Also, more than half of IT professionals surveyed said their organizations’ IT staff is not knowledgeable about the potential risk of open firewall ports in cloud environments, according to the survey of 682 IT professionals in working in US organizations that use hosted or cloud servers.
A majority of respondents rated their organizations’ overall management of cloud server security as fair or poor; only 9% rated it as excellent, according to the survey.
“The study’s findings are, number one most organizations' cloud servers are vulnerable….[Second] it appears that IT security personnel don’t fully understand the risk. Finally, securing and generating reports for cloud servers may be a problem. It is this whole issue of how do we establish a level of control when the server is in someone else’s custody”, Larry Ponemon, chairman of the Ponemon Institute, told Infosecurity.
In addition, there was considerable confusion about who is responsible for cloud security. According to the survey, 36% of respondents said that the cloud provider is responsible for security, 31% said the customer is responsible, and 33% said both are responsible.
Respondents had similar confusion about who is responsible for cloud security within their own organizations. Only 17% said that the IT security personnel were responsible for cloud security, 41% said IT operations was responsible, 20% said the managed service provider was responsible, and 15% said the particular business unit that was contracting with the cloud providers was responsible.
“For an IT person to say the person who is responsible for IT security 15% of the time is a business unit person…is interesting. Typically, IT likes to take responsibility for any IT resources, not give it up. This finding correlates to something we see quite often, which is the business units are adopting cloud more rapidly than IT itself….In many cases, IT might not be involved or even know about [a cloud services contract]….So IT might be saying, 'We are not going to accept the risk if we are not going to manage it'”, Dave Meizlik, vice president of marketing at Dome9, told Infosecurity.
Close to three-quarters of respondents said automation is important to cloud firewall policy management; 78% of respondents said the most important feature to cloud server security is the ability to close ports automatically, so they do not have to manually reconfigure their firewall.
“A large portion of our respondents recognize that automated tools are absolutely essential in dealing with the cloud security issue”, Ponemon said.
More than one-third of respondents reported that their organizations could not manage access to the cloud or generate reports efficiently; 29% said they manage access through the cloud provider’s tools but could not see the access reports.
A full 42% of respondents fear they would not know if their organizations’ applications or data were compromised by a security exploit or data breach involving an open port on a cloud server; 39% think that their cloud provider would tell them if they were hacked; and 19% said that their internal system would let them know.
“We have the fast and furious push to the cloud environment. But there are these potential security holes that exist that need to be filled. A lot of organizations don’t understand the type of risk that occurs because they are not managing firewalls on the provider’s side”, Ponemon concluded.