Ponemon cloud security study

Published in: Technology


Transcript

  • 1. Managing Firewall Risks in the Cloud
    Survey of U.S. IT & IT Security Practitioners
    Sponsored by Dome9 Security
    Independently conducted by Ponemon Institute LLC
    Publication Date: November 2011
    Ponemon Institute© Research Report
  • 2. Part 1. Introduction
    Ponemon Institute is pleased to present the results of Managing Firewall Risks in the Cloud. Sponsored by Dome9 Security, this research was conducted to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. We believe this is the first study to look at the risk to cloud security because of unsecured ports and firewalls.

    The study surveyed 682 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. On average, respondents have more than 10 years IT or IT security experience. Only IT practitioners working in organizations that use hosted or cloud servers (dedicated or virtual private server) completed the survey. The majority of respondents report that their organizations use both public clouds and hybrid (semi-public) clouds. Forty percent are employed by organizations with a worldwide headcount of more than 5,000.

    Imagine this. Can this happen to your organization?
    - After configuring a cloud server firewall, a systems administrator inadvertently locks-out your organization’s access to a cloud server, thereby preventing it from processing a mission critical application.
    - In order to access cloud servers, your organization leaves administrative server ports (such as SSH or Remote Desktop) open. These open ports expose the organization to increased hacker attacks and serious security exploits.

    Our research shows that the majority of respondents (68 percent) say their organizations use public cloud services. The most commonly cited service providers are listed in Bar Chart 1.

    Bar Chart 1. The major public cloud service providers used by respondents’ organizations
    More than one choice is permitted
    - AWS EC2: 49%
    - Azure: 47%
    - Google: 45%
    - RackSpace: 38%
    - GoGRID: 30%
    - Terremark: 28%
    - All others: 24%

    According to the majority of these respondents (52 percent), the state of cloud server security management is either fair or poor and 21 percent had no comment. This concern can be partly attributed to the finding that 42 percent fear that they would most likely not know if their organizations’ applications or data was compromised by a security exploit or data breach involving an open port on a cloud server.
  • 3. The topics addressed in this study include:
    - Perceptions about organizations’ ability to mitigate the risk to their cloud servers
    - Barriers to efficiently managing security in the cloud server
    - Responsibility for managing cloud security risks
    - The risk of open ports in a cloud environment
    - The importance of certain features to securing the cloud server

    The next section reports the key findings of our independently conducted survey research. The results provide strong evidence that organizations’ cloud servers are vulnerable, most IT personnel do not understand the risk and it is a challenge to secure access to and generate reports for cloud servers.
  • 4. Part 2. Key findings
    Respondents do not give high marks to their organizations’ cloud server security. Bar Chart 2 shows more than half (52 percent) rate their organizations’ overall management of cloud server security as fair (27 percent) and poor (25 percent).

    Bar Chart 2. How do you rate your organization’s overall management of cloud server security today?
    - Excellent: 9%
    - Good: 18%
    - Fair: 27%
    - Poor: 25%
    - No comment: 21%

    Twenty-one percent of respondents have no comment about the status of cloud server management in their organizations, which could indicate a lack of knowledge about how their organizations are managing access and securing firewalls and ports in their cloud environments. In fact, as shown in Bar Chart 3, 54 percent of respondents say the IT personnel within their organization are not knowledgeable (41 percent) or have no knowledge (13 percent) about the potential risk of open firewall ports in their cloud environments.

    Bar Chart 3. How knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment?
    - Very knowledgeable: 14%
    - Knowledgeable: 32%
    - Not knowledgeable: 41%
    - No knowledge: 13%
  • 5. Manually configuring a cloud server firewall frustrates IT practitioners. Bar Chart 4 lists seven (7) attributions or statements about the state of cloud security in respondents’ organizations [1]. Eighty-six percent of respondents strongly agree or agree that configuring their organizations’ cloud server firewall manually is a difficult and sometimes frustrating process. In fact, 79 percent of respondents believe being able to efficiently manage security in the cloud environment is just as important as the security itself. Most respondents (81 percent) agree that in the cloud environment, opening or closing ports to servers containing their organizations’ applications or data is managed via controls provided by the cloud service provider.

