Page 1: B-ponemon Institute Flying Blind in the Cloud WP.en-us

8/9/2019 B-ponemon Institute Flying Blind in the Cloud WP.en-us

http://slidepdf.com/reader/full/b-ponemon-institute-flying-blind-in-the-cloud-wpen-us 1/27

 

Flying Blind in the Cloud

The State of Information Governance

Sponsored by Symantec
Independently conducted by Ponemon Institute LLC

Publication Date: April 7, 2010

Ponemon Institute© Research Report


The State of Information Governance

Prepared by Ponemon Institute, April 7, 2010

I. Executive Summary

Despite widespread interest in adopting cloud computing technologies, many organizations are “flying blind” with respect to making them secure, potentially putting their operations, intellectual property and customer information at risk.

Sponsored by Symantec, Ponemon Institute independently conducted this national study, Flying Blind in the Cloud: the State of Information Governance, to better understand how organizations are securing their information assets in a cloud computing environment.

The survey was completed by 637 U.S. IT security practitioners and focused on the following issues:

• Organizations’ use of cloud computing applications, platforms and infrastructure services.

• The importance of cloud computing in the organization’s IT and data processing objectives.

• Policies and procedures in place to protect sensitive information in the cloud, especially regulated data subject to data breach notification.

The following are the major findings of this study:

•  Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services. Seventy-one percent report their organizations use business applications such as CRM Inc., Salesforce.com and webmail. This is followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such as identity management, payments and search. The most popular infrastructure service is storage (56 percent) followed by computing (43 percent).

•  Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors. In both cases, fewer than 1 in 10 respondents say their organizations use any kind of product vetting or employee training to determine that the cloud computing resources meet all appropriate security requirements before deploying cloud applications.

•  Organizations are adopting cloud technologies without the usual vetting procedures. Despite security concerns and the expected growth in cloud computing, most organizations lack the procedures, policies and tools to ensure that sensitive data they put in the cloud remains secure. Only 27 percent of respondents say their organizations have procedures for approving cloud applications that use sensitive or confidential data. The main reason organizations permit cloud computing without vetting vendors for security risks is that they can’t control end users, 76 percent of respondents say, followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44 percent) and not considered a priority (43 percent).

•  Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors prior to deploying their products, and those people rely overwhelmingly – 65 percent – on word-of-mouth recommendations and market reputation in making their purchase decisions. The next-most common means were contractual agreements and assurances from the vendor (55 percent and 53 percent, respectively). Only 23 percent require proof of security compliance such as a SAS 70 audit report, 18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments by security experts or auditors.

•  Our survey reveals a potential explanation for this ad hoc environment: In most organizations, large gaps exist between which people are most responsible for vetting or evaluating cloud computing vendors, and which people should be most responsible. End users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall, respondents would prefer to see the latter positions take charge (35 percent for information security, 34 percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.

•  Moreover, only 20 percent of organizations reported that members of their IT security teams are regularly involved in the decision-making process for allowing the use of cloud applications or platforms. More than half say they were rarely involved and nearly 1 in 4 say they never participated at all. Not surprisingly, 49 percent say they are not confident they know about all cloud computing applications, platforms and infrastructure services their organizations currently use. These results indicate that many organizations are “flying blind” with regards to securing these technologies, potentially putting their operations, organizational and customer information at risk.

Other important findings include:

•  Two years from now, most respondents plan to use cloud computing much more intensively than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud computing to be very important or important to meeting their IT and data processing goals. The percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing requirements is projected to triple, from 24 percent to 72 percent.

•  Yet even as momentum for cloud computing builds, doubts about the security of cloud computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud computing in their organizations: increased security risk (56 percent), loss of control over end users (40 percent) and increased risks of non-compliance and data breaches (33 and 31 percent, respectively). Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential or sensitive information. The most common difficulties are controlling or restricting end-user access (80 percent) and directly inspecting cloud computing vendors for security compliance (77 percent).

•  Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud computing vendors are the most common means to protect both sensitive business and customer data (32 percent for each kind of data). A point of potential concern is that most organizations (60 percent) use conventional security tools to protect information in the cloud, even though some of those tools – data loss prevention (DLP) and some encryption technologies come to mind – sometimes don’t work in cloud environments. This indicates that many respondents don’t understand the specific security risks and remedies cloud computing environments present.


II. Key Findings

Following are the most salient findings of this survey research. Please note that most of the results are displayed in Figure format. The actual data utilized in each figure and referenced in the paper are also in the percentage frequency tables attached as the Appendix to this paper.

