are stored or whether a malicious insider might be a threat to it?

Success Factors: On a scale with cost savings and availability of services, how did security rank among elements critical to a successful cloud computing implementation?

Protective Measures: What were some of the practices organizations employed, from instituting more stringent contracts to enforcing third-party audits and participating in mock security exercises with cloud service providers?

Ultimate Responsibility for Cloud Security: Lots of parties have roles in cloud computing: the IT and IT security organizations, business information owners and cloud providers. Who should be in charge to assure security?

The survey also covered cloud computing trends by industry and region, how senior leaders made their cloud decisions and top cloud-service investments projected for the coming year.

This survey was developed by the editorial staff of Information Security Media Group with the help of members of our brands' Boards of Advisers, which include some of the most prominent experts in IT security and risk management.

The global survey was fielded during the first quarter of Our respondents are involved with cloud computing decision-making within their organizations, determining strategies, establishing priorities, evaluating performance and picking providers; many also help determine their organizations' IT and/or IT security budgets.

Hot Topics

Survey results unveil five key topics that will be explored in depth in this report:

Fundamental Concerns
Survey respondents cite security (27 percent) and costs (24 percent) as the primary considerations when organizations mull cloud use. We explore IT security practitioners' greatest reservations as well as the knowledge and expertise most lacking in their organizations regarding the cloud.

Taking Responsibility
Slightly more than half of our survey takers say the end-user organization (either the business-side/data owners or the IT or IT security organization), and not the cloud provider, has ultimate responsibility to ensure the security of cloud resources. We show 37 percent of respondents either have moved or plan to move critical systems to the cloud.

The Bottom Line
The upside of cloud computing is cost savings: 76 percent of respondents say the cloud will save their organizations money. The survey reveals other benefits of the cloud, including better scalability and improved computing flexibility.

Vetting the Vendor
More than one-third of survey respondents say they employ a third party to attest to the security a cloud provider offers. As we show, organizations employ other ways to vet cloud providers, including conducting their own assessments.

Confronting Risk
Nearly 80 percent of survey respondents say security is a high priority when evaluating a cloud provider. Other risk factors organizations consider include not only whether, but how cloud providers employ encryption.

SPONSOR'S PERSPECTIVE

A Perspective on the 2012 Cloud Computing Security Survey

Samuel Sanders Visner, Vice President and Cyber Lead Executive, CSC

The 2012 Cloud Computing Security Survey conducted by Information Security Media Group reveals persistent concerns regarding the cybersecurity of cloud architectures and cloud adoption. At the same time, particularly in today's economic environment, it is becoming increasingly difficult for information technology professionals to deny the cost advantages and avoid completely the use of cloud architectures and infrastructures. Gaining these benefits means that we must understand these security concerns, and we must address them.

For those IT professionals and organization leaders responsible for the security of vital and sensitive information, cloud cybersecurity is an important challenge, serious enough that nearly one third of the survey's respondents indicated that their organization had not employed any cloud architecture whatsoever, despite the powerful lure of cloud's economic model. Respondents cited a number of concerns, including worries about data protection, issues related to the enforcement of security policy, and fears about data loss.

Data protection is a particularly important concern. Even data that's publicly available should be protected if it's used by companies, individuals, and governments to make daily and, in the case of big data, strategic decisions. Imagine the damage if that information suddenly became unreliable. Organizations need to ensure that their cybersecurity policies and protections cover information assurance, particularly as they seek to unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy, and national security.

The survey shows we still have some way to go to allay these types of cybersecurity concerns. The challenges cited in this survey are consistent with the larger need to define cloud architectures capable of dealing with the security challenges of embedded, industrial control systems and supervisory control and data acquisition (SCADA) systems that are the bedrock of utilities such as power, water, and transportation, as well as manufacturing. It's noteworthy that even the Department of Defense Advanced Research Projects Agency (DARPA) has asked for ideas about how to securely extend cloud architectures to embedded systems used in military critical computing.

How can we best address the security concerns of these diverse organizations and help them gain the wide variety of benefits (cost, flexibility, scalability, advanced technology, etc.) offered by cloud? Here are some things to keep in mind:

First, cloud providers must take a rigorous approach to cloud cybersecurity. Meeting strict security standards, such as those associated with the Federal Information Security Management Act, or FISMA, will take time and careful work. Providers should commit themselves to a disciplined and well-documented approach to meeting those controls.

Second, information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers' approach to meeting those controls. One way to be well informed regarding the controls required is to conduct a risk-based analysis of the value of critical information and systems, as well as the threats that exist to that information and those systems. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it. Remember, too, that while security standards will likely stay consistent, security challenges change frequently. Look for a cloud provider, therefore, that keeps up to speed regarding these challenges and has the means in place to adapt and address them.

And, finally, have a long-term strategy that encompasses using the cloud incrementally. While the use of cloud for applications associated traditionally with the desktop is a good starting point, eventually organizations should look to cloud less as a way of saving money and more as a way of unlocking value. Consider things like what cloud can do over time to make it easier to aggregate, analyze, and exploit big data. Think about how cloud can enable enterprise integration of global supply chains. In other words, think of cloud in combination with other emerging needs and opportunities. While the protection of IP is today's biggest concern, don't overlook your organization's other potential uses of cloud and the need to protect those uses.