    Bar Chart 4. Respondents’ perceptions about the state of cloud security and remote management of firewalls
    Strongly agree and agree response combined.
    - Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process: 86%
    - In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider: 81%
    - In the cloud environment, being able to efficiently manage security is just as important as the security itself: 79%
    - In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider: 77%
    - In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities: 73%
    - In the cloud environment, user access to applications and data is primarily determined by username and passwords: 72%
    - The security of cloud servers containing my organization’s applications and data is a significant priority: 52%

    [1] In our survey we used attributions to capture the perceptions of respondents concerning the security of cloud computing environments. These attributions or statements are evaluated using a five-point adjective scale ranging from strongly agree to strongly disagree. A favorable or affirmative response is defined as a strongly agree or agree response. A negative or non-affirmative response is defined as a strongly disagree, disagree or unsure response.
  • 6. Scalability and cost, according to IT practitioners, are reasons for not having a cloud server firewall management solution. Pie Chart 1 shows 61 percent of respondents say their organization does not have a cloud server firewall management solution. Of those who do not have the solution, Bar Chart 5 shows 62 percent say it is because the solutions are not scalable, they cost too much (59 percent) and solutions are not available (57 percent). Of the 39 percent who say they do have a cloud server firewall management solution, more than half (54 percent) say it is because they manage the cloud server firewall manually.

    Pie Chart 1. Does your organization have a cloud server firewall management solution deployed today?
    - Yes: 39%
    - No: 61%

    Bar Chart 5. If no, why not? The solution is . . .
    - Not scalable: 62%
    - Cost too much: 59%
    - Not available: 57%
    - Overly complex: 49%
    - Not dependable: 43%
  • 7. Responsibility for security in the cloud server usually rests with either IT operations or the business units. Bar Chart 6a shows 41 percent of respondents say the IT operations department or function is most responsible for ensuring servers that house the organizations’ applications and data in the cloud are adequately secured. Bar Chart 6b shows the groups most responsible for making sure the cloud provider has adequate security controls in-place, which are the business functions (37 percent) followed by IT operations (35 percent). It is interesting to see in both charts that IT security is relatively low in terms of having the most responsibility in ensuring cloud server security.

    Bar Chart 6. Who within your organization is most responsible?

    6a. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured?
    - IT operations: 41%
    - Managed service provider: 20%
    - IT security: 17%
    - Business functions: 15%
    - Data center: 5%

    6b. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in-place to protect your organization’s applications and data?
    - Business functions: 37%
    - IT operations: 35%
    - IT security: 21%
    - Legal & compliance: 5%
    - Data center: 2%

    Bar Chart 7 reports 36 percent believe the cloud provider is most responsible for ensuring security of the cloud operations that support applications and data followed by 33 percent who say this responsibility is shared between the cloud provider and cloud user.

    Bar Chart 7. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data?
    - Cloud user: 31%
    - Both are equal: 33%
    - Cloud provider: 36%
  • 8. IT practitioners report that locking out an organization’s access to a cloud server is likely to happen. As noted in Bar Chart 8, when asked if a systems administrator could lock out the organization’s access to a cloud server after configuring the cloud server firewall, 12 percent say this has already happened and 43 percent say this is very likely to happen.

    Bar Chart 8. Two cloud server firewall risk management scenarios. How likely is each scenario?