§1. Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services. Seventy-one percent report their organizations use business applications such as CRM Inc., Salesforce.com and Web mail. This is followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such as identity management, payments and search. The most popular infrastructure service is storage (56 percent) followed by computing (43 percent). Accordingly, see Bar Charts 1a and 1b.

Bar Chart 1a: Most popular cloud computing applications

Bar Chart 1b: Most popular cloud computing platform or infrastructure services

Respondents’ primary reasons for using cloud computing resources help explain these results. The overwhelmingly most popular reason is reducing costs (71 percent), followed by increasing efficiency (49 percent) and faster deployment time (43 percent). The least popular reasons are improving security (11 percent), increasing flexibility and choice (10 percent), improving customer service (9 percent) and complying with contractual agreements or policies (6 percent).


Bar Chart 2: Primary reasons for choosing cloud computing resources

Analysis of these statistics reveals several interesting points. Respondents are concerned about security and don’t use the cloud for mission-critical applications and information, while simultaneously viewing the benefits of cloud computing as so compelling that they’re willing to accept the risks. For the cloud model to grow, cloud vendors must assure customers that operating in the cloud is secure.

Another possible reason could be that individual business units can deploy cloud computing applications without coordinating with IT staff or buying and configuring their own equipment. Each of those three steps – coordinating with IT, buying equipment and configuring it – can slow deployment of cloud computing technologies and thus cause a perceived competitive disadvantage.

§2. Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors. In both cases, the most popular action (32 percent) is legal or indemnification agreements with cloud computing vendors. Fewer than 1 in 10 respondents say their organizations use any kind of product vetting or employee training to determine that cloud computing resources meet all appropriate security requirements before deploying cloud resources. See Bar Chart 3.

Bar Chart 3: Steps taken to protect sensitive or confidential information

These results suggest that organizations are relying mostly on bureaucratic and passive means to educate employees about cloud computing security policies, as the most popular responses don’t require active end-user participation. Only 16 percent offer any kind of employee training, while 43 percent just incorporate cloud computing security policies in their overall enterprise security policies and 23 percent offer internal awareness programs that include emails to employees. Only 29 percent of respondents have policies that restrict or limit the use of certain cloud computing applications. This data suggests huge defects in how organizations communicate internally about securely using cloud computing.

Pie Chart 1: Does your organization have a policy that restricts the use of certain cloud applications?

Table 1: If yes, how is this policy communicated to end-users in the company?

It is part of the enterprise security policy 43%
Internal awareness including email to employees 23%
Don’t know 18%
Informal process 11%
Formal in-house training 5%

 

The survey results also suggest that organizations’ training programs may not sufficiently prepare employees to protect sensitive or confidential information in the cloud. The largest number of respondents (42 percent) offer general data security training without specifically discussing cloud applications, followed by general data security training that does discuss cloud applications (19 percent). Only 5 percent – 1 in 20 – of organizations offer specialized training for each cloud application.

Bar Chart 4: Methods for training employees about safeguarding sensitive or confidential information when using cloud applications and resources

§3. Organizations are adopting cloud technologies without the usual vetting procedures. Despite security concerns and the expected growth in cloud computing, most organizations lack the procedures, policies and tools to ensure that sensitive information they put in the cloud remains secure. Fifty-three percent of respondents say their organizations do not have vetting procedures for approving cloud applications that use sensitive or confidential data. The main reason organizations permit cloud computing without vetting vendors for security risk is that they can’t control end users (76 percent of respondents), followed by not enough resources to conduct an evaluation (50 percent), no one being in charge (44 percent) and vetting not being considered a priority (43 percent).

Pie Chart 2: Are cloud computing services evaluated for security prior to deployment or engagement?

Table 2: If no, why does your organization permit cloud computing resources without vetting or evaluation for security?

Not able to control end-users 76%
Not enough resources to conduct evaluation 50%
No one is in charge 44%
Not considered a priority 43%
Don’t know 18%

When correlated with Key Finding 1, these results show why cloud computing applications – readily available to end users through the Internet – are much more popular than cloud computing platforms and infrastructure services, which require more coordination with organizations’ IT staffs. Some of the very qualities that make cloud computing attractive – ease of use, end-user accessibility through the Internet, potential cost savings and productivity improvements – can make it difficult to engage the IT staff necessary to keep sensitive and confidential information secure. So much of what IT security does is driven by engagement with IT staff, but unfortunately in the case of cloud computing, both IT security and management staff are often out of the loop.

