12:16 AM
Connect Directly

Cloud Security Measures Too Opaque For Customers

With nearly half of IT managers avoiding cloud services over worries that their data will be leaked, it is time for cloud providers to become more transparent

The apparent cost benefits and flexibility of cloud services may have convinced companies' front offices to dive into the cloud, but convincing corporate security teams is another matter.

Nearly seven out of eight information-technology professionals do not trust cloud providers to protect their companies' most sensitive data, according to a recent survey conducted by Lieberman Software, a provider of privileged access management products. The majority would not trust cloud providers with their own personal data, either.

It's not necessarily about hackers and cybercriminals. Security-sensitive firms are concerned that a rogue employee at a cloud service provider or a government agency could access their data without their knowledge, says Philip Lieberman, president of the firm.

"The big problem is there is a lot of opaqueness in what cloud providers do," he says. "Companies want transparency, access to audit log data, and visibility into internal controls that go beyond best practices."

The survey, conducted at the Cloud Security Alliance (CSA) Summit in November and released last week, collected responses from 300 IT professionals, with 70 percent representing companies with more than 1,000 employees and half working at companies with more than 5,000 employees.

The disconnect between cloud providers and their customers on the topic of security has been highlighted by other studies as well. In a 2011 study by the Ponemon Institute, more than two-thirds of IT managers placed responsibility for the security of their data with the cloud provider, while only one-third of providers agreed. A more recent Ponemon survey (pdf) found that IT professionals nearly equally split over who should take responsibility for the security of applications in the cloud: A third tasked cloud providers with the security of their applications, a third responded that security was a shared responsibility, and a bit less than a third placed the onus on the company to secure their own applications in the cloud.

[Anyone with access to your cloud providers' servers has access to your data. Don't think burglars or Ethan Hunt of 'Mission Impossible': think insiders and search warrants. See The Physical Security Factor With Cloud Providers.]

While customers are gaining trust in their cloud providers, the process is extremely slow because cloud services have failed to give customers visibility into their security measures, says John Howie, chief operating officer for the Cloud Security Alliance.

"Cloud providers can only really win the hearts and minds of their customers if they are open and transparent," Howie says. "Don't treat the cloud as a black box and tell the customers, no, you can't see the inner workings."

Through its Security, Trust and Assurance Registry (STAR), the Cloud Security Alliance gives cloud providers a way to publicly state some of their security measures to satisfy concerns. To date, more than a score of companies have published their answers to a self-assessment questionnaire to provide more information to customers.

However, the CSA believes that more is needed--but not too much more. A combination of certifications, standards, and audit reports could give cloud consumers enough information to gauge a provider's security without giving up too much information about security measures to potential attackers. At the RSA Conference at month's end, the CSA plans to publish a position paper that will discuss how much detail cloud services should share with their customers.

For that to work, however, companies need to talk to their security teams to gauge their needs as well. Many firms subscribe to a cloud service as an end run around the information-technology department with little thought about security, says Larry Ponemon, chairman of the Ponemon Institute, a business intelligence and survey firm.

"The security people are out of the loop," he says. "A lot of the companies we talk to don't even talk to their CISOs about moves to the cloud."

Adding security through a cloud security broker or hybrid cloud infrastructure can help mitigate risk and significantly reduces the level of trust a company needs to have in their service provider. Yet, such technologies can undermine the cost advantage that convinced the company to move to the cloud in the first place, says Ponemon.

Unless companies indicate their displeasure at cloud providers' lack of security--or at least, the lack of visibility into cloud providers' security--change will continue to be slow, says Lieberman.

"Cloud providers are not going to provide security until customers demand it, and it becomes a roadblock to revenue," he says. "It is a chicken-and-the-egg problem: Cloud providers don't want to provide security and large companies don't want to deploy it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/14/2013 | 5:10:01 PM
re: Cloud Security Measures Too Opaque For Customers
This is great information and these are issue that are real and looming for businesses contemplating the cloud. Your provider's security matters as long as they can see your data, but if you use end-to-end encryption such that your data is not-ádecrypt-able-áby your provider you don't have to worry about confidentiality or integrity - only availability. We call what is described here the Cloud Gap (
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before IF28, 7.3 before IF30, and 7.4 before IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.