The ISMG survey shows that information technology providers want to claim the cloud's benefits, but they are aware of the cybersecurity challenges that must be met to meet those benefits, even in the private cloud context. Organizations should couple this awareness with strategies that are carefully considered and with the selection of cloud and cybersecurity partners who will share and support an enterprise's strategy.

Survey Results

Fundamental Concerns

Organizations must weigh the benefits against the risks when determining whether to implement a cloud computing solution.

[Chart: Under Deployment. What are the top 5 factors mulled when deciding to develop/deploy a cloud solution? Security 27%; Cost 24%; Ability to share data, Resources, Need computing resources quickly: 9%, 8%, 12%]

When exploring a cloud initiative, security is the No. 1 concern. If the data or system can't be secured, then why do it? It's a logical question, and one that must be addressed before organizations employ a cloud solution.

All organizations are under considerable pressure to rein in costs, so seeking a solution that could save money is being pushed by the bosses of those responsible for securing IT. Resources are costly. Getting additional IT resources on the cheap is an objective everyone seeks. But it's also a matter of time. Often, computing resources are needed now, and getting them quickly is a significant reason to turn to a cloud provider.

[Chart: Second Thoughts. What is your greatest reservation about secure cloud computing? Responses: Data protection, Enforcing security policies, Data loss, Audit trail, Meeting regulatory requirements. Values: 9%, 8%, 7%, 14%, 22%]

The survey confirms that data protection is the No. 1 reservation about cloud computing. That's understandable in an era where data are vital assets for many organizations. As IT security lawyer Françoise Gilbert points out, if a cloud provider loses an organization's data, compensation would likely be based on the amount the client paid for the service, not the value of the information to the enterprise. "What you're going to get back is very small; it's dollars, tens of dollars, but it's not millions of dollars," she says. "You get what you pay for. You pay a small amount to hold your data, but in exchange you have to be aware of the risk. Be prepared to be a victim."

The other survey responses here reflect a major problem with having someone else house your data: knowing how it's being protected. How to enforce security policies and/or meet regulators' requirements just adds more complexity to the use of cloud services. There are ways to address these concerns, but they often involve time, money and a good lawyer.

[Chart: No Shows. What data are too risky to put on a private cloud? Responses: Credit card, Intellectual property/trade secrets, Financial, Health, State/government secrets, Proprietary/sensitive, Personally identifiable. Values: 54%, 51%, 49%, 49%, 46%, 45%, 45%]

This question focuses on the private cloud, an offering that's perceived as being more secure than public, community and hybrid clouds. Even with extra security, either a majority or a sizeable plurality of our respondents feel it is too risky to put some very common data on a private cloud. This attitude must change if the cloud is to become a critical platform for IT.

Another reason organizations have shown a reluctance to adopt the cloud at a faster pace is the lack of staff expertise and knowledge about the technology on their own staffs. About three-quarters of the respondents say their technical staffs lack the know-how to deploy cloud solutions. Only 1 in 20 respondents feel his or her staffs are totally versed on the cloud.

[Chart: Missing Links. What types of knowledge or expertise is most lacking in your organization regarding secure cloud computing? (top five answers shown) Security 28%; Technology/Implementation 17%; Compliance 14%; Legal 10%; Standards 10%]

What knowledge is most absent? Security, technology and implementation, compliance, legal and standards, respondents replied. This list of varying skills illustrates why the cloud needs buy-in, not just from the technical staff, but from various parts of the enterprise. Plus, it also shows how complex proper execution of a cloud initiative is.

Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud

Join a distinguished panel of cloud computing experts for the first look at the findings of this perceptive study and how organizations can improve the security of their cloud computing initiatives, including: understanding risks cloud computing presents; mitigating these risks; steps to take to employ cloud computing securely and effectively.

The Bottom Line

Cloud computing investments remain a very small percentage of most organizations' IT budgets. Our survey shows that just over 40 percent of respondents' organizations divvied 10 percent or less of their IT budgets on public, community and hybrid clouds, with just over one-third earmarking money for private clouds. Nearly 40 percent of respondents say their organizations didn't allocate any money for public/community/hybrid clouds; less than a quarter didn't apportion any funds for the private cloud.

Still, cloud computing is perceived to lower costs and provide other benefits to the organization.

[Chart: Wrong Impression. Will cloud computing save your organization money? Responses: Yes, No. Values: 24%, 76%]

The Upside

Why the cloud? Ask anyone involved in cloud computing, and they'll say cost is the primary reason to adopt the technology. Indeed, three-quarters of our respondents say cloud computing will save their organizations money. But there are many other benefits, some that could have a profound impact on how organizations fund IT initiatives.