§4. Employees are making decisions without their IT departments’ insights or full knowledge of the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors prior to deploying their products, and those people rely overwhelmingly – 65 percent – on word-of-mouth recommendations and market reputation in making their purchase decisions. The next-most common means are contractual agreements and assurances from the vendor (55 percent and 53 percent, respectively). Only 23 percent require proof of security compliance such as a SAS 70 audit report, 18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments by experts or auditors.

Bar Chart 5: How does your organization go about vetting cloud vendors?


§5. Our survey reveals a potential explanation for this ad hoc environment: In most organizations, large gaps exist between which people are most responsible for vetting or evaluating cloud computing vendors, and which people respondents thought should be most responsible. End users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall, respondents would prefer to see the latter positions take charge (35 percent for information security, 34 percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.

Bar Chart 6: Who is (and who should be) most responsible for vetting and evaluating cloud vendors?

Despite a wider appreciation for the need for IT security, Findings 3, 4 and 5 (described above) show that security is not a primary job responsibility or concern for many people making cloud computing decisions. These employees often don’t have a sophisticated-enough understanding of IT security risks and remedies, especially regarding new technologies such as cloud computing that emphasize key business imperatives such as ease of use and cost savings. This can contribute to a mindset that puts immediate business needs and technological benefits ahead of ensuring information is sufficiently secure.

As we have mentioned, the use of cloud computing is relatively new and growing quickly. Consequently, organizations may have been caught off guard because they haven’t updated their security procedures and policies to include cloud computing and its requirements. In addition, lines of business may be circumventing IT in their efforts to realize the benefits of cloud as soon as they can. These factors present a real challenge for IT.

The use of cloud computing in business environments raises an important point about how to secure information in the cloud. As people adopt more dispersed systems, data becomes more fluid and protecting access to that data is critical. In this environment, the cloud is driving the trend that IT governance requires a combination of both business and IT management and leadership.

§6. Moreover, only 20 percent of organizations reported that members of their IT security teams are regularly involved in the decision-making process for allowing the use of cloud applications or platforms. More than half say they are rarely involved and nearly 1 in 4 say they never participate. Not surprisingly, 49 percent say they are not confident they know about all cloud computing applications, platforms and infrastructure services their organizations currently use. These results indicate that many organizations are “flying blind” with regards to securing these technologies, potentially putting their business operations, intellectual property and customer information at risk.


Pie Chart 3: How confident are you that your IT organization knows all cloud computing resources used within your company today?

Table 3: How involved are members of your security team in the decision-making process for allowing the use of cloud applications or platforms?

Rarely 56%
Never 24%
Some of the time 12%
Most of the time 5%
Always 3%

§7. Two years from now, most respondents plan to use cloud computing much more intensively than they do today. Eighty percent of respondents – up from 50 percent today – expect cloud computing to be very important or important to meeting their IT and data processing goals. The percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing requirements is projected to triple, from 24 percent to 72 percent.

Bar Chart 7: How important is the use of cloud computing for meeting IT objectives

§8. Yet even as momentum for cloud computing builds, doubts about the security of cloud computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud computing in their organizations: increased security risk (56 percent), loss of control over end users (40 percent) and increased risks of non-compliance and data breaches (33 and 31 percent, respectively).


Pie Chart 3: In your opinion, are there any disadvantages to using cloud computing resources within your organization?

Table 3: If yes, what are the main disadvantages?

Increased security risk 56%
Loss of control over end-users 40%
Increased risk of non-compliance 33%
Increased data privacy risk 31%
Increased risk of business process conflicts or snafus 19%
Increased complexity in meeting IT requirements 16%

Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential or sensitive information. The most common difficulties are in controlling or restricting end-user access (80 percent) and directly inspecting cloud computing vendors for security compliance (77 percent).

Pie Chart: Does cloud computing make it more difficult to protect confidential or sensitive information within your organization?

Table: If yes, what are the main difficulties?

It is more difficult to control or restrict end-user access 80%
It is more difficult to inspect cloud computing vendor for security compliance directly 77%
It is more difficult to apply conventional information security in the cloud computing environment 31%
Don’t know 10%

Taken together, these statistics indicate that not many cloud service providers are offering compliance-ready infrastructure. Vendors that facilitate security and regulatory compliance through their services and solutions, therefore, differentiate themselves in a competitive market.

So what is considered too dangerous or risky to store in the public cloud ecosystem? According to respondents, the top three categories of confidential information considered too risky to be stored in the cloud are: financial business information (69 percent), health information (65 percent) and credit card information (53 percent).


