Flying Blind in the Cloud

Flying Blind in the Cloud: The State of Information Governance
Ponemon Institute Research Report
Independently conducted by Ponemon Institute LLC
Publication Date: April 7, 2010

Flying Blind in the Cloud: The State of Information Governance
Prepared by Ponemon Institute, April 2010

I. Executive Summary

Despite widespread interest in adopting cloud computing technologies, many organizations are flying blind with respect to making them secure, potentially putting their operations, intellectual property and customer information at risk. Ponemon Institute independently conducted this national study, Flying Blind in the Cloud: The State of Information Governance, to better understand how organizations are securing their information assets in a cloud computing environment. The survey was completed by 637 U.S. IT security practitioners and focused on the following issues:

- Organizations' use of cloud computing applications, platforms and infrastructure services.
- The importance of cloud computing in the organization's IT and data processing objectives.
- Policies and procedures in place to protect sensitive information in the cloud, especially regulated data subject to data breach notification.

The following are the major findings of this study:

Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services. Seventy-one percent report their organizations use business applications such as CRM Inc., Salesforce.com and webmail. This is followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such as identity management, payments and search. The most popular infrastructure service is storage (56 percent), followed by computing (43 percent).

Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors. In both cases, fewer than 1 in 10 respondents say their organizations use any kind of product vetting or employee training to determine that the cloud computing resources meet all appropriate security requirements before deploying cloud applications.

Organizations are adopting cloud technologies without the usual vetting procedures. Despite security concerns and the expected growth in cloud computing, most organizations lack the procedures, policies and tools to ensure that sensitive data they put in the cloud remains secure. Only 27 percent of respondents say their organizations have procedures for approving cloud applications that use sensitive or confidential data. The main reason organizations permit cloud computing without vetting vendors for security risks is that they can't control end users (76 percent of respondents), followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44 percent) and not considered a priority (43 percent).

Employees are making decisions without their IT departments' insights or full knowledge of the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors prior to deploying their products, and those people rely overwhelmingly (65 percent) on word-of-mouth recommendations and market reputation in making their purchase decisions. The next most common means were contractual agreements and assurances from the vendor (55 percent and 53 percent, respectively). Only 23 percent require proof of security compliance such as SAS 70, 18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments by security experts or auditors.

Our survey reveals a potential explanation for this ad hoc environment: in most organizations, large gaps exist between which people are most responsible for vetting or evaluating cloud computing vendors and which people should be most responsible. End users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall, respondents would prefer to see the latter positions take charge (35 percent for information security, 34 percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.

Moreover, only 20 percent of organizations reported that members of their IT security teams are regularly involved in the decision-making process for allowing the use of cloud applications or platforms. More than half say they were rarely involved and nearly 1 in 4 say they never participated at all. Not surprisingly, 49 percent say they are not confident they know about all cloud computing applications, platforms and infrastructure services their organizations currently use. These results indicate that many organizations are flying blind with regard to securing these technologies, potentially putting their operations, organizational and customer information at risk.

Other important findings include:

Two years from now, most respondents plan to use cloud computing much more intensively than they do today. Eighty percent of respondents (up from 50 percent today) expect cloud computing to be very important or important to meeting their IT and data processing goals. The percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing requirements is projected to triple, from 24 percent to 72 percent.

Yet even as momentum for cloud computing builds, doubts about the security of cloud computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud computing in their organizations: increased security risk (56 percent), loss of control over end users (40 percent) and increased risks of non-compliance and data breaches (33 and 31 percent, respectively). Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential or sensitive information. The most common difficulties are controlling or restricting end-user access (80 percent) and directly inspecting cloud computing vendors for security compliance (77 percent).

Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud computing vendors are the most common means to protect both sensitive business and customer data (32 percent for each kind of data). A point of potential concern is that most organizations (60 percent) use conventional security tools to protect information in the cloud, even though some of those tools (data loss prevention (DLP) and some encryption technologies come to mind) sometimes don't work in cloud environments. This indicates that many respondents don't understand the specific security risks and remedies that cloud computing environments present.

II. Key Findings

Following are the most salient findings of this survey research. Please note that most of the results are displayed in figure format. The actual data used in each figure and referenced in the paper are also in the percentage frequency tables attached as the Appendix to this paper.

1. Business applications, solution stacks and storage are the most popular cloud computing applications, platforms and infrastructure services. Seventy-one percent report their organizations use business applications such as CRM Inc., Salesforce.com and Web mail. This is followed by peer-to-peer applications (58 percent) and social media applications (50 percent). Forty-six percent use computing platforms such as solution stacks (Java, PHP and Python) and 45 percent use services such as identity management, payments and search. The most popular infrastructure service is storage (56 percent), followed by computing (43 percent). See Bar Charts 1a and 1b.

Bar Chart 1a: Most popular cloud computing applications

Bar Chart 1b: Most popular cloud computing platform or infrastructure services

Respondents' primary reasons for using cloud computing resources help explain these results. The overwhelmingly most popular reason is reducing costs (71 percent), followed by increasing efficiency (49 percent) and faster deployment time (43 percent). The least popular reasons are improving security (11 percent), increasing flexibility and choice (10 percent), improving customer service (9 percent) and complying with contractual agreements or policies (6 percent).