[Chart: Advantages. What are the benefits of cloud computing? Cost savings, Better scalability: 16%, 23%; Improved flexibility 10%; Switch from CapEx to OpEx 5%; Advanced technology 5%; Compliance 5%; Faster development time 5%]

It's not just that the cloud is seen as a money saver; it provides opportunities to try out new solutions without a hefty investment, or buy storage or processing time, when needed, without a significant investment. Though only 5 percent of our respondents identified the switch from capital expenditure to operational expenditure as the prime benefit of cloud computing, it's a factor that will change the way enterprises approach the funding of IT and IT security. The cloud provides organizations with IT without significant upfront costs. And, as some of our respondents note, the cloud gives organizations access to advanced technology, also without a significant initial outlay.

Vetting the Vendor

[Chart: Checking Out Cloud Providers. What are the primary ways your organization verifies the security your cloud provider offers? (top six answers shown) Responses: Third-party attestation, Conduct own assessment, Joint vulnerability testing with provider, Accept word of provider, We don't verify, Follow lead of another company similar to yours. Values: 5%, 7%, 7%, 16%, 28%, 35%]

IT security managers don't agree on the best ways to verify cloud security providers, but a majority of them agree that some type of formal assessment must be done, whether provided by a third party, done themselves or jointly with the cloud provider.

[Chart: Getting Outside Help. Does your organization employ a third-party organization to certify or attest the security of the cloud provider? Responses: Yes, No. Values: 34%, 66%]

Trusting a cloud provider is crucial. In its guidance, the National Institute of Standards and Technology observes that a lack of visibility of the cloud makes it difficult for users to be confident that providers are in compliance with regulations unless the provider obtains an independent audit from a trusted third party. Even here, the frequency of third-party audits may limit the overall assurance offered, since a cloud system could quietly drift out of compliance.

[Chart: Due Diligence. Who Does the Vetting in Government? (Asked of government respondents only) Third-party provider 57%; Own agency 22%; Another agency 20%]

In the U.S. federal government, a new initiative called FedRAMP (it stands for the Federal Risk and Authorization Management Program) provides for a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The idea is that if one agency vets a cloud provider, other agencies can use that evaluation for their own provider assessment, saving time and money.

Under FedRAMP, third-party assessment organizations perform initial and periodic assessments of cloud provider systems, provide evidence of compliance and play a continuing role in ensuring cloud providers meet requirements. The federal government won't allow agencies to employ a cloud service unless it passes an audit by a third-party assessor to validate and verify it meets FedRAMP requirements.

[Chart: Trustworthiness. Would external certification of a cloud provider increase trust in cloud computing? Responses: Yes, but only if certification data can be reviewed and verified; Yes, but only if this certificate is based upon an agreed standard; Yes, but only if the certifying body can show accreditation; No; Yes, in any case. Values: 13%, 16%, 8%, 25%, 38%]

It all comes down to trust. External certification of a cloud provider is seen as crucial by more than 85 percent of our respondents. Yet, for about half of the IT security practitioners we surveyed, external certification works only if the certification data can be reviewed and validated, if the certifying body can show it's accredited and/or if the certificate is based on an agreed standard.

VENDOR RELATIONS

Scrutinizing the Cloud Provider

A look at how the City of Seattle and Jet Propulsion Laboratory Vet Their Cloud Providers

In a roundtable discussion on the Cloud Computing Security Survey, Seattle Deputy Chief Information Security Officer David Matthews and NASA's Jet Propulsion Laboratory Chief Technology Officer/IT Tomas Soderstrom address how their organizations go about vetting their cloud computing providers. What follows is an edited version of that conversation.

DAVID MATTHEWS: We have a series of questions that we go through in a procurement process. We ask cloud providers to either provide us with a third-party certification and/or allow us to do our own assessment of their site. We ask them about what their uptime promises are; we ask for warranties on their uptime. We ask for information on their records management and recovery issues and business continuity and disaster recovery.

We also use a lot of community connections, too. We talk to other local and state and even federal government partners to try to find out what they're doing and improve their findings if they've got big solutions that are working. We [also get information from] other states through the MS-ISAC (Multi-State Information Sharing and Analysis Center). We are very much a community-oriented group. In the Pacific Northwest here, we look at who's finding good solutions, who's finding people that they feel like they can trust and that are doing a good job. We do that as well as ask the technical sort of questions and the contract questions.

TOMAS SODERSTROM: We vet ourselves first. We don't put everything in one cloud because different clouds are good at different things. If we, for instance, picked one cloud and it was a super, super secure cloud, then we'd be paying too much for security, for content that didn't really need to be secured, whereas if we did the other one, we'd picked some cloud vendor that's wide open, then we couldn't put secure content in it.

The key is to put the appropriate computing and the appropriate storage in the appropriate cloud. We ask a lot of questions from our end users. In fact, we coded it so that when they select a cloud vendor, it does it automatically based on the answers to those questions. It picks it from a short list of cloud vendors. So far we have data in 10 different clouds, and we let the users dictate which one is the stronger.

This is fairly new; we created a Cloud Computing Commodity Board. The board consists of people from IT security, the IT department, legal, procurement, acquisition department, billing and invoicing and a lot from the missions, the people who actually use the clouds. They vet it. We have some mandatory questions, and then some would-be-nice-to-have questions. That's how we get the cloud providers into the JPL marketplace to be picked from the subservice software. By doing that, we can have them come on or off the short list without having to issue an RFP (request for proposal) each and every time. We can put the appropriate content in the appropriate place. The appropriateness really comes down to cost. If we have two choices for every function, then we make sure we don't get locked into any one vendor and that we pay the least we can possibly do.