Bar Chart 8: Types of sensitive or confidential information considered too risky for public clouds

§9. Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud computing vendors were the most common means to protect both sensitive business and customer data (32 percent for each kind of data; see Bar Chart 3). A point of potential concern is that most organizations (60 percent) use conventional security tools to protect information in the cloud, even though some of those tools don’t work in cloud environments. These results suggest that many respondents don’t understand the specific security risks and remedies cloud computing environments present.

Bar Chart 10: Types of sensitive or confidential information considered too risky for public clouds

Cloud providers and their customers must be in sync about security, but that level of maturity by and large hasn’t developed yet. Such syncing is particularly challenging because most organizations don’t have IT professionals involved in assessing cloud-related risks.

Business managers and end-users put business considerations first and are often in a hurry to take advantage of cloud computing trends. As a result, they trust too much in standard business practices and not in evaluations based on IT security best practices. While legal protections are of course necessary, they don’t always effectively address issues specific to IT security, which can leave organizations at risk.


III. Implications for Public Sector & Financial Services Organizations

This study underscores pervasive concerns many public sector organizations have about keeping data—especially personal and/or sensitive data—under control and secure in cloud computing environments. Implications for the public sector include the following:

• The primary reasons organizations use cloud computing tie directly into public sector priorities. These are reducing taxpayer costs and delivering better services faster to constituencies. Increased focus on security is crucial for cloud vendors to persuade public sector organizations that cloud computing can help accomplish those organizations’ missions (Key Finding 1).

• Developing the effective combination of business and IT management and leadership that cloud computing demands is especially important for public sector organizations given the specific business, security and regulatory challenges the public sector faces compared to other industry sectors (Key Finding 5).

• Public sector organizations are especially interested in cloud vendors offering compliance-ready infrastructure because that infrastructure can help them meet security and regulatory requirements more quickly and effectively. This can lead to faster and better mission success and help avoid costly data breaches (Key Finding 8).

Financial services organizations face similar issues:

• Developing the effective combination of business and IT management and leadership that cloud computing demands is especially important for financial services organizations given the specific business, security and regulatory challenges they face compared to other industry sectors (Key Finding 5).

• Financial services organizations are especially interested in cloud vendors offering compliance-ready infrastructure because that infrastructure can help them meet security and regulatory requirements more quickly and effectively. This can lead to faster and better service delivery, improved performance and avoidance of costly data breaches (Key Finding 8).

• Financial services organizations that rely on legal or indemnification agreements for protection need to ensure those agreements contain sufficient data security and access provisions to meet regulatory requirements (Key Finding 9).


IV. Methods

A sampling frame of nearly 14,000 adult-aged individuals who reside within the United States was used to recruit and select participants to this survey. Our randomly selected sampling frame was built from several proprietary lists of experienced IT and IT security practitioners.

Table 4: Sample response statistics (Freq. / Pct%)

Sampling frame 13,956 / 100.0%
Total invitations 12,531 / 89.8%
Bounce back 1,650 / 11.8%
Returns 918 / 6.6%
Rejections 109 / 0.8%
Final sample 809 / 5.8%
After screen 1 755 / 5.4%
After screen 2 637 / 4.6%

In total, 918 respondents completed the survey. Of the returned instruments, 109 surveys failed reliability checks. A total of 809 surveys were used as our final sample, which represents a 5.8 percent response rate.

Two screening questions were used to ensure respondents had relevant knowledge and experience, resulting in a reduced sample size of 637 individuals. Ninety percent of respondents completed all survey items within 15 minutes.¹ The average overall experience level of respondents is 12.01 years, and the average years of experience in their present job is 4.5 years.

Pie Chart 4 reports the primary industry sector of respondents’ organizations. As shown, the largest segments include financial services, government, industrial companies, pharmaceuticals and healthcare (combined), and services.

Pie Chart 4: Industry distribution of respondents’ organizations

¹ Please note that nominal compensation was provided to respondents who successfully completed the survey instrument.


Table 5 reports the respondent organization’s global headcount. As shown, a large majority of respondents (85 percent) work within companies with more than 1,000 employees, and 38 percent are located in larger-sized companies with more than 10,000 employees.

Table 5: The worldwide headcount of respondents’ organizations Pct%

Less than 500 people 4%

500 to 1,000 people 11%

1,001 to 5,000 people 21%

5,001 to 10,000 people 26%

10,001 to 25,000 people 25%

25,001 to 75,000 people 8%

More than 75,000 people 5%

Total 100%

Table 6 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents are located in the organization’s IT department (led by the company’s CIO). Eighteen percent report to the company’s chief information security officer (CISO).