Bar Chart 2: Primary reasons for choosing cloud computing resources

Analysis of these statistics reveals several interesting points. Respondents are concerned about security and don't use the cloud for mission-critical applications and information, while simultaneously viewing the benefits of cloud computing as so compelling that they're willing to accept the risks. For the cloud model to grow, cloud vendors must assure customers that operating in the cloud is secure. Another possible reason could be that individual business units can deploy cloud computing applications without coordinating with IT staff or buying and configuring their own equipment. All three factors can slow deployment of cloud computing technologies and thus cause a perceived competitive disadvantage.

2. Few organizations take proactive steps to protect both their own sensitive business information and that of their customers, consumers and employees when they store that information with cloud computing vendors. In both cases, the most popular action (32 percent) is legal or indemnification agreements with cloud computing vendors. Fewer than 1 in 10 respondents say their organizations use any kind of product vetting or employee training to determine that cloud computing resources meet all appropriate security requirements before deploying cloud resources. See Bar Chart 3.

Bar Chart 3: Steps taken to protect sensitive or confidential information

These results suggest that organizations are relying mostly on bureaucratic and passive means to educate employees about cloud computing security policies, as the most popular responses don't require active end-user participation. Only 16 percent offer any kind of employee training, while 43 percent just incorporate cloud computing security policies in their overall enterprise security policies and 23 percent offer internal awareness programs that include e-mails to employees. Only 29 percent of respondents have policies that restrict or limit the use of certain cloud computing applications. This data suggests huge defects in how organizations communicate internally about securely using cloud computing.

Pie Chart 1: Does your organization have a policy that restricts the use of certain cloud applications?

Table 1: If yes, how is this policy communicated to end-users in the company?
It is part of the enterprise security policy 43%
Internal awareness including e-mails to employees 23%
Don't know 18%
Informal process 11%
Formal in-house training 5%

The survey results also suggest that organizations' training programs may not sufficiently prepare employees to protect sensitive or confidential information in the cloud. The largest number of respondents (42 percent) offer general data security training without specifically discussing cloud applications, followed by general data security training that does discuss cloud applications (19 percent). Only 5 percent (1 in 20) of organizations offer specialized training for each cloud application.

Bar Chart 4: Methods for training employees about safeguarding sensitive or confidential information when using cloud applications and resources

3. Organizations are adopting cloud technologies without the usual vetting procedures. Despite security concerns and the expected growth in cloud computing, most organizations lack the procedures, policies and tools to ensure that sensitive information they put in the cloud remains secure. Fifty-three percent of respondents say their organizations do not have vetting procedures for approving cloud applications that use sensitive or confidential data.
The main reason organizations permit cloud computing without vetting vendors for security risk is that they can't control end users (76 percent of respondents), followed by not enough resources to conduct an evaluation (50 percent), no one is in charge (44 percent) and not considered a priority (43 percent).

Pie Chart 2: Are cloud computing services evaluated for security prior to deployment or engagement?

Table 2: If no, why does your organization permit cloud computing resources without vetting or evaluation for security?
Not able to control end-users 76%
Not enough resources to conduct evaluation 50%
No one is in charge 44%
Not considered a priority 43%
Don't know 18%

When correlated with Key Finding 1, these results show why cloud computing applications readily available to end users through the Internet are much more popular than cloud computing platforms and infrastructure services, which require more coordination with organizations' IT staffs. Some of the very qualities that make cloud computing attractive (ease of use, end-user accessibility through the Internet, potential cost savings and productivity improvements) can make it difficult to engage the IT staff necessary to keep sensitive and confidential information secure. So much of what IT security does is driven by engagement with IT staff, but unfortunately in the case of cloud computing, both IT security and management staff are often out of the loop.

4. Employees are making decisions without their IT departments' insights or full knowledge of the security risks involved. Only 30 percent of respondents vet or evaluate cloud computing vendors prior to deploying their products, and those people rely overwhelmingly (65 percent) on word-of-mouth recommendations and market reputation in making their purchase decisions. The next most common means are contractual agreements and assurances from the vendor (55 percent and 53 percent, respectively). Only 23 percent require proof of security compliance such as SAS 70, 18 percent rely on in-house security assessments and just 6 percent rely on third-party assessments by experts or auditors.

Bar Chart 5: How does your organization go about vetting cloud vendors?

5. Our survey reveals a potential explanation for this ad hoc environment: in most organizations, large gaps exist between which people are most responsible for vetting or evaluating cloud computing vendors and which people respondents thought should be most responsible. End users (45 percent) and business managers (23 percent) currently carry the brunt of responsibility, while corporate IT (11 percent) and information security (9 percent) personnel are far less involved. Overall, respondents would prefer to see the latter positions take charge (35 percent for information security, 34 percent for corporate IT), so end users (9 percent) and business managers (11 percent) can focus elsewhere.

Bar Chart 6: Who is (and who should be) most responsible for vetting and evaluating cloud vendors?

Despite a wider appreciation for the need for IT security, Findings 3, 4 and 5 (described above) show that security is not a primary job responsibility or concern for many people making cloud computing decisions. These employees often don't have a sophisticated enough understanding of IT security risks and remedies, especially regarding new technologies such as cloud computing that emphasize key business imperatives such as ease of use and cost savings. This can contribute to a mindset that puts immediate business needs and technological benefits ahead of ensuring information is sufficiently secure.