    After configuring a cloud server firewall, a systems administrator inadvertently locks-out the organization’s access to a cloud server.
    - Already happened: 12%
    - Very likely to happen: 43%
    - Likely to happen: 22%
    - Not likely to happen: 18%
    - Will never happen: 5%

    In order to access cloud servers, your organization leaves administrative server ports open. These open ports expose the company to increased hacker attacks and security exploits.
    - Already happened: 19%
    - Very likely to happen: 42%
    - Likely to happen: 9%
    - Not likely to happen: 14%
    - Will never happen: 16%

    Leaving administrative server ports open and vulnerable to hackers is likely to happen, according to respondents. The above chart also shows 19 percent of respondents say their organization experienced additional hacker risk or security exploits because of exposed open ports on cloud servers. Another 42 percent say it is very likely that administrative server ports are left open and, thus, the company is exposed to increased hacker attacks and security exploits.
  • 9. Data and applications in the cloud server are at risk because of the inability to manage access and secure ports and firewalls. According to Bar Chart 9, two-thirds (67 percent) of respondents say their organizations are very vulnerable or vulnerable because ports and firewalls in the cloud environment are not adequately secured. Less than half (46 percent) of respondents say they have IT operations and infrastructure personnel who are very knowledgeable or knowledgeable about this risk.

    Bar Chart 9. How vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments?
    - Very vulnerable: 32%
    - Vulnerable: 35%
    - Not vulnerable: 9%
    - Unsure: 24%

    Automated firewall policy management is more important in the cloud environment because it is elastic, according to 40 percent of respondents. Thirty-six percent say their organization cannot manage access or generate reports efficiently and 29 percent say they manage access through the cloud provider’s tools but cannot see the access reports.

    Bar Chart 10. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment?
    - More important in the cloud environment because it is elastic: 40%
    - Equally important in both on-premises and cloud environments: 32%
    - Unsure: 20%
    - Less important in the cloud environment: 8%
  • 10. Automatic firewall configuration, an inexpensive solution and centralized control over all closed and open ports on cloud servers top the wish list of IT practitioners. Bar Chart 11 lists features relating to cloud firewall risk management solutions. Seventy-eight percent of respondents say the feature most important is a solution that closes ports automatically without having to reconfigure the firewall manually. The second most important feature, according to 73 percent of respondents, is a solution that costs less than traditional managed service solutions. Seventy-two percent of respondents say a solution providing centralized control over all closed and open ports on cloud servers is most important to them.

    Bar Chart 11. How important are the following technology features regarding cloud server firewall security? [2]
    Very important and important response combined
    - The solution closes ports automatically, so you don’t have to manually reconfigure your firewall: 78%
    - The solution is inexpensive, costing companies about 20% of the cost of managed service solutions: 73%
    - The solution provides centralized control over all closed and open ports on cloud servers: 72%
    - The solution is scalable to all cloud servers irrespective of location: 69%
    - The solution keeps all administrative ports closed on your servers without losing access and control: 69%
    - The solution can consolidate security management across the cloud (i.e., multiple cloud providers): 65%
    - The solution securely accesses your cloud servers without fear of getting locked out: 63%
    - The solution provides audited reports showing who has access, when it occurred, what servers were accessed, and why access was granted: 62%
    - The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server: 61%
    - The solution dynamically opens any port on-demand, any time and from anywhere: 59%
    - The solution sends time and location-based secure access invitations to third parties: 56%

    [2] Respondents were asked to assume that the above-mentioned features result from a proprietary software download to each cloud server containing their organization’s applications and data.
  • 11. Part 3. Methods
    A random sampling frame of 18,997 adult-aged individuals who reside within the United States was used to recruit and select participants to this survey. Our randomly selected sampling frame was built from proprietary lists of highly experienced IT and IT security practitioners with bona fide credentials. As shown in Table 1, 727 respondents completed the survey. Of the returned instruments, 64 surveys failed reliability checks. A total of 831 surveys were available before screening. One screening question was used to remove respondents who did not have relevant experience or knowledge. This resulted in a final sample of 682 individuals.

    Table 1. Survey response (Freq., Pct%)
    - Sampling frame: 18,997, 100.0%
    - Total returns: 727, 3.8%
    - Rejected surveys: 64, 0.3%
    - Sample before screening: 863, 4.5%
    - Final sample: 682, 3.6%

    Table 2 reports the respondent’s organizational level within participating organizations. Fifty-six percent of respondents are at or above the supervisory levels. On average, respondents had more than 10 years of overall experience in either the IT or IT security fields, and nearly five years in their present position.