Table 6: Respondent’s primary reporting channel Pct%

CEO/Executive Committee 1%

Chief Financial Officer 4%

Chief Information Officer 52%

Chief Information Security Officer 18%

Compliance Officer 5%

Chief Privacy Officer 0%

Director of Internal Audit 1%

General Counsel 0%

Chief Technology Officer 7%

Human Resources Leader 0%

Chief Security Officer 4%

Chief Risk Officer 6%

Other 3%

Total 100%

Table 7 reports where in the United States respondents are located. As can be seen, respondents are distributed across all major U.S. regions, with the Northeast (20 percent) and the Pacific region (19 percent) the largest segments.

Table 7: Location of the respondent Pct%

Northeast 20%

Mid-Atlantic 18%

Midwest 18%

Southeast 13%

Southwest 12%

Pacific 19%

Total 100%


V. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing

inferences from findings. The following items are specific limitations that are germane to most web-based

surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses.

Despite non-response tests, it is always possible that individuals who did not participate are

substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is

representative of individuals who are IT or IT security practitioners. We also acknowledge that the

results may be biased by external events such as media coverage. We also acknowledge bias

caused by compensating subjects to complete this research within a holdout period. Finally, because

we used a web-based collection method, it is possible that non-web responses by mailed survey or 

telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential

responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


VI: Recommendations

We recommend that organizations immediately assess what specific, proactive steps they should take to

protect sensitive information stored in the cloud. Other recommendations to implement immediately

include the following:

• Organizations should ensure that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud. The policy should outline what information is considered

sensitive and proprietary.

• Organizations should vet and evaluate the security posture of third parties before sharing confidential

or sensitive information. As part of the process, corporate IT and/or IT security experts should

conduct a thorough review and audit of the vendor’s security qualifications.

• Prior to deploying cloud technology, organizations should formally train employees how to mitigate

the security risks specific to the new technology to make sure sensitive and confidential information is

not threatened.

• Organizations should establish an organizational structure that allows the CIO, CISO or other 

security/privacy leaders to participate actively in the vetting, purchasing and implementing processes to ensure they are handled appropriately.

• Larger organizations should establish a function dedicated to information governance oversight.

• Organizations should expand their governance activities beyond traditional IT areas to better protect

their business.

• Organizations should define policy around information and applications they are willing to put in the

cloud.

• Cloud computing vendors should provide more transparency into their security infrastructure to help

ensure customer confidence that information stored in the cloud is secure.

These recommendations should be incorporated into all procedures involving employees using cloud

computing resources. Doing so will address numerous significant risks facing organizations as cloud

computing technologies become more pervasive.

If you have questions or comments about this research report or you would like to obtain additional copies of the document (including permission to quote from or reuse this report), please contact us by letter, phone call or e-mail:

Ponemon Institute LLC

Attn: Research Department

2308 US 31 North

Traverse City, Michigan 49686 USA

1.800.887.3118

[email protected] 


Detailed Survey Results 

Audited results presented by Dr. Larry Ponemon, completed March 2009

The following tables provide the frequency and percentage frequency of responses to all survey questions. This web-

based survey was conducted by Ponemon Institute with subject debriefing completed on March 2, 2010. The final

sample size involves 809 respondents (637 after screening).

Sample response statistics Freq. Pct%

Sampling frame 13956 100.0%

Total invitations 12531 89.8%

Bounce back 1650 11.8%

Returns 918 6.6%

Rejections 109 0.8%

Final sample 809 5.8%

I. Screening

Q1. Does your organization use cloud computing resources? Freq. Remainder

Yes 755 755

No (stop) 54 0

Total 809 755

Q2. What percent of your organization’s total use of cloud computing

resources involves public versus private clouds? Freq. Remainder

All or mostly public cloud 501 501

About equal public and private cloud 136 136

All or mostly private cloud (stop) 118 0

Total 755 637

II. Attributions about information governance. Please use the

scale provided below each statement to express your opinions about information governance within your organization. Strongly agree Agree

Q3a. My organization is committed to protecting confidential or sensitive information. 19% 32%

Q3b. My organization has established clearly defined accountability for safeguarding of confidential or sensitive information. 16% 26%

Q3c. My organization educates employees to understand their responsibilities in safeguarding sensitive or confidential information. 16% 24%

Q3d. My organization is careful about sharing confidential or sensitive information with third parties such as business partners, contractors,

and vendors. 16% 32%

Q3e. My organization respects the privacy rights of customers, consumers and employees. 12% 27%

