The study, conducted by the Ponemon Institute and sponsored by San Jose, Calif-based encryption provider Vormetric, surveyed 613 IT and infosecurity pros and 405 compliance and privacy professionals. While 49% of the compliance respondents believe IaaS (Infrastructure as a Service) providers are as secure as their organizations’ on-premise IT infrastructure, only 33% of the IT respondents think that’s the case.
Also, while 52% of compliance pros think their organization has sufficient policies and procedures to enable IaaS security, only 34% of IT pros think so.
Larry Ponemon, chairman and founder of the Ponemon Institute, said in an interview he expected compliance practitioners would be more concerned about cloud security issues. “It’s really hard to manage compliance, especially for privacy and data protection in the cloud environment, so we assumed they’d be more skeptical about security in the cloud. What we found is pretty much the opposite,” he said.
IT and security professionals are closer to cloud security issues than compliance pros, who aren’t necessarily dealing with the potential new security challenges cloud environments bring, he said.
The study also indicated that organizations haven’t clearly defined who is responsible for defining, implementing and enforcing cloud security requirements. Twenty-one percent of compliance officers said they are responsible for defining the requirements, while 22% of IT respondents point to business unit leaders. Both groups said business unit leaders are responsible for enforcing cloud security requirements and no one business role has responsibility for implementing cloud security.
“One of the responses that was frequently cited [by survey participants] was no one party or group has the responsibility,” Ponemon said. “When you don’t have a point person or organization with that responsibility, it tends not to get done.”
There were some areas where both IT and compliance respondents agreed. The majority (75%) of survey participants said their organizations either have selected or are likely to select cloud vendors without vetting the vendors’ security practices. And more than half of respondents said their organizations’ internal auditors do not review or provide feedback on the security in the cloud infrastructure environment.
This study was the fourth conducted by the Ponemon Institute on cloud security issues and cloud governance. One released in the spring indicated that cloud service providers don’t view security as a priority.
Ponemon said cloud providers, especially ones that supply IaaS, continue to focus on cost and convenience, but he sees cloud security improving as companies implement more technologies such as encryption, tokenization and security tools designed for the cloud environment. Until then, though, he expects there will be “some mega data breaches or security exploits” involving the cloud.
“There needs to be a lot of pain before a there’s lot of gain,” he added.