No doubt about it, cloud security has steadily improved over the years. If you did doubt it, a recent study by the Ponemon Institute, “Security of Cloud Computing Users 2013,” found that IT professionals believe there has been an improvement in cloud security since a 2010 study that researched the same topic. That’s good news, especially for those who have balked at moving corporate data to the cloud because of security concerns.
Still, there are a lot of questions about cloud security that even professionals struggle to answer, and one of those questions is who is responsible for the security in the cloud. According to an article posted to ISS Source:
“The survey shows a concerning lack of agreement remains regarding who has responsibility for cloud security. While some organizations expect their cloud services providers to ensure the security of Software as a Service (SaaS) and Infrastructure as a Service (IaaS) applications (36 percent and 22 percent, respectively), responsibility also goes out to companies’ end users (31 percent for SaaS; 21 percent for IaaS), and very little responsibility went to IT security (eight percent for SaaS and 10 percent for IaaS). This relinquishment of responsibility points to a lack of clarity around ownership, which may lead to gaps in security processes and governance.”
Who is responsible for cloud security is a question that comes up frequently in conversations and cloud forums that I visit, and the study’s results mirror most of those conversations. Cloud security is complex because of all the different players involved. I think it is interesting how much responsibility for security is given to the end user and how little lies within IT security. I suspect that BYOD has a lot to do with that, since a growing number of employees access the cloud via their personal mobile devices.
In my opinion, we shouldn’t look at cloud security in terms of who is responsible or who owns it, but rather, how is it best shared? Yes, end users need to be responsible for making sure their devices are protected and that they are engaging in security best practices. IT security professionals need to make sure that the links between data in the cloud and those using the network are secure. Cloud providers must own up to protecting their servers and clients from hackers. Would cloud security improve if we begin to think of it as a joint responsibility instead of pointing fingers at someone else?