Q3f. My organization is proactive in managing compliance with

privacy and data protection requirements around the globe. 8% 23%


III. Background on cloud computing

Q4. What cloud computing applications does your organization presently use? Please select all that apply. Total%

We don’t use cloud computing applications 14%

Peer-to-peer (such as Skype) 58%

Social media applications (such as Facebook, YouTube, Twitter, etc.) 50%

Business applications (such as CRM inc, SalesForce.com, webmail, HR, GoogleDocs, etc.) 79%

Infrastructure applications (online backup, security, archiving, etc.) 23%

Other 5%

Total 229%

Q5. What cloud computing platforms does your organization

presently use? Please select all that apply. Total%

We don’t use cloud computing platforms 39%

Services (such as identity management, payments, search and others) 45%

Solution stacks (such as Java, PHP, Python, ColdFusion and others) 46%

Other 11%

Total 141%

Q6. What cloud computing infrastructure services does your organization presently use? Please select all that apply. Total%

We don’t use infrastructure services 38%

Computing 43%

Network 14%

Storage 56%

Other 10%

Total 161%

Q7. Approximately, what percent of your organization’s total IT and data processing requirements are met by using cloud computing resources today? Pct%

Extrapolated Percent

Less than 5% 15% 1%

Between 5 to 10% 12% 1%

Between 11 to 20% 29% 4%

Between 21 to 30% 9% 2%

Between 31 to 40% 6% 2%

Between 40 to 50% 5% 2%

Between 51 to 60% 3% 2%

Between 61 to 70% 1% 1%

Between 71 to 80% 0% 0%

Between 81 to 90% 0% 0%

More than 90% 3% 3%

Don’t know 17% 0%

Total 100% 18%


Q8. In your opinion (best guess), what percent of your organization’s total IT and data processing requirements will be met by using cloud computing resources two years from today? Pct%

Extrapolated Percent

Less than 5% 4% 0%

Between 5 to 10% 3% 0%

Between 11 to 20% 6% 1%

Between 21 to 30% 11% 3%

Between 31 to 40% 17% 6%

Between 40 to 50% 13% 6%

Between 51 to 60% 12% 7%

Between 61 to 70% 11% 7%

Between 71 to 80% 8% 6%

Between 81 to 90% 0% 0%

More than 90% 5% 5%

Don’t know 10% 0%

Total 100% 40%

Q9. How important is the use of cloud computing applications or platform solutions for meeting your organization’s IT and data processing objectives? Today Next two years

Very important 18% 34%

Important 32% 46%

Not important 31% 18%

Irrelevant 19% 2%

Total 100% 100%

Q10. What are the primary reasons why cloud computing resources are used within your organization? Please select only two choices. Total%

Reduce cost 71%

Increase efficiency 49%

Improve security 11%

Faster deployment time 43%

Increase flexibility and choice 10%

Improve customer service 9%

Comply with contractual agreements or policies 6%

Other 0%

Total 199%

Q11. How confident are you that your IT organization knows all cloud

computing applications, platform or infrastructure services in use today? Pct%

Very confident 19%

Confident 32%

Not confident 49%

Total 100%


Q12a. Are cloud computing services evaluated for security prior to engagement or deployment by your end-users in your organization? Pct%

Yes 30%

No 53%

Don’t know 17%

Total 100%

Q12b. If yes, who is responsible for vetting or evaluating cloud computing vendors in your organization?

Who is most responsible

Who should be most responsible

End-users 45% 9%

Business unit managers 23% 11%

Corporate IT 11% 34%

Compliance 3% 6%

Legal 1% 0%

Procurement 3% 2%

Internal audit 1% 0%

Information security 9% 35%

Physical security 0% 0%

Other 2% 0%

No one person (shared responsibility) 2% 3%

Total 100% 100%

Q12c. If yes, how does your organization go about vetting or evaluating cloud computing vendors? Please select all that apply. Total%

Word-of-mouth (market reputation) 65%

Contractual negotiation and legal review 26%

Proof of security compliance (such as SAS 70) 23%

Self-assessment checklist or questionnaire completed by vendor 25%

Assessment by in-house security team 18%

Third-party assessment by security expert or auditor 6%

Other 6%

Total 169%

Q12d. If no, why does your organization permit cloud computing resources to be deployed without vetting or evaluation for security risks? Please select all that apply. Total%