As we have mentioned, the use of cloud computing is relatively new and growing quickly. Consequently, organizations may have been caught off guard because they haven't updated their security procedures and policies to include cloud computing and its requirements. In addition, lines of business may be circumventing IT in their efforts to realize the benefits of cloud as soon as they can. These factors present a real challenge for IT.

The use of cloud computing in business environments raises an important point about how to secure information in the cloud. As people adopt more dispersed systems, data becomes more fluid and protecting access to that data is critical. In this environment, the cloud is driving the trend that IT governance requires a combination of both business and IT management and leadership.

6. Moreover, only 20 percent of organizations reported that members of their IT security teams are regularly involved in the decision-making process for allowing the use of cloud applications or platforms. More than half say they are rarely involved and nearly 1 in 4 say they never participate. Not surprisingly, 49 percent say they are not confident they know about all cloud computing applications, platforms and infrastructure services their organizations currently use. These results indicate that many organizations are flying blind with regard to securing these technologies, potentially putting their business operations, intellectual property and customer information at risk.

Pie Chart 3: How confident are you that your IT organization knows all cloud computing resources used within your company today?

Table 3: How involved are members of your security team in the decision-making process for allowing the use of cloud applications or platforms?
Rarely 56%
Never 24%
Some of the time 12%
Most of the time 5%
Always 3%

7. Two years from now, most respondents plan to use cloud computing much more intensively than they do today. Eighty percent of respondents (up from 50 percent today) expect cloud computing to be very important or important to meeting their IT and data processing goals. The percentage of organizations using cloud computing to meet between 21 and 80 percent of their IT and data processing requirements is projected to triple, from 24 percent to 72 percent.

Bar Chart 7: How important is the use of cloud computing for meeting IT objectives?

8. Yet even as momentum for cloud computing builds, doubts about the security of cloud computing persist. Fifty-one percent of respondents state they saw disadvantages to using cloud computing in their organizations: increased security risk (56 percent), loss of control over end users (40 percent) and increased risks of non-compliance and data breaches (33 and 31 percent, respectively).

Pie Chart 3: In your opinion, are there any disadvantages to using cloud computing resources within your organization?

Table 3: If yes, what are the main disadvantages?
Increased security risk 56%
Loss of control over end-users 40%
Increased risk of non-compliance 33%
Increased data privacy risk 31%
Increased risk of business process conflicts or snafus 19%
Increased complexity in meeting IT requirements 16%

Two-thirds (66 percent) of respondents say cloud computing makes it more difficult to protect confidential or sensitive information. The most common difficulties are in controlling or restricting end-user access (80 percent) and directly inspecting cloud computing vendors for security compliance (77 percent).

Pie Chart 3: In your opinion, are there any disadvantages to using cloud computing resources within your organization?

Table 3: If yes, what are the main disadvantages?
It is more difficult to control or restrict end-user access 80%
It is more difficult to inspect cloud computing vendors for security compliance directly 77%
It is more difficult to apply conventional information security in the cloud computing environment 31%
Don't know 10%

Taken together, these statistics indicate that not many cloud service providers are offering compliance-ready infrastructure. Vendors that facilitate security and regulatory compliance through their services and solutions, therefore, differentiate themselves in a competitive market. So what is considered too dangerous or risky to store in the public cloud ecosystem? According to respondents, the top three categories of confidential information considered too risky to be stored in the cloud are financial business information (69 percent), health information (65 percent) and credit card information (53 percent).

Bar Chart 8: Types of sensitive or confidential information considered too risky for public clouds

9. Organizations most frequently protect themselves through traditional IT security solutions and legal or indemnification agreements with vendors. Legal or indemnification agreements with cloud computing vendors were the most common means to protect both sensitive business and customer data (32 percent for each kind of data; see Bar Chart 3). A point of potential concern is that most organizations (60 percent) use conventional security tools to protect information in the cloud, even though some of those tools don't work in cloud environments. These results suggest that many respondents don't understand the specific security risks and remedies cloud computing environments present.

Bar Chart 10: Types of sensitive or confidential information considered too risky for public clouds

Cloud providers and their customers must be in sync about security, but that level of maturity by and large hasn't developed yet. Such syncing is particularly challenging because most organizations don't have IT professionals involved in assessing cloud-related risks. Business managers and end-users put business considerations first and are often too busy to take advantage of cloud computing trends. As a result, they trust too much in standard business practices and not in evaluations based on IT security best practices. While legal protections are of course necessary, they don't always effectively address issues specific to IT security, which can leave organizations at risk.

III. Implications for Public Sector & Financial Services Organizations

This study underscores pervasive concerns many public sector organizations have about keeping data, especially personal and/or sensitive data, under control and secure in cloud computing environments. Implications for the public sector include the following:

- The primary reasons organizations use cloud computing tie directly into public sector priorities. These are reducing taxpayer costs and delivering better services faster to constituencies. Increased focus on security is crucial for cloud vendors to persuade public sector organizations that cloud computing can help accomplish those organizations' missions (Key Finding 1).
- Developing the effective combination of business and IT management and leadership that cloud computing demands is especially important for public sector organizations, given the specific business, security and regulatory challenges the public sector faces compared to other industry sectors (Key Finding 5).
- Public sector organizations are especially interested in cloud vendors offering compliance-ready infrastructure because that infrastructure can help them meet security and regulatory requirements more quickly and effectively. This can lead to faster and better mission success and help avoid costly data breaches (Key Finding 8).

