Who Is Responsible for Security in the Cloud?

Security is a primary concern for most organizations looking at cloud adoption, but who is responsible for making sure the cloud is secure? That's one of the many questions that a Ponemon Institute survey, sponsored by security hosting vendor Armor, asked.

By Sean Michael Kerner

More than half (56 percent) of respondents said that the primary reason they adopt cloud is to reduce costs, while only 8 percent said that a primary reason is to improve security, according to the study, which is based on a poll of 990 senior IT professionals in the United States and United Kingdom. Meanwhile, 79 percent of respondents indicated that security is a critical part of the cloud migration decision.

Related: The No. 1 Problem with Computer Security

"It continues to surprise me that there seems to be agreement in the industry that security is important and continues to be a major concern in the cloud," Jeff Schilling, CSO at Armor (previously known as Firehost), told eWEEK. "However, more than half of the respondents are unwilling to pay a premium to ensure the security of their sensitive data in the cloud."

Despite the views of the survey's respondents, it is possible to achieve a secure posture in the cloud, said Schilling, who is a former director of the U.S. Army's Global Network Operations and Security Center, which falls under the U.S. Army's Cyber Command.

In Schilling's view, the cloud is the place that allows enterprises to take back the initiative from the threat actors, but it takes the right technology, managed via the right techniques and the right people. "Not investing in the proper security controls gives threat actors the advantage," he said.

The survey asked multiple questions about responsibilities for cloud software-as-as-service (SaaS) as well as infrastructure-as-a-service (IaaS) deployments. Only 15 percent of respondents indicated that IT security is most responsible for ensuring the security of SaaS applications, while 16 percent of respondents identified IT security as most responsible for the security of IaaS resources.

Related: Compliance Biggest Cloud Security Challenge

"Security is something that is everyone's responsibility to some degree, yet no one particular function seems to step up and own it," Schilling said. "This is absolutely where managed security providers can come in to take on some responsibilities and share some of the risk." Schilling suggests that customers considering a managed service should ensure that their chosen provider clearly delineates the responsibilities that they will assume versus those that the customer will retain.

The study also asked respondents about deployments of IT security technologies on-premises and in the cloud; 59 percent of respondents indicated that they deploy security information and event management (SIEM) technology on premises, while 39 percent deploy it in the cloud.

"Based on my past experiences, many companies keep SIEM on premises, whether due to regulatory requirements or just by the nature of the amount of data being processed and stored," Schilling said. "That said, we find that SIEM can absolutely work in the cloud if you have the right architecture and talent to manage it."

When it comes to intrusion-prevention systems (IPS), 54 percent of respondents noted that they deploy in the cloud, with 42 percent reporting on-premise deployments. For next-generation firewalls (NGFWs), the results are flipped, with 38 percent deploying on premises and 17 percent deploying in the cloud.

"For advanced firewalls or unified threat platforms [such as a firewall-IPS combo], there is a struggle to virtualize the software and move off of bare metal," Schilling said. "Part of me suspects this is more of a business decision by most of the vendors, as software companies drive less revenue than hardware/software companies."

The industry is starting to see some of the big players move to the cloud because they realize they will be irrelevant if they don't have a cloud option, Schilling explained.

Related: The Key to Security in the Cloud

While one part of the study showed that respondents, in fact, use security applications in the cloud, 32 percent indicated that IT security applications are considered too risky to be processed or housed in the cloud.

The back-end analytics systems for some of the largest security companies in the world require tremendous horizontal and vertical scaling as their business grows and the complexity of their analytics grow exponentially, Schilling said, adding that nearly all security vendors that approach him lately have some level of public cloud use as part of their enterprises.

"I love asking them to present their security validation paperwork so I can get a sense of how they are securing their cloud use," Schilling said. "Most of the time, the conversation turns to 'thank you for your time and I will get back to you,' and I never hear from them."