No one is in charge 44%

Not considered a priority 43%

Not enough resources to conduct evaluation 50%

Not able to control end-users 76%

Other 5%

Don’t know 18%

Total 236%


Q13a. In your opinion, are there any disadvantages to using cloud computing resources within your organization? Pct%

Yes 51%

No 26%

Don’t know 23%

Total 100%

Q13b. If yes, what are the main disadvantages? Please select only two choices. Total%

Increased security risk 56%

Increased data privacy risk 31%

Loss of control over end-users 40%

Increased risk of non-compliance 33%

Increased complexity in meeting IT requirements 16%

Increased risk of business process conflicts or snafus 19%

Other 0%

Total 195%

IV. Information governance in the cloud

Q14. How does your organization go about protecting confidential or 

sensitive information in the cloud? Please select only two choices. Total%

We rely on assurances from the cloud computing vendor 53%

We rely on contractual agreements with the cloud computing vendor 55%

We buy additional security services provided by the cloud computing vendor 11%

We use conventional security tools to protect information in the cloud 60%

Don’t know 16%

Other 2%

Total 197%

Q15a. Does cloud computing make it more difficult to protect confidential or sensitive information? Pct%

Yes 66%

No 23%

Don’t know 11%

Total 100%

Q15b. If yes, why does it make it more difficult to protect confidential or sensitive information in the cloud? Please select only two choices. Total%

It is more difficult to inspect cloud computing vendor for security

compliance directly 77%

It is more difficult to apply conventional information security in the cloud computing environment 31%

It is more difficult to control or restrict end-user access 80%

Don’t know 10%

Other 0%

Total 198%


Q15c. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud? Please select all that apply. Total%

Consumer data 12%

Customer information 20%

Credit card information 53%

Employee records 38%

Health information 65%

Non-financial confidential business information 19%

Financial business information 69%

Intellectual property such as source code, design plans, architectural renderings 22%

Research data 29%

Other 9%

Total 336%

Q16. How does your organization determine that all appropriate security requirements are met before deploying cloud computing

resources? Pct%

Self-assessment completed by the vendor 8%

Vetting and evaluation by in-house security team 5%

Vetting and evaluation by outside security expert or auditor 2%

Legal or indemnification agreement with cloud computing vendor 21%

Training of end-users before deploying cloud applications 6%

Other 3%

None of the above 55%

Total 100%

Q17. How does your organization educate employees about safeguarding sensitive or confidential information when using cloud applications? Pct%

Specialized training for each cloud application 5%

General data security training includes discussion of cloud applications 19%

General data security training without specific discussion about cloud applications 42%

Informal awareness effort 24%

Other 0%

None of the above 10%

Total 100%

Q18a. Does your organization have a policy that restricts or limits the use of certain cloud computing applications? Pct%

Yes 29%

No 49%

Don’t know 22%

Total 100%


Q18b. If yes, how is this policy communicated to end-users? Pct%

Internal awareness including email to employees 23%

It is part of the enterprise security policy 43%

Formal in-house training 5%

Informal process 11%

Don’t know 18%

Other 0%

Total 100%

Q19. In your opinion, how does the use of cloud computing applications affect the individual employee’s responsibility to safeguard sensitive or confidential information stored in the cloud? Pct%

Cloud computing increases employee (end-user) responsibility. 62%

Cloud computing decreases employee (end-user) responsibility. 4%

Cloud computing does not affect employee (end-user) responsibility. 34%

Total 100%

Q20. How does your organization ensure safe sharing of confidential or sensitive information with cloud computing vendors? Pct%

Informal self-assessment to review security requirements 8%

Vetting and evaluation by in-house security team 6%

Vetting and evaluation by outside expert or auditor 2%

Legal or indemnification agreement with cloud computing vendor 32%

Training of end-users before deploying cloud applications 6%

Other 3%

None of the above 43%

Total 100%

Q21. How does your organization go about ensuring the privacy

rights of customers, consumers and employees when this personal information is stored in the cloud? Pct%

Informal self-assessment to review privacy requirements 8%

Vetting and evaluation by in-house privacy compliance expert 5%

Vetting and evaluation by outside privacy expert or auditor 0%

Legal or indemnification agreement with cloud computing vendor 32%

Training of end-users before deploying cloud applications 6%

Other 5%

None of the above 44%

Total 100%

Q22. What privacy and data protection regulatory requirements are

most difficult to meet in the cloud computing environment? Please select no more than three choices. Total%