    Table 2. Respondents’ position level (Pct%)
    - Vice President: 2%
    - Director: 15%
    - Manager: 21%
    - Supervisor: 18%
    - Technician: 37%
    - Staff: 4%
    - Contractor: 3%
    - Total: 100%

    Table 3 shows that the most frequently cited reporting channels among respondents are the CIO (58 percent), CISO (20 percent) and chief risk officer (8 percent).

    Table 3. Respondents’ primary reporting channel (Pct%)
    - Chief Information Officer: 58%
    - Chief Information Security Officer: 20%
    - Chief Risk Officer: 8%
    - Chief Financial Officer: 4%
    - Chief Security Officer: 4%
    - General Counsel: 3%
    - Compliance Officer: 3%
    - Total: 100%
  • 12. Table 4 reports the worldwide headcount of participating organizations. It reports that 65 percent of respondents are located in organizations with more than 1,000 employees.

    Table 4. Worldwide headcount of respondents’ organizations (Pct%)
    - < 500: 16%
    - 500 to 1,000: 19%
    - 1,001 to 5,000: 25%
    - 5,001 to 25,000: 18%
    - 25,001 to 75,000: 13%
    - 75,001 to 100,000: 4%
    - 101,000 to 150,000: 3%
    - > 150,000: 2%
    - Total: 100%

    Table 5 reports the respondent organization’s global footprint. As can be seen, a large number of participating organizations are multinational companies that operate outside the United States.

    Table 5: Geographic footprint of respondents’ organizations (Pct%)
    - United States: 100%
    - Canada: 75%
    - Europe: 68%
    - Middle East & Africa: 41%
    - Asia-Pacific: 58%
    - Latin America: 43%

    Pie Chart 2 reports the industry distribution of respondents’ organizations. As shown, financial services (including retail banking, insurance, brokerage and payments), public sector (federal, state and local), and healthcare and pharmaceuticals are the three largest industry segments.

    Pie Chart 2: Industry distribution of respondents’ organizations
    - Financial services: 20%
    - Public sector: 12%
    - Health & pharmaceuticals: 11%
    - Industrial: 8%
    - Services: 8%
    - Retailing: 7%
    - Hospitality: 6%
    - Education & research: 5%
    - Technology & Software: 5%
    - Communications: 4%
    - Consumer products: 3%
    - Energy: 3%
    - Entertainment & media: 3%
    - Transportation: 3%
    - Defense: 2%
  • 13. Part 4. Limitations
    There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
    - Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals in IT and IT security located in the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs or perceptions about data protection activities from those who completed the instrument.
    - Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals in the IT and IT security fields. We also acknowledge that the results may be biased by external events. We also acknowledge bias caused by compensating respondents to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
    - Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that certain respondents did not provide accurate responses.
  • 14. Part 5. Conclusion
    The IT practitioners in our study acknowledge that cloud server security is vulnerable and open ports expose the company to increased hacker attacks and security exploits. According to the findings in this study, some of the main barriers to mitigating risks include the current perception that cloud server security is not a priority and the lack of IT operations and infrastructure employees who are knowledgeable about the importance of securing ports and access.

    We also learned that accountability for the security of cloud servers is rarely with IT security but with the business units or IT operations. We believe the primary reason for this perception is that in general the business units and not IT security are most responsible for provisioning cloud services. For example, research and engineering developers are adopting the cloud faster than IT departments and in many cases IT departments are not involved in the adoption and deployment of cloud services.

    Based on the findings, it is recommended that organizations take the following steps:
    - Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.
    - Investigate solutions that are both efficient and cost effective.
    - Create accountability for cloud server security. Make sure those who are accountable are knowledgeable about the risks.
    - Ensure that the cloud service providers have appropriate controls in place.
    - Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.

    As more data and applications migrate to the cloud, security of the cloud server should become a significant priority for the organization. These recommendations should help IT practitioners make a difference in reducing the risk of a potentially costly and damaging attack.
  • 15. Appendix: Detailed Survey Results
    The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a three-week period ending in October 2011.