We also spend a lot of time talking to other entities in the federal government and outside to find out what cloud vendors are doing. Service-level agreements are not a really big thing for us because we collect science data. If we lost that science data from space and we get a few cents back for compute hours, that would not be meaningful. Instead, we look at three strikes and that cloud vendor is out and we'll go somewhere else. We think in terms of service-level understanding because the compute costs are really quite low compared to other normal ways of doing it.

Perhaps most importantly, we talk to the cloud vendors themselves and set up a lot of face-to-face discussions. That's usually through video conference so that our legal people can talk to their legal people, our IT security people can talk to their IT security people and understand how, if we need to do a forensics investigation, how we would do that. We showed them how we get audited and different audits for different types of data and said, "How would you help us pass this audit?"

2012 Information Security Media Group

Confronting Risk

As you examine the next three graphs, you'll come away with the impression that many organizations are relatively immature in regards to cloud computing deployment.

[Chart: It's More than Process. Does your organization have adequate policies/procedures to enable safe and secure cloud use? Yes 41%; No 59%]

The fact that a majority of our respondents say their organizations don't have adequate policies and procedures to enable safe and secure cloud use suggests a lack of sophistication in many organizations' cloud initiatives. As organizations rely more on the cloud for applications and as a platform, look for more enterprises to develop processes for how they should address secure cloud computing.

[Chart: Audit Lessons. Do internal audit reviews provide appropriate feedback to improve cloud security? Yes 50%; No 50%]

The response to the security question of whether internal audits provide appropriate feedback to improve cloud security suggests that internal audits have yet to provide suitable insights into cloud computing.

For many organizations, cloud use is nascent, and not many security audits have been conducted. In addition, auditors in some organizations need to get educated about cloud security in order to provide valuable insight. Look for the yes response to grow in the coming years.

[Chart: Prioritizing Security. How much of a priority is security when evaluating a cloud provider? Responses: High priority, Neither high nor low priority, No/low priority. Values: 11%, 10%, 79%]

Cost may be the principal driver for organizations to adopt cloud computing, but until it's deemed secure, most organizations will approach the cloud with extreme caution.

[Chart: Location, Location, Location. How important is the physical location of cloud servers? Important 54%; Unimportant 12%]

Specifically, we asked how important is it that your cloud provider's servers be situated in the country where your organization is based.

We all know that data can be moved around the globe at lightning speed. Data on the cloud can be stored anywhere. That doesn't sit well with most of our respondents. Not knowing where critical assets are stored can be nerve racking. And, there could be legal reasons, too. Each country has its own laws defining who can have access to data, and having data scattered around the world can give an IT manager a headache.

[Chart: Encryption, Of Course. Does your cloud provider use encryption to protect data? Responses: Yes, No. Values: 22%, 78%]

Encryption, these days, is one of the fundamental ways organizations safeguard their data, whether on laptops, mobile devices, servers and, of course, on the cloud. Employing a cloud provider that offers encryption is a must for the large number of IT security practitioners.

[Chart: To Encrypt or Not to Encrypt? What unencrypted data would your organization put on a cloud provider's server? (Multiple answers allowed) None, Non-regulated: 33%, 43%; Regulated 14%; Employee 12%; Proprietary 11%]

Nearly half of our respondents can't conceive of putting any data on the cloud without the information being encrypted. Organizations must make sure that their legal contracts with cloud providers assure encryption when appropriate.

"The best way to mitigate those risks is to really understand who's got what responsibility and what it's going to cost us to have the right kind of security in place," says Seattle Deputy CISO David Matthews, "and what kind of data actually belongs in the cloud, what kind of encryption processes we're going to use. The best way to avoid nervousness is really have a good contract up front so everybody knows where everybody else stands."

Taking Responsibility

Shared Responsibilities
Who should manage encryption keys?
[Chart, as transcribed: 7%; User Organization 12%; Both 47%; Don't know; Cloud Provider 34%]

A majority of our respondents understand that regardless of the provider they choose, ultimately they're accountable, whether by themselves or jointly with the provider, to assure their data are encrypted on the cloud.

Getting over the Bump
Would you move critical systems to the cloud?
[Chart, as transcribed: No, we don't have plans to do so; Perhaps, but not within 12 months; Yes, we plan to move one or more of our business critical systems to the cloud in the coming months; Yes, one or more of our business critical systems are in the cloud; 19%, 18%, 29%, 34%]

The takeaway from this question is that if not now, a majority of organizations either have or will move critical systems to the cloud soon. That bodes well for the future of cloud computing. It suggests a can-do attitude among organizations that they will find a way to employ the cloud for all types of applications and systems.

6 Principles for Effective Cloud Computing
ISACA Guide Aims to Minimize Cloud Computing Risks

ISACA, the professional association focused on IT governance, counsels that organizations adopting cloud computing should adhere to six principles. Doing so will help enterprises avoid the perils of transferring IT decision-making away from technology specialists to business unit leaders.

