Despite their concerns about cloud computing security, cloud computing users aren’t taking all the steps they can to secure cloud computing, according to a recent survey of 1,200 IT pros in the U.S.
The survey by CDW LLC, a national IT solution provider based in Vernon Hills, Ill., polled IT pros from a variety of industries on their companies’ use of cloud computing and found that 28% are using cloud services today. Security continues to be a roadblock for cloud adoption for both non-cloud using organizations (45%) and cloud users (32%), the study showed.
At the same time, however, the results indicated that cloud users aren’t taking advantage of available security features or aren’t verifying their cloud provider’s security. Among the findings: Only 54% said they encrypt data in transit, 50% manage employee access to cloud applications, and 44% require password changes every 90 days.
“Good security practices apply everywhere. The things you should be doing for traditional IT are in many ways the exactly the same things you should be doing in a cloud environment,” David Cottingham, senior director of managed services at CDW, said in an interview.
He acknowledged that some security functions cited in the survey, such as physical security of a data center, are out of the hands of a cloud customer. But he added that the study showed cloud users aren’t taking steps to ensure their cloud providers are doing the security they say they’re doing. Only 31% of cloud users said they certify their cloud provider’s security measures. Customers should conduct high-level audits and ask for proof of a cloud vendor’s security claims, whether that’s PCI DSS certification or a SAS 70 Type II report.
“What are the standards, policies, procedures the cloud provider has in place? If you get a blank stare when you ask those questions, you probably want to move to the next provider,” Cottingham said.
The study showed that companies are using cloud computing mostly for commodity applications such as email, file storage and video conferencing. Cottingham said they may figure the cloud provider’s security is good enough for those types of applications, and are holding back on moving more critical data to the cloud.