    Survey response (Freq., Pct%)
    - Sampling frame: 18,997, 100.0%
    - Total returns: 727, 3.8%
    - Rejected surveys: 64, 0.3%
    - Sample before screening: 863, 4.5%
    - Final sample: 682, 3.6%

    Part 1. Screening question

    S1. Does your organization use hosted or cloud servers (dedicated or virtual private server (VPS))? (Freq., Pct%)
    - Yes: 682, 79%
    - No (stop): 181, 21%
    - Total: 863, 100%

    Part 2. General questions

    Q1a. Please check the types of cloud environments your organization presently uses. (Pct%)
    - Private cloud: 31%
    - Public cloud: 68%
    - Hybrid (semi-public) cloud: 50%
    - Other: 2%
    - Total: 151%

    Q1b. How many of the following major cloud service providers does your organization use? Please select all that apply. (Pct%)
    - Windows Azure: 47%
    - Google App Engine: 45%
    - Amazon EC2: 49%
    - RackSpace: 38%
    - GoGRID: 30%
    - Terremark: 28%
    - None of the above: 24%
    - Total: 261%

    Attributions. Please rate the following statements using the five-point scale provided below each statement. Strongly agree and agree responses. (Strongly agree, Agree)
    - Q2a. The security of cloud servers containing my organization’s applications and data is a significant priority: 27%, 25%
    - Q2b. In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities: 38%, 35%
    - Q2c. In the cloud environment, user access to applications and data is primarily determined by username and passwords: 38%, 34%
    - Q2d. In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider: 40%, 37%
    - Q2e. In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider: 44%, 37%
  • 16. Attributions, continued (Strongly agree, Agree)
    - Q2f. Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process: 46%, 39%
    - Q2g. In the cloud environment, being able to efficiently manage security is just as important as the security itself: 40%, 39%

    Q3a. Does your organization have a cloud server firewall management solution deployed today? (Pct%)
    - Yes: 39%
    - No: 61%
    - Total: 100%

    Q3b. If yes, what best describes the solution used by your organization today? (Pct%)
    - We manage the cloud server firewall manually: 54%
    - We use managed security services for our cloud server firewalls: 20%
    - We have a third-party solution that allows us to manage cloud server firewalls remotely: 26%
    - Other (please specify): 0%
    - Total: 100%

    Q3c. If no, why not? Please select all that apply. (Pct%)
    - Solutions are overly complex: 49%
    - Solutions are not scalable: 62%
    - Solutions cost too much: 59%
    - Solutions are not available: 57%
    - Solutions are not dependable: 43%
    - Other (please specify): 2%
    - Total: 272%

    Q3d. If you are using a third party service provider to manage cloud server security, approximately what do you pay each month per server for this service (do not include hosting cost)? Your best guess is welcome. (Pct%)
    - Less than $20: 35%
    - $21 to $50: 38%
    - $51 to $100: 8%
    - $101 to $150: 3%
    - More than $150: 2%
    - Don’t know: 14%
    - Total: 100%
    - Extrapolated value ($ each month per server): 34.0

    Q4. In your opinion, how likely are the following scenarios? Please rate the following events using the scale provided below each item.

    Q4a. After configuring a cloud server firewall, a systems administrator inadvertently locks-out the organization’s access to a cloud server. (Pct%)
    - Already happened: 12%
    - Very likely to happen: 43%
    - Likely to happen: 22%
    - Not likely to happen: 18%
    - Will never happen: 5%
    - Total: 100%
  • 17. Q4b. In order to access cloud servers, your organization leaves administrative server ports (e.g., SSH, Remote Desktop, etc) open. These open ports expose the company to increased hacker attacks and security exploits. (Pct%)
    - Already happened: 19%
    - Very likely to happen: 42%
    - Likely to happen: 9%
    - Not likely to happen: 14%
    - Will never happen: 16%
    - Total: 100%