Here are ISACA's definitions of the six principles:

Enablement: Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform.
Cost/benefit: Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions.
Enterprise risk: Take an enterprise risk management perspective to manage the adoption and use of cloud.
Capability: Integrate the full extent of capabilities that cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution.
Accountability: Manage accountabilities by clearly defining internal and provider responsibilities.
Trust: Make trust an essential part of cloud solutions, building trust into all business processes that depend on cloud computing.

Ramsés Gallego, the Quest Software security strategist who serves on ISACA's Guidance and Practices Committee, characterizes cloud computing as a game changer, especially for the small and midsize enterprise. "Its availability means that technology infrastructure is not the market differentiator it has been in the past," Gallego says. "These principles will enable enterprises to experience the value that cloud can provide and help ensure that internal and external users can trust cloud solutions."

Trust is key because many people, including IT security experts, lack confidence in the cloud as a platform that assures security and privacy.

"The cloud's availability means the technology infrastructure is not the market differentiator it has been in the past."
RAMSÉS GALLEGO

Allaying Concerns
What controls do you implement to mitigate risks? (Multiple answers allowed)
[Chart, as transcribed: Encryption techniques; Stronger ID/access management controls; Increased due diligence of provider; More auditing of cloud-service provision]

Other controls respondents cite included increased contract management, onsite inspection, adjusted incident management, third-party testing, financial penalties and increased liability for providers.

Among the steps organizations already are taking to secure cloud data are tried-and-true IT security tools and processes, including encryption, strong identity and access management controls and more audits.

The Guardians
Who's responsible for ensuring security of cloud resources?
[Chart, as transcribed: Cloud Provider; 37%, 43%, 42%, 60%; IT or IT security organization; Business side/data owner; 38%, 48%]

In the end, it's the users' responsibilities to ensure the security of their cloud implementations. Tomas Soderstrom, chief technology officer/IT at NASA's Jet Propulsion Laboratory, sees the end-user organization as ultimately responsible for securing their organization's IT. But, he points out, an end-user organization consists of many different entities (IT, information security, business units, operations and so on); thus, they must collaborate.

"The real enabler here becomes the IT security people," Soderstrom says. "They need to become consultants to show the business how to secure the data and be able to put it securely in the cloud. Because if they don't, all of a sudden there could be a security breach, and it could shut down the whole organization's use of the cloud."

A slim majority of respondents say it's their organization, not the provider, who's responsible for ensuring the security of cloud resources. It's your data and systems, and it wouldn't be wise to outsource the responsibility for IT security to someone else, even if they are the ones who are hosting your IT assets.

The fact that more of our respondents feel the IT or IT security organization rather than the business or data owners should assume that responsibility reflects the fact that there isn't just one business-side organization employing the cloud in most enterprises, and that it's not unusual for enterprises to employ more than one cloud provider. Someone must be in charge.

EXPERT INSIGHTS

Ultimate Responsibility
Accountability for securing data doesn't change because of a move into the cloud.

ISMG: What are the responsibilities of the end-user organization, regardless of the contract, to make sure that its data is secure?

DAVID MATTHEWS: The responsibility that you have for securing your data doesn't change because you move into a cloud environment; they're exactly the same. You have to treat it that way from the very beginning. You have to look at everything that you could do to classify your information, protect your information, to be able to have access to your information. You have to find a way to do those exact same things and move into the cloud through contract or through the vetting processes. The legal issues have to be well understood as well. So they really don't change. One of the things that people thought [was], "Maybe we could get out from under some of this risk if we move things to the cloud." We just have to assume that we've got, if anything, maybe more risk, or a different kind anyway.

FRANÇOISE GILBERT: I would agree with that. It's your data, and you're responsible for it and it's irrelevant what you do with it. Whether you put it in the cloud or in the trunk of your car, it's your responsibility. It may be even more responsibility than before because there are situations where the cloud provider does not have a clue about the data that you have. You could put in a cloud the secret to the atomic bomb and the cloud provider wouldn't know because that's not their business. Their business is to provide you with, if you want, a big safe deposit box where you put your information. What you put in that safe deposit box they don't know. If you have very important information, it's your responsibility to make the decision whether or not you put it there, how you protect it and what kind of security measures you can use to protect that information because the cloud provider would not know the nature of the information.

David Matthews is deputy chief information officer for the City of Seattle. Françoise Gilbert, a lawyer specializing in IT security and privacy, is a founder and managing director of the IT Law Group.

The Agenda

Top officials at businesses, not for profits and governments around the world are pressuring their IT and IT security organizations to adopt cloud computing because of the potential savings it offers. Technologists know of the security challenges that make widespread adoption of cloud services difficult, but in many instances, employing this new technology is doable; the vulnerabilities can be addressed.

Understanding the current state of cloud computing, whether at your organization or those of others, will help you address the evolving challenges of secure cloud computing. But these challenges can't be mitigated until enterprises, including internal business operations as well as IT and IT security organizations, figure out what they have and how to improve on it. Cloud will evolve into something much different in the coming years.

In the end, implementing cloud computing effectively requires protecting information and preventing its loss. Traditional means to safeguard data such as encryption work in the cloud environment as well, and should not be ignored.

