Cloud service providers don’t view security as a priority, spending little on it and shifting the responsibility to their customers, according to a study on cloud provider security released Thursday.
The study, conducted by independent research firm Ponemon Institute and sponsored by Islandia, N.Y.-based CA Technologies, surveyed 103 cloud service providers in the U.S. and 24 in Europe representing a mix of cloud service and deployment models. Seventy-nine percent said they allocate 10% or less of IT resources to security and control-related activity.
Fewer than 20% view security as a competitive advantage, and fewer than 30% consider security an important responsibility. In fact, 69% said they believe security is primarily the responsibility of the cloud user. Only 29% of public cloud providers are confident the applications and resources they provide are secure.
Instead of security, cloud providers are focused on meeting customer demand for reduced cost and speed of deployment, the study showed. Those surveyed ranked lower costs and faster deployment as the top reasons for their customers to migrate to a cloud computing environment.
Right now, organizations are focused on moving their least sensitive data and applications to the cloud for cost savings and rapid deployment, leading to cloud providers not making security a priority, Matthew Gardiner, director in the security business unit at CA, said in an interview.
“For the cloud to become a really dominant IT architecture, it needs to inherit more sensitive enterprise data and applications,” he said. “There’s the possibility if the market doesn’t mature fast enough on that front, you might run into a stall.”
The study was the second part of a two-part series about the state of cloud security by the Ponemon Institute. The first one, released a year ago, surveyed 642 cloud service customers in the U.S. and 283 in Europe. That first study showed that cloud users also aren’t willing to assume responsibility for security in the cloud: Only 35% said they believe they are the most responsible for ensuring the security of resources provided by a cloud provider.
The first study also showed that organizations are lagging when it comes to assessing cloud providers. Only 36% of U.S. respondents said their organization is vigilant in conducting audits or assessments of cloud providers before deployment.
A majority of the service providers surveyed (55%) said they offer SaaS; 34% offer IaaS and 11% provide PaaS. Sixty-five percent of the respondents deploy their services in a public cloud environment, while 18% deploy in the private cloud, and 18% are hybrid.
Most of the respondents (91%) don’t offer Security as a Service from the cloud, but about one-third are considering offering a security service in the next couple of years.