Financial services organizations face similar issues:

- Developing the effective combination of business and IT management and leadership that cloud computing demands is especially important for financial services organizations, given the specific business, security and regulatory challenges they face compared to other industry sectors (Key Finding 5).
- Financial services organizations are especially interested in cloud vendors offering compliance-ready infrastructure because that infrastructure can help them meet security and regulatory requirements more quickly and effectively. This can lead to faster and better service delivery, improved performance and avoidance of costly data breaches (Key Finding 8).
- Financial services organizations that rely on legal or indemnification agreements for protection need to ensure those agreements contain sufficient data security and access provisions to meet regulatory requirements (Key Finding 9).

IV. Methods

A sampling frame of nearly 14,000 adult-aged individuals who reside within the United States was used to recruit and select participants to this survey. Our randomly selected sampling frame was built from several proprietary lists of experienced IT and IT security practitioners.

Table 4: Sample response statistics (Freq. / Pct%)
Sampling frame 13, %
Total invitations 12, %
Bounce back 1, %
Returns %
Rejections %
Final sample %
After screen %
After screen %

In total, 918 respondents completed the survey. Of the returned instruments, 109 surveys failed reliability checks. A total of 809 surveys were used as our final sample, which represents a 5.8 percent response rate. Two screening questions were used to ensure respondents had relevant knowledge and experience, resulting in a reduced sample size of 637 individuals. Ninety percent of respondents completed all survey items within 15 minutes.[1] The average overall experience level of respondents is years, and the years of experience in their present job is 4.5 years.

Pie Chart 4 reports the primary industry sector of respondents' organizations. As shown, the largest segments include financial services, government, industrial companies, pharmaceuticals and healthcare (combined), and services.

Pie Chart 4: Industry distribution of respondents' organizations

[1] Please note that nominal compensation was provided to respondents who successfully completed the survey instrument.

Table 5 reports the respondent organization's global headcount. As shown, a majority of respondents work within companies with more than 1,000 employees. Over 38 percent of respondents are located in larger-sized companies with more than 10,000 employees.

Table 5: The worldwide headcount of respondents' organizations
Less than 500 people 4%
500 to 1,000 people 11%
1,001 to 5,000 people 21%
5,001 to 10,000 people 26%
10,001 to 25,000 people 25%
25,001 to 75,000 people 8%
More than 75,000 people 5%

Table 6 reports the respondent's primary reporting channel. As can be seen, 52 percent of respondents are located in the organization's IT department (led by the company's CIO). Eighteen percent report to the company's security officer (or CISO).

Table 6: Respondent's primary reporting channel
CEO/Executive Committee 1%
Chief Financial Officer 4%
Chief Information Officer 52%
Chief Information Security Officer 18%
Compliance Officer 5%
Chief Privacy Officer 0%
Director of Internal Audit 1%
General Counsel 0%
Chief Technology Officer 7%
Human Resources Leader 0%
Chief Security Officer 4%
Chief Risk Officer 6%
Other 3%

Table 7 reports the respondent organization's global footprint. As can be seen, a large number of participating organizations are multinational companies that operate outside the United States.

Table 7: Location of the respondent
Northeast 20%
Mid-Atlantic 18%
Midwest 18%
Southeast 13%
Southwest 12%
Pacific 19%

V. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

VI. Recommendations

We recommend that organizations immediately assess what specific, proactive steps they should take to protect sensitive information stored in the cloud. Other recommendations to implement immediately include the following:

- Organizations should ensure that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud. The policy should outline what information is considered sensitive and proprietary.
- Organizations should vet and evaluate the security posture of third parties before sharing confidential or sensitive information. As part of the process, corporate IT and/or IT security experts should conduct a thorough review and audit of the vendor's security qualifications.
- Prior to deploying cloud technology, organizations should formally train employees in how to mitigate the security risks specific to the new technology, to make sure sensitive and confidential information is not threatened.
- Organizations should establish an organizational structure that allows the CIO, CISO or other security/privacy leaders to participate actively in the vetting, purchasing and implementation processes to ensure they are handled appropriately.
- Larger organizations should establish a function dedicated to information governance oversight.
- Organizations should expand their governance activities beyond traditional IT areas to better protect their business.
- Organizations should define policy around information and applications they are willing to put in the cloud.
- Cloud computing vendors should provide more transparency into their security infrastructure to help ensure customer confidence that information stored in the cloud is secure.

These recommendations should be incorporated into all procedures involving employees using cloud computing resources. Doing so will address numerous significant risks facing organizations as cloud computing technologies become more pervasive.

If you have questions or comments about this research report or you would like to obtain additional copies of the document (including permission to quote from or reuse this report), please contact us by letter, phone call or e-mail:

Ponemon Institute LLC
Attn: Research Department
2308 US 31 North
Traverse City, Michigan USA
research@ponemon.org

Detailed Survey Results

Audited results presented by Dr. Larry Ponemon, completed March 2009

The following tables provide the frequency and percentage frequency of responses to all survey questions. This web-based survey was conducted by Ponemon Institute with subject debriefing completed on March 2, The final sample size involves 809 respondents (637 after screening).