The Bottom Line
Cloud computing provides organizations with a lot of flexibility in how they fund and deploy information technology securely. The cloud allows organizations to introduce new technologies with far less upfront costs, as they switch from capital expenditures to operational expenditures. This will not only allow organizations to be more flexible with limited financial resources, but with introducing new applications and products. The cloud also gives organizations entry to advanced technologies without considerable initial costs.

Fundamental Concerns
Clues to how organizations will use cloud computing securely in the coming months and years can be found in the research. Cutting costs is a major reason why organizations migrate to the cloud, but other factors are likely to surface, including the need to quickly obtain additional computer resources. This will require processes to assure that the adoption of cloud computing can be done efficiently and securely.

Vetting the Vendor
Most organizations cannot move to the cloud alone. They need a third-party vendor to help them scrutinize the reliability of cloud providers. Trust is a fundamental trait of information risk and IT security, and that's amplified in the cloud. And as the vast majority of our respondents say, external certification of cloud providers builds trust in them. Before you get a third-party to vet your cloud providers, make sure you can trust the organization you retain to conduct the evaluation. Look to the federal government's FedRAMP program, which certifies third-party evaluators, for preapproved vetters. Also, conduct your own due diligence of third-party certifiers and the cloud providers. The data you protect belong to you; ultimately, it's your responsibility, as well as your legal obligation, to assure the security of information and systems.

Confronting Risk
The anxiety many IT security pros express about adopting cloud services is understandable. But you don't need Valium to calm those nerves, just best practices. And among the best practices to employ is the encryption of crucial data to be housed on the cloud. Other steps to take to mitigate risk include employing stronger identity and access management controls, auditing the cloud provider and conducting onsite inspections. In some respects, cloud computing isn't new. Organizations have been outsourcing computing services for decades. So use proven IT security tools and processes to assure the security of your cloud ventures.

Ultimate Responsibility
Take responsibility. It's your data, your systems that are at stake, and in the end, the buck stops with you. Ultimately, as IT security professionals, security is your responsibility. But that doesn't mean you should do it alone. Partner with your organization's IT and business organizations as well as the cloud provider.

The cloud offers many benefits, and as you become more comfortable with its security, be the evangelist in your organization for the technology. Though cloud computing is not a panacea, at least not yet, enterprise computing is heading to the cloud. Implemented properly and securely, cloud computing will add value to your organization's growing need for safe computing.

Action Items

1. Create a Team
Organize stakeholders within and outside your organization to address the security concerns of cloud computing. No single individual or group owns cloud computing, but the IT and IT security organizations are best situated for getting all participants together.

2. Employ What You Know
In many respects, cloud computing isn't new; it's just another version of outsourcing that organizations have employed for decades. The same tools and processes you used to secure your systems in the past can be employed to protect your digital assets in the cloud: encryption, stronger identity and access management controls, audits and onsite inspections.

3. Network
Talk to other organizations in your field as well as industry groups, such as information sharing and analysis centers, to determine how they approach secure cloud computing.

4. Perform Due Diligence
Whether you use a third party, piggyback on other trusted organizations, such as the U.S. federal government's FedRAMP initiative, do it yourself or a combination of all three, it's essential that you vet the security your cloud provider furnishes. Ultimately, it's your responsibility to protect your information and systems.

5. Just Do It
Pilot cloud initiatives that contain non-sensitive information. In doing so, you'll learn ways to secure data that will prove useful when you seek to safeguard sensitive data in the cloud. You'll also learn to deal with cloud computing vendors.

Resources
Learn more about the key issues driving secure cloud computing

InfoRiskToday features extensive coverage of cloud security. Here's a sampling:

NIST Issues Long-Awaited Cloud Guidance
NIST has published its long-awaited cloud computing guidance, Special Publication : Cloud Computing Synopsis and Recommendations, which addresses risk management and other security matters.
nist-issues-long-awaited-cloud-guidance-a-4810

Tips for Contracting Cloud Services
Cloud services contracts often provide little to no wiggle room for organizations. In planning to use cloud computing services, what steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.
tips-for-contracting-cloud-services-a-4797

Linking the Cloud to Continuous Monitoring
NIST information risk management evangelist Ron Ross sees continuous monitoring playing a vital role in securing cloud computing.
linking-cloud-to-continuous-monitoring-a-4520

FedRAMP Security Controls Unveiled
The federal government has issued some 170 controls for FedRAMP, the program designed to vet cloud computing providers for federal government agencies.
fedramp-security-controls-unveiled-a

Essential Characteristics of Cloud Computing
To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they're getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.

Realms of Cloud Security Services
Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

Cloud Computing: 5 Topics for the Boss
Here are the top five cloud computing security risks and concerns CISOs must discuss with their managers.
topics-for-boss-a-3554

Cryptography in the Cloud
There's no better way to secure critical data than through cryptography, especially when that data is stored in the cloud, says cryptography expert Ralph Spencer Poore.