Various US state data breach laws 48%

Health Insurance Portability and Accountability Act (HIPAA) 45%

EU Data Protection Directive 43%

Sarbanes-Oxley 40%

Safe Harbor (US and EU agreement) 39%

Various country-specific privacy laws 35%


Gramm-Leach-Bliley 12%

Various FTC requirements including the Red Flags Rule 10%

Fair and Accurate Credit Transaction Act (FACTA) 9%

Fair Credit Reporting Act (FCRA) 7%

US Federal Privacy Act 5%

Children’s Online Privacy Protection Act (COPPA) 2%

Total 295%

Q23. Does the organization have procedures on how to decide if cloud applications using sensitive or confidential information should be allowed? Pct%

Yes 27%

No 51%

Don’t know 22%

Total 100%

Q24. Are members of your security team involved in the decision-making process about allowing the use of certain cloud applications or platforms? Pct%

Always 3%

Most of the time 5%

Some of the time 12%

Rarely 56%

Never 24%

Total 100%

V. Attributions about cloud computing. Please use the scale provided below each statement to express your opinions about information governance within your organization. Strongly agree Agree

Q25a. My organization assesses the effect cloud computing applications may have on the classification of data according to risk. 9% 12%

Q25b. My organization determines what data is too sensitive for cloud computing applications. 8% 16%

Q25c. My organization is vigilant in conducting audits or assessments of data used by cloud computing applications. 6% 9%

Q25d. My organization is proactive in assessing the types of data to be allowed in the cloud. 6% 17%

Q25e. My organization’s IT infrastructure has the ability to ensure substantial security of information in the cloud. 11% 12%

VI. Organization characteristics and respondent demographics

D1. Your current title is (approximate only) Pct%

Director IT security 20%

Manager, network security 18%

Chief information security officer (CISO or approximate) 15%

IT compliance & security 14%

Quality assurance 12%

All others 22%

Total 100%


D2. What organizational level best describes your current position? Pct%

Senior Executive 0%

Vice President 2%

Director 20%

Manager 26%

Supervisor 15%

Staff or technician 34%

Other 3%

Total 100%

D3. Check the primary person you or your supervisor reports to within your organization. Pct%

CEO/Executive Committee 1%

Chief Financial Officer 4%

Chief Information Officer 52%

Chief Information Security Officer 18%

Compliance Officer 5%

Chief Privacy Officer 0%

Director of Internal Audit 1%

General Counsel 0%

Chief Technology Officer 7%

Human Resources Leader 0%

Chief Security Officer 4%

Chief Risk Officer 6%

Other 3%

Total 100%

D4. Location Pct%

Northeast 20%

Mid-Atlantic 18%

Midwest 18%

Southeast 13%

Southwest 12%

Pacific 19%

Total 100%

D5. Experience Mean Median

D5a. Total years in business 10.1 10.5

D5b. Total years in IT security 9.9 10.0

D5c. Total years in current position 4.8 5.3


D6. Educational and career background: Pct%

Compliance (auditing, accountant, legal) 9%

IT (systems, software, computer science) 42%

Security (law enforcement, military, intelligence) 29%

Other non-technical field 13%

Other technical field 7%

Total 100%

D7. What industry best describes your organization’s industry concentration or focus? Pct%

Airlines 1%

Automotive 1%

Agriculture 0%

Brokerage 2%

Cable 1%

Chemicals 1%

Credit Cards 2%

Defense 2%

Education 3%

Entertainment & Media 3%

Services 4%

Health Care 6%

Hospitality & Leisure 5%

Manufacturing 7%

Insurance 3%

Internet & ISPs 2%

Government 11%

Pharmaceutical 5%

Professional Services 4%

Research 2%

Retail 7%

Banking 11%

Energy 3%

Telecommunications 3%

Technology & Software 6%

Transportation 4%

Wireless 1%

Total 100%

D8. What best describes your role in managing data protection and security risk in your organization? Check all that apply. Pct%

Setting priorities 69%

Managing budgets 68%

Selecting vendors and contractors 63%

Determining privacy and data protection strategy 58%

Evaluating program performance 60%


D9. What is the worldwide headcount of your organization? Pct%

Less than 500 people 4%

500 to 1,000 people 11%

1,001 to 5,000 people 21%

5,001 to 10,000 people 26%

10,001 to 25,000 people 25%

25,001 to 75,000 people 8%

More than 75,000 people 5%

Total 100%

Ponemon Institute

Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible

information and privacy management practices within business and government. Our mission is to

conduct high quality, empirical studies on critical issues affecting the management and security of 

sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data

confidentiality, privacy and ethical research standards. We do not collect any personally identifiable

information from individuals (or organization identifiable information in our business research).

Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant

or improper questions.