Sample response statistics (Freq. / Pct%)
Sampling frame %
Total invitations %
Bounce back %
Returns %
Rejections %
Final sample %

I. Screening

Q1. Does your organization use cloud computing resources? (Freq. / Remainder)
Yes
No (stop) 54 0
Total

Q2. What percent of your organization's total use of cloud computing resources involves public versus private clouds? (Freq. / Remainder)
All or mostly public cloud
About equal public and private cloud
All or mostly private cloud (stop)
Total

II. Attributions about information governance

Please use the scale provided below each statement to express your opinions about information governance within your organization. (Strongly agree / Agree)
Q3a. My organization is committed to protecting confidential or sensitive information. 19% 32%
Q3b. My organization has established clearly defined accountability for safeguarding of confidential or sensitive information. 16% 26%
Q3c. My organization educates employees to understand their responsibilities in safeguarding sensitive or confidential information. 16% 24%
Q3d. My organization is careful about sharing confidential or sensitive information with third parties such as business partners, contractors, and vendors. 16% 32%
Q3e. My organization respects the privacy rights of customers, consumers and employees. 12% 27%
Q3f. My organization is proactive in managing compliance with privacy and data protection requirements around the globe. 8% 23%

III. Background on cloud computing

Q4. What cloud computing applications does your organization presently use? Please select all that apply.
                                                                                         Total%
  We don't use cloud computing applications                                               14%
  Peer-to-peer (such as Skype)                                                            58%
  Social media applications (such as Facebook, YouTube, Twitter, etc.)                    50%
  Business applications (such as CRM inc, SalesForce.com, webmail, HR, GoogleDocs, etc.)  79%
  Infrastructure applications (online backup, security, archiving, etc.)                  23%
  Other                                                                                    5%
  Total                                                                                  229%

Q5. What cloud computing platforms does your organization presently use? Please select all that apply.
                                                                                         Total%
  We don't use cloud computing platforms                                                  39%
  Services (such as identity management, payments, search and others)                    45%
  Solution stacks (such as Java, PHP, Python, ColdFusion and others)                      46%
  Other                                                                                   11%
  Total                                                                                  141%

Q6. What cloud computing infrastructure services does your organization presently use? Please select all that apply.
                                                                                         Total%
  We don't use infrastructure services                                                    38%
  Computing                                                                               43%
  Network                                                                                 14%
  Storage                                                                                 56%
  Other                                                                                   10%
  Total                                                                                  161%

Q7. Approximately, what percent of your organization's total IT and data processing requirements are met by using cloud computing resources today?
                          Percent    Extrapolated
  Less than 5%            15%        1%
  Between 5 to 10%        12%        1%
  Between 11 to 20%       29%        4%
  Between 21 to 30%        9%        2%
  Between 31 to 40%        6%        2%
  Between 40 to 50%        5%        2%
  Between 51 to 60%        3%        2%
  Between 61 to 70%        1%        1%
  Between 71 to 80%        0%        0%
  Between 81 to 90%        0%        0%
  More than 90%            3%        3%
  Don't know              17%        0%
  Extrapolated total                18%

Q8. In your opinion (best guess), what percent of your organization's total IT and data processing requirements will be met by using cloud computing resources two years from today?
                          Percent    Extrapolated
  Less than 5%             4%        0%
  Between 5 to 10%         3%        0%
  Between 11 to 20%        6%        1%
  Between 21 to 30%       11%        3%
  Between 31 to 40%       17%        6%
  Between 40 to 50%       13%        6%
  Between 51 to 60%       12%        7%
  Between 61 to 70%       11%        7%
  Between 71 to 80%        8%        6%
  Between 81 to 90%        0%        0%
  More than 90%            5%        5%
  Don't know              10%        0%
  Extrapolated total                40%

Q9. How important is the use of cloud computing applications or platform solutions for meeting your organization's IT and data processing objectives?
                     Today    Next two years
  Very important     18%      34%
  Important          32%      46%
  Not important      31%      18%
  Irrelevant         19%       2%
  Total             100%     100%

Q10. What are the primary reasons why cloud computing resources are used within your organization? Please select only two choices.
                                                        Total%
  Reduce cost                                            71%
  Increase efficiency                                    49%
  Improve security                                       11%
  Faster deployment time                                 43%
  Increase flexibility and choice                        10%
  Improve customer service                                9%
  Comply with contractual agreements or policies          6%
  Other                                                   0%
  Total                                                 199%

Q11. How confident are you that your IT organization knows all cloud computing applications, platform or infrastructure services in use today?
  Very confident     19%
  Confident          32%
  Not confident      49%

Q12a. Are cloud computing services evaluated for security prior to engagement or deployment by your end-users in your organization?
  Yes           30%
  No            53%
  Don't know    17%

Q12b. If yes, who is responsible for vetting or evaluating cloud computing vendors in your organization?
                                         Who is most responsible    Who should be most responsible
  End-users                              45%                         9%
  Business unit managers                 23%                        11%
  Corporate IT                           11%                        34%
  Compliance                              3%                         6%
  Legal                                   1%                         0%
  Procurement                             3%                         2%
  Internal audit                          1%                         0%
  Information security                    9%                        35%
  Physical security                       0%                         0%
  Other                                   2%                         0%
  No one person (shared responsibility)   2%                         3%
  Total                                 100%                       100%

Q12c. If yes, how does your organization go about vetting or evaluating cloud computing vendors? Please select all that apply.
                                                                        Total%
  Word-of-mouth (market reputation)                                      65%
  Contractual negotiation and legal review                               26%
  Proof of security compliance (such as SAS 70)                          23%
  Self-assessment checklist or questionnaire completed by vendor         25%
  Assessment by in-house security team                                   18%
  Third-party assessment by security expert or auditor                    6%
  Other                                                                   6%
  Total                                                                 169%