2012 Information Security Media Group, Corp. 4 Independence Way, Princeton, NJ


More information

5 Things to Look for in a Cloud Provider When it Comes to Security

5 Things to Look for in a Cloud Provider When it Comes to Security 5 Things to Look for in a Cloud Provider When it Comes to Security In This Paper Internal technology services that lack resources, rigor or efficiencies are prime candidates for the cloud Understand the

More information

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

Procurement Team Certification: 5 Benefits That Procurement Leaders Can t Afford To Ignore 1

Procurement Team Certification: 5 Benefits That Procurement Leaders Can t Afford To Ignore 1 Procurement Team Certification: 5 Benefits That Procurement Leaders Can t Afford To Ignore 1 Procurement Team Certification: 5 Benefits That Procurement Leaders Can t Afford To Ignore Procurement transformation.

More information

What is Penetration Testing?

What is Penetration Testing? White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

INFORMATION SECURITY CYBER LIABILITY RISK MANAGEMENT. October 2013. Sponsored by:

INFORMATION SECURITY CYBER LIABILITY RISK MANAGEMENT. October 2013. Sponsored by: 2013 INFORMATION SECURITY CYBER LIABILITY RISK MANAGEMENT & October 2013 & INFORMATION SECURITY CYBER LIABILITY RISK MANAGEMENT: The Third Annual Survey on the Current State of and Trends in Information

More information

DESCRIBING OUR COMPETENCIES. new thinking at work

DESCRIBING OUR COMPETENCIES. new thinking at work DESCRIBING OUR COMPETENCIES new thinking at work OUR COMPETENCIES - AT A GLANCE 2 PERSONAL EFFECTIVENESS Influencing Communicating Self-development Decision-making PROVIDING EXCELLENT CUSTOMER SERVICE

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to

More information

Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose

Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose SPONSORED BY WhatWorks is a user-to-user program in which security managers who have implemented effective Internet security

More information

One View Of Customer Data & Marketing Data

One View Of Customer Data & Marketing Data One View Of Customer Data & Marketing Data Ian Kenealy, Head of Customer Data & Analytics, RSA spoke to the CX Network and shared his thoughts on all things customer, data and analytics! Can you briefly

More information

Cloud Computing Guidelines

Cloud Computing Guidelines 1 Cloud Computing Guidelines Contents Introduction... 3 What is cloud computing?... 3 Why use cloud computing?... 4 The building blocks of cloud computing... 8 Best practice guidelines... 12 The legal

More information

DEFINITELY. GAME CHANGER? EVOLUTION? Big Data

DEFINITELY. GAME CHANGER? EVOLUTION? Big Data Big Data EVOLUTION? GAME CHANGER? DEFINITELY. EMC s Bill Schmarzo and consultant Ben Woo weigh in on whether Big Data is revolutionary, evolutionary, or both. by Terry Brown EMC+ In a recent survey of

More information

Two Factor Authentication - A Simple Way to Compare Costs and Risks

Two Factor Authentication - A Simple Way to Compare Costs and Risks The Hidden Costs and Risks of DIY Two Factor Authentication Foreword Dave Abraham examines the real costs involved in implementing and managing two factor authentication (2FA) in-house. Dave Abraham is

More information

Develop an intelligent disaster recovery solution with cloud technologies

Develop an intelligent disaster recovery solution with cloud technologies Develop an intelligent disaster recovery solution with cloud technologies IBM experts share their insight on how cloud technologies can help restore IT operations more quickly, reliably and cost-effectively

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

Managing the Ongoing Challenge of Insider Threats

Managing the Ongoing Challenge of Insider Threats CYBERSECURITY IN THE FEDERAL GOVERNMENT Managing the Ongoing Challenge of Insider Threats A WHITE PAPER PRESENTED BY: May 2015 PREPARED BY MARKET CONNECTIONS, INC. 11350 RANDOM HILLS ROAD, SUITE 800 FAIRFAX,

More information

How to navigate the world of managed services and outsourcing

How to navigate the world of managed services and outsourcing - How to navigate the world of managed services and outsourcing A publication of : Introduction 3-5 The State of the Cloud 6-10 Navigating the In-between 11-17 The Managed Services Edge 18-23 Getting your

More information

Private Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Private Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc. Private Clouds Krishnan Subramanian Analyst & Researcher Krishworld.com A whitepaper sponsored by Trend Micro Inc. Introduction Cloud computing has completely transformed the way business organizations

More information

How To Understand The Reasons For A Cloud-Based Server Farm

How To Understand The Reasons For A Cloud-Based Server Farm 2011 Virtualization and Evolution to the Cloud Survey GLOBAL RESULTS CONTENTS Evolution of IT... 4 Methodology... 6 Focus... 8 Finding 1: Gaps between expectations and reality reveal market evolution...

