The majority of cloud providers (69%) believe security is primarily the responsibility of the cloud user; this contrasts with 35% of cloud users who believe security is their responsibility, according to the survey. Just 16% of cloud providers feel security is a shared responsibility, compared to 33% of cloud users who believe the duty should be shared.
“We are at the finger pointing stage where it is unclear from the security perspective who is responsible…The right answer is joint responsibility”, said Matthew Gardiner, director of security business at CA Technologies.
“At the end of the day, for the system which has both on-premise and off-premise applications, a joint set of security controls needs to occur….Until both sides recognize the responsibility is joint, there will be this gulf between the needs and expectations of one side and the other”, he told Infosecurity.
Ponemon Institute surveyed 103 cloud service providers in the US and 24 in six European countries for a total of 127 separate providers.
Gardiner said he believes confusion over who has responsibility for security in the cloud will affect deployment of cloud services in the long term.
“You are seeing a lot of companies doing a little bit of cloud, which means from the cloud providers perspective, they are getting a lot of business. But when you start moving from the less sensitive data and applications to the more sensitive, rational organizations will look at the trade-off between storing them inside or outside, and security is one of the things they look at. If they don’t find a satisfactory answer, they stay inside. This inhibits cloud adoption”, Gardiner said.
The survey also found that cloud providers and cloud users disagree on the degree to which they see intellectual property (IP) being too sensitive for the cloud; 68% of cloud users felt their IP was too risky for cloud use, compared to just 42% of cloud providers.
Less than 20% of cloud providers across the US and Europe view security as a competitive advantage. Fewer than 30% of respondents consider security as an important responsibility. Less than 27% of respondents feel their cloud services substantially protect and secure customer information.