Q12d. If no, why does your organization permit cloud computing resources to be deployed without vetting or evaluation for security risks? Please select all that apply.
                                                   Total%
  No one is in charge                               44%
  Not considered a priority                         43%
  Not enough resources to conduct evaluation        50%
  Not able to control end-users                     76%
  Other                                              5%
  Don't know                                        18%
  Total                                            236%

Q13a. In your opinion, are there any disadvantages to using cloud computing resources within your organization?
  Yes           51%
  No            26%
  Don't know    23%

Q13b. If yes, what are the main disadvantages? Please select only two choices.
                                                               Total%
  Increased security risk                                       56%
  Increased data privacy risk                                   31%
  Loss of control over end-users                                40%
  Increased risk of non-compliance                              33%
  Increased complexity in meeting IT requirements               16%
  Increased risk of business process conflicts or snafus        19%
  Other                                                          0%
  Total                                                        195%

IV. Information governance in the cloud

Q14. How does your organization go about protecting confidential or sensitive information in the cloud? Please select only two choices.
                                                                                    Total%
  We rely on assurances from the cloud computing vendor                              53%
  We rely on contractual agreements with the cloud computing vendor                  55%
  We buy additional security services provided by the cloud computing vendor         11%
  We use conventional security tools to protect information in the cloud             60%
  Don't know                                                                         16%
  Other                                                                               2%
  Total                                                                             197%

Q15a. Does cloud computing make it more difficult to protect confidential or sensitive information?
  Yes           66%
  No            23%
  Don't know    11%

Q15b. If yes, why does it make it more difficult to protect confidential or sensitive information in the cloud? Please select only two choices.
                                                                                                      Total%
  It is more difficult to inspect cloud computing vendor for security compliance directly              77%
  It is more difficult to apply conventional information security in the cloud computing environment  31%
  It is more difficult to control or restrict end-user access                                          80%
  Don't know                                                                                           10%
  Other                                                                                                 0%
  Total                                                                                               198%

Q15c. What types of confidential or sensitive information does your organization consider too risky to be stored in the cloud? Please select all that apply.
                                                                                       Total%
  Consumer data                                                                         12%
  Customer information                                                                  20%
  Credit card information                                                               53%
  Employee records                                                                      38%
  Health information                                                                    65%
  Non-financial confidential business information                                       19%
  Financial business information                                                        69%
  Intellectual property such as source code, design plans, architectural renderings     22%
  Research data                                                                         29%
  Other                                                                                  9%
  Total                                                                                336%

Q16. How does your organization determine that all appropriate security requirements are met before deploying cloud computing resources?
  Self-assessment completed by the vendor                                 8%
  Vetting and evaluation by in-house security team                        5%
  Vetting and evaluation by outside security expert or auditor            2%
  Legal or indemnification agreement with cloud computing vendor         21%
  Training of end-users before deploying cloud applications               6%
  Other                                                                   3%
  None of the above                                                      55%

Q17. How does your organization educate employees about safeguarding sensitive or confidential information when using cloud applications?
  Specialized training for each cloud application                                        5%
  General data security training includes discussion of cloud applications              19%
  General data security training without specific discussion about cloud applications   42%
  Informal awareness effort                                                              24%
  Other                                                                                   0%
  None of the above                                                                      10%

Q18a. Does your organization have a policy that restricts or limits the use of certain cloud computing applications?
  Yes           29%
  No            49%
  Don't know    22%

Q18b. If yes, how is this policy communicated to end-users?
  Internal awareness including to employees         23%
  It is part of the enterprise security policy      43%
  Formal in-house training                           5%
  Informal process                                  11%
  Don't know                                        18%
  Other                                              0%

Q19. In your opinion, how does the use of cloud computing applications affect the individual employee's responsibility to safeguard sensitive or confidential information stored in the cloud?
  Cloud computing increases employee (end-user) responsibility.          62%
  Cloud computing decreases employee (end-user) responsibility.           4%
  Cloud computing does not affect employee (end-user) responsibility.    34%

Q20. How does your organization ensure safe sharing of confidential or sensitive information with cloud computing vendors?
  Informal self-assessment to review security requirements                8%
  Vetting and evaluation by in-house security team                        6%
  Vetting and evaluation by outside expert or auditor                     2%
  Legal or indemnification agreement with cloud computing vendor         32%
  Training of end-users before deploying cloud applications               6%
  Other                                                                   3%
  None of the above                                                      43%

Q21. How does your organization go about ensuring the privacy rights of customers, consumers and employees when this personal information is stored in the cloud?
  Informal self-assessment to review privacy requirements                 8%
  Vetting and evaluation by in-house privacy compliance expert            5%
  Vetting and evaluation by outside privacy expert or auditor             0%
  Legal or indemnification agreement with cloud computing vendor         32%
  Training of end-users before deploying cloud applications               6%
  Other                                                                   5%
  None of the above                                                      44%

Q22. What privacy and data protection regulatory requirements are most difficult to meet in the cloud computing environment? Please select no more than three choices.
                                                                     Total%
  Various US state data breach laws                                   48%
  Health Insurance Portability and Accountability Act (HIPAA)         45%
  EU Data Protection Directive                                        43%
  Sarbanes-Oxley                                                      40%
  Safe Harbor (US and EU agreement)                                   39%
  Various country-specific privacy laws                               35%
  Gramm-Leach-Bliley                                                  12%
  Various FTC requirements including the Red Flags Rule               10%
  Fair and Accurate Credit Transaction Act (FACTA)                     9%
  Fair Credit Reporting Act (FCRA)                                     7%
  US Federal Privacy Act                                               5%
  Children's Online Privacy Protection Act (COPPA)                     2%
  Total                                                              295%