More information

How To Choose A Cloud Computing Solution

How To Choose A Cloud Computing Solution WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

More information

Ensuring security the last barrier to Cloud adoption

Ensuring security the last barrier to Cloud adoption Ensuring security the last barrier to Cloud adoption Publication date: March 2011 Ensuring security the last barrier to Cloud adoption Cloud computing has powerful attractions for the organisation. It

More information

Providing a quality IT Support & Consultancy service in the South East

Providing a quality IT Support & Consultancy service in the South East Providing a quality IT Support & Consultancy service in the South East At M2 Computing, we provide flexible, affordable IT consultancy and systems support across the South East. With a proven track record

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

SMALL BUSINESS REPUTATION & THE CYBER RISK

SMALL BUSINESS REPUTATION & THE CYBER RISK SMALL BUSINESS REPUTATION & THE CYBER RISK Executive summary In the past few years there has been a rapid expansion in the development and adoption of new communications technologies which continue to

More information

Why you really do need to consider a WMS? - A white paper by Clydebuilt Business Solutions Ltd

Why you really do need to consider a WMS? - A white paper by Clydebuilt Business Solutions Ltd Why you really do need to consider a WMS? - A white paper by Clydebuilt Business Solutions Ltd Why you really do need to consider a Warehouse Management System? Times are changing and more often than not

More information

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: 01304 814800 Fax: 01304 814899 info@thebunker.net Buyer s Guide to Secure Cloud Buyer s Guide to Secure Cloud An executive guide to outsourcing IT infrastructure and data storage using Private Cloud as the foundation. Executives derive much confidence

More information

Past vs. Present: Third Party Risk

Past vs. Present: Third Party Risk Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor

More information

Protecting Patient Data in the Cloud With DLP An Executive Whitepaper

Protecting Patient Data in the Cloud With DLP An Executive Whitepaper Protecting Patient Data in the Cloud With DLP An Executive Whitepaper. Overview Healthcare and associated medical record handling organizations have, for many years, been utilizing DLP, Data Loss Prevention

More information

Navigating the NIST Cybersecurity Framework

Navigating the NIST Cybersecurity Framework Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity

More information

1 Introduction. 2 What is Cloud Computing?

1 Introduction. 2 What is Cloud Computing? 1 Introduction Table of Contents 1 Introduction 2 What is Cloud Computing? 3 Why is Cloud Computing important? 4 Why Cloud deployments fail? 5 Holistic Approach to cloud computing implementation 6 Conclusion

More information

10 Hidden IT Risks That Threaten Your Financial Services Firm

10 Hidden IT Risks That Threaten Your Financial Services Firm Your firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine your business without IT. Today,

More information

Three Attributes of Every Successful Merchant Services Program-20140604 1602-1

Three Attributes of Every Successful Merchant Services Program-20140604 1602-1 Three Attributes of Every Successful Merchant Services Program-20140604 1602-1 [Start of recorded material] [Starts Mid Sentence] thank everyone that s joined the call today. I know everybody is busy with

More information

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION 2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION April 2014 Sponsored by: 2014 Network Security & Cyber Risk Management:

More information

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors Bringing the Cloud into Focus A Whitepaper by CMIT Solutions and Cadence Management Advisors Table Of Contents Introduction: What is The Cloud?.............................. 1 The Cloud Benefits.......................................

More information

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare

More information

Virtualization and Evolution to the Cloud Survey UNITED KINGDOM RESULTS

Virtualization and Evolution to the Cloud Survey UNITED KINGDOM RESULTS 2011 Virtualization and Evolution to the Cloud Survey UNITED KINGDOM RESULTS CONTENTS Evolution of IT... 4 Methodology... 6 Focus... 8 Finding 1: Gaps between expectations and reality reveal market evolution...

More information

Three secrets of UC success: culture, choice and the cloud.

Three secrets of UC success: culture, choice and the cloud. WHITEPAPER Three secrets of UC success: Beyond expectation. www.azzurricommunications.co.uk Introduction. Unified Communications (UC) brings together multiple real-time and offline communication tools

More information

Awareness, Trust and Security to Shape Government Cloud Adoption

Awareness, Trust and Security to Shape Government Cloud Adoption Awareness, Trust and Security to Shape Government Adoption Awareness Trust Security A white paper by: April 1 1 Executive Summary The awareness, trust and security issues that have limited federal government

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

Best Practices - Remediation of Application Vulnerabilities

Best Practices - Remediation of Application Vulnerabilities DROISYS APPLICATION SECURITY REMEDIATION Best Practices - Remediation of Application Vulnerabilities by Sanjiv Goyal CEO, Droisys February 2012 Proprietary Notice All rights reserved. Copyright 2012 Droisys

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Managing Growth, Risk and the Cloud

Managing Growth, Risk and the Cloud Managing Growth, Risk and the Cloud Executive Summary of Independent Market Research Commissioned by Zenium Data Centers Spring 2015 Foreword Rising data volumes combined with the always on approach to

More information

LEARNING. Cloud Computing: An Evolving Infrastructure for Learning THINK TANK EXECUTIVE

LEARNING. Cloud Computing: An Evolving Infrastructure for Learning THINK TANK EXECUTIVE INSIGHTS Cloud Computing: An Evolving Infrastructure for Learning Six Important Considerations to Examine Before Moving to The Cloud Discussion April 20, 2011 Learning Executive Think Tank Best Practices

More information

7 Secrets To Websites That Sell. By Alex Nelson

7 Secrets To Websites That Sell. By Alex Nelson 7 Secrets To Websites That Sell By Alex Nelson Website Secret #1 Create a Direct Response Website Did you know there are two different types of websites? It s true. There are branding websites and there

More information