Q23. Does the organization have procedures on how to decide if cloud applications using sensitive or confidential information should be allowed?
  Yes           27%
  No            51%
  Don't know    22%

Q24. Are members of your security team involved in the decision-making process about allowing the use of certain cloud applications or platforms?
  Always               3%
  Most of the time     5%
  Some of the time    12%
  Rarely              56%
  Never               24%

V. Attributions about cloud computing. Please use the scale provided below each statement to express your opinions about information governance within your organization.

Q25a. My organization assesses the effect cloud computing applications may have on the classification of data according to risk.
      Strongly agree 9%    Agree 12%
Q25b. My organization determines what data is too sensitive for cloud computing applications.
      Strongly agree 8%    Agree 16%
Q25c. My organization is vigilant in conducting audits or assessments of data used by cloud computing applications.
      Strongly agree 6%    Agree 9%
Q25d. My organization is proactive in assessing the types of data to be allowed in the cloud.
      Strongly agree 6%    Agree 17%
Q25e. My organization's IT infrastructure has the ability to ensure substantial security of information in the cloud.
      Strongly agree 11%   Agree 12%

VI. Organization characteristics and respondent demographics

D1. Your current title is (approximate only)
  Director IT security                                            20%
  Manager, network security                                       18%
  Chief information security officer (CISO or approximate)        15%
  IT compliance & security                                        14%
  Quality assurance                                               12%
  All others                                                      22%

D2. What organizational level best describes your current position?
  Senior Executive        0%
  Vice President          2%
  Director               20%
  Manager                26%
  Supervisor             15%
  Staff or technician    34%
  Other                   3%

D3. Check the primary person you or your supervisor reports to within your organization.
  CEO/Executive Committee               1%
  Chief Financial Officer               4%
  Chief Information Officer            52%
  Chief Information Security Officer   18%
  Compliance Officer                    5%
  Chief Privacy Officer                 0%
  Director of Internal Audit            1%
  General Counsel                       0%
  Chief Technology Officer              7%
  Human Resources Leader                0%
  Chief Security Officer                4%
  Chief Risk Officer                    6%
  Other                                 3%

D4. Location
  Northeast       20%
  Mid-Atlantic    18%
  Midwest         18%
  Southeast       13%
  Southwest       12%
  Pacific         19%

D5. Experience
                                        Mean    Median
  D5a. Total years in business
  D5b. Total years in IT security
  D5c. Total years in current position

D6. Educational and career background:
  Compliance (auditing, accountant, legal)               9%
  IT (systems, software, computer science)              42%
  Security (law enforcement, military, intelligence)    29%
  Other non-technical field                             13%
  Other technical field                                  7%

D7. What industry best describes your organization's industry concentration or focus?
  Airlines                    1%
  Automotive                  1%
  Agriculture                 0%
  Brokerage                   2%
  Cable                       1%
  Chemicals                   1%
  Credit Cards                2%
  Defense                     2%
  Education                   3%
  Entertainment & Media       3%
  Services                    4%
  Health Care                 6%
  Hospitality & Leisure       5%
  Manufacturing               7%
  Insurance                   3%
  Internet & ISPs             2%
  Government                 11%
  Pharmaceutical              5%
  Professional Services       4%
  Research                    2%
  Retail                      7%
  Banking                    11%
  Energy                      3%
  Telecommunications          3%
  Technology & Software       6%
  Transportation              4%
  Wireless                    1%

D8. What best describes your role in managing data protection and security risk in your organization? Check all that apply.
  Setting priorities                                       69%
  Managing budgets                                         68%
  Selecting vendors and contractors                        63%
  Determining privacy and data protection strategy         58%
  Evaluating program performance                           60%

D9. What is the worldwide headcount of your organization?
  Less than 500 people          4%
  500 to 1,000 people          11%
  1,001 to 5,000 people        21%
  5,001 to 10,000 people       26%
  10,001 to 25,000 people      25%
  25,001 to 75,000 people       8%
  More than 75,000 people       5%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.


More information

It s still very important that you take some steps to help keep up security when you re online:

It s still very important that you take some steps to help keep up security when you re online: PRIVACY & SECURITY The protection and privacy of your personal information is a priority to us. Privacy & Security The protection and privacy of your personal information is a priority to us. This means

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented

More information

COBIT 5 With COSO 2013

COBIT 5 With COSO 2013 Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)

2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) Sponsored by Keeper Security Independently conducted by Ponemon Institute LLC Publication Date: September 2017 Ponemon Institute Research

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

2017 PKI GLOBAL TRENDS STUDY

2017 PKI GLOBAL TRENDS STUDY 2017 PKI GLOBAL TRENDS STUDY October 2017 1 2017 PKI GLOBAL TRENDS STUDY TABLE OF CONTENTS PART 1. EXECUTIVE SUMMARY 3 PART 2. KEY FINDINGS 5 Trends in PKI maturity 7 PART 3. METHODS 20 PART 4. LIMITATIONS

More information

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007 Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007 Balancing business & security Security & privacy not all technology Placement of privacy & security - Organizational oversight Importance

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

Clarity on Cyber Security. Media conference 29 May 2018

Clarity on Cyber Security. Media conference 29 May 2018 Clarity on Cyber Security Media conference 29 May 2018 Why this study? 2 Methodology Methodology of the study Online survey consisting of 33 questions 60 participants from C-Level (CISOs, CIOs, CTOs) 26

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

2012 Consumer Study on Data Breach Notification. Sponsored by Experian Data Breach Resolution

2012 Consumer Study on Data Breach Notification. Sponsored by Experian Data Breach Resolution 2012 Consumer Study on Data Breach Notification Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: June 2012 Ponemon Institute Research Report

More information

Cyber Security. June 2015

Cyber Security. June 2015 Cyber Security June 2015 Table of contents Section Pages Introduction and methodology 3 Key findings 4 Respondent profile 5-9 Cyber security practices 10-25 Resources for monitoring cyber security events

More information

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

Enhancing Security With SQL Server How to balance the risks and rewards of using big data Enhancing Security With SQL Server 2016 How to balance the risks and rewards of using big data Data s security demands and business opportunities With big data comes both great reward and risk. Every company

More information

ACHIEVING FIFTH GENERATION CYBER SECURITY

ACHIEVING FIFTH GENERATION CYBER SECURITY ACHIEVING FIFTH GENERATION CYBER SECURITY A Survey Research Report of IT and Security Professionals MARCH 2018 INTRODUCTION The pursuit of the highest level of cyber security is a top priority for IT and

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

Combating Cyber Risk in the Supply Chain

Combating Cyber Risk in the Supply Chain SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

Outbound and Data Loss Prevention in Today s Enterprise

Outbound  and Data Loss Prevention in Today s Enterprise Outbound Email and Data Loss Prevention in Today s Enterprise Results from Proofpoint s seventh annual survey on outbound messaging and content security issues, fielded by Osterman Research during June

More information

Tripwire State of Container Security Report

Tripwire State of Container Security Report RESEARCH Tripwire State of Container Security Report January 2019 FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS As DevOps continues to drive increased use of containers, security teams

More information

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals 2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals Sponsored by Contents Introduction....3 Key Takeaways from the 2017 Report:....3 Security

More information

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT:

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: 2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: A SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN THE ASIA-PACIFIC REGION April 2014 Sponsored by: 2014 NETWORK SECURITY & CYBER RISK MANAGEMENT:

More information

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed

More information

Security in India: Enabling a New Connected Era

Security in India: Enabling a New Connected Era White Paper Security in India: Enabling a New Connected Era India s economy is growing rapidly, and the country is expanding its network infrastructure to support digitization. India s leapfrogging mobile

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018 2018 Study on

More information

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services Solution Overview Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services OPTIMIZE YOUR CLOUD SERVICES TO DRIVE BETTER BUSINESS OUTCOMES Reduce Cloud Business Risks and Costs

More information

Village Software. Security Assessment Report

Village Software. Security Assessment Report Village Software Security Assessment Report Version 1.0 January 25, 2019 Prepared by Manuel Acevedo Helpful Village Security Assessment Report! 1 of! 11 Version 1.0 Table of Contents Executive Summary

More information

WHITE PAPER. Title. Managed Services for SAS Technology

WHITE PAPER. Title. Managed Services for SAS Technology WHITE PAPER Hosted Title Managed Services for SAS Technology ii Contents Performance... 1 Optimal storage and sizing...1 Secure, no-hassle access...2 Dedicated computing infrastructure...2 Early and pre-emptive

More information

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner MOBILE SECURITY 2017 SPOTLIGHT REPORT Group Partner Information Security PRESENTED BY OVERVIEW Security and privacy risks are on the rise with the proliferation of mobile devices and their increasing use

More information

Spotlight Report. Information Security. Presented by. Group Partner

Spotlight Report. Information Security. Presented by. Group Partner Cloud SecuriTY Spotlight Report Group Partner Information Security Presented by OVERVIEW Key FINDINGS Public cloud apps like Office 365 and Salesforce have become a dominant, driving force for change in

More information

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services Building YOUR Privacy Program: One Size Does Not Fit All Justine Gottshall Partner, InfoLawGroup, LLP Chief Privacy Officer, Signal Jgottshall@infolawgroup.com Adam Nelson Executive Consultant Global Data

More information

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by

More information

Hong Kong s Personal Data (Privacy) Ordinance

Hong Kong s Personal Data (Privacy) Ordinance Asia Privacy Bridge Forum 11 May 2016 Hong Kong s Personal Data (Privacy) Ordinance Fanny Wong Deputy Privacy Commissioner for Personal Data Hong Kong, China The Personal Data Landscape in Asia 2011 2003

More information

Vulnerability Management Survey

Vulnerability Management Survey Vulnerability Management Survey Executive Summary November 1 st, 2006 Conducted by Trusted Strategies for Shavlik Technologies LLC Author: Bill Bosen About Trusted Strategies is a research and advisory

More information

CASA External Peer Review Program Guidelines. Table of Contents

CASA External Peer Review Program Guidelines. Table of Contents CASA External Peer Review Program Guidelines Table of Contents Introduction... I-1 Eligibility/Point System... I-1 How to Request a Peer Review... I-1 Peer Reviewer Qualifications... I-2 CASA Peer Review

More information