    Q5. In your opinion, how vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments? (Pct%)
    - Very vulnerable: 32%
    - Vulnerable: 35%
    - Not vulnerable: 9%
    - Unsure: 24%
    - Total: 100%

    Q6. In your opinion, how knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment? (Pct%)
    - Very knowledgeable: 14%
    - Knowledgeable: 32%
    - Not knowledgeable: 41%
    - No knowledge: 13%
    - Total: 100%

    Q7. Which one statement best describes how your organization manages access to cloud servers and generates reports that show who had access, when access occurred, and what servers were accessed. (Pct%)
    - Our organization uses the cloud service provider’s tools: 21%
    - Our organization manages access through the cloud provider’s tools, but it cannot see access reports: 29%
    - Our organization manages access and generates reports directly from each cloud server, but it is manual: 14%
    - Our organization cannot manage access or generate reports efficiently: 36%
    - Total: 100%

    Q8. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment? (Pct%)
    - More important in the cloud environment because it is elastic: 40%
    - Equally important in both on-premises and cloud environments: 32%
    - Less important in the cloud environment: 8%
    - Unsure: 20%
    - Total: 100%
  • 18. Q9. How important are the following eleven (11) features regarding cloud server security. Please rate each feature from very important = 1 to irrelevant = 4. Assume that these features result from a proprietary software download to each cloud server containing your organization’s applications and data. Shown only are the very important and important responses. (Very important, Important)
    - The solution provides audited reports showing who has access, when access occurred, what servers were accessed, and for what purpose access was granted: 21%, 40%
    - The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server: 20%, 41%
    - The solution can consolidate security management across the cloud (i.e., multiple cloud providers): 28%, 37%
    - The solution keeps all administrative ports closed on your servers without losing access and control: 37%, 32%
    - The solution dynamically opens any port on-demand, any time and from anywhere: 34%, 25%
    - The solution sends time and location-based secure access invitations to third parties: 23%, 33%
    - The solution closes ports automatically, so you don’t have to manually reconfigure your firewall: 38%, 40%
    - The solution securely accesses your cloud servers without fear of getting locked out: 35%, 28%
    - The solution is scalable to all cloud servers irrespective of location: 28%, 41%
    - The solution is inexpensive, costing companies about 20% of the cost of managed service solutions: 33%, 40%
    - The solution provides centralized control over all closed and open ports on cloud servers: 35%, 37%

    Q10. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured? (Pct%)
    - Managed service provider: 20%
    - IT operations: 41%
    - IT security: 17%
    - Data center management: 5%
    - Business functions: 15%
    - Other: 2%
    - Total: 100%

    Q11. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in-place to protect your organization’s applications and data? (Pct%)
    - IT operations: 35%
    - IT security: 21%
    - Legal and compliance: 5%
    - Data center management: 2%
    - Business functions: 37%
    - Other: 0%
    - Total: 100%
  • 19. Q12. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data? (Pct%)
    - Cloud provider: 36%
    - Cloud user: 31%
    - Both are equal: 33%
    - Total: 100%

    Q13. If your organization’s applications or data was compromised by a security exploit or data breach involving an open port on a cloud server, how would you know? (Pct%)
    - The cloud provider would inform us: 39%
    - Our system would provide a warning or other message signaling the event: 19%
    - Most likely, we wouldn’t know: 42%
    - Total: 100%

    Q14. How do you rate your organization’s overall management of cloud server security today? (Pct%)
    - Excellent: 9%
    - Good: 18%
    - Fair: 27%
    - Poor: 25%
    - No comment: 21%
    - Total: 100%

    Part 3. Demographics and organizational characteristics

    D1. What organizational level best describes your current position? (Pct%)
    - Senior Executive: 0%
    - Vice President: 2%
    - Director: 15%
    - Manager: 21%
    - Supervisor: 18%
    - Technician: 37%
    - Staff: 4%
    - Contractor: 3%
    - Other: 0%
    - Total: 100%

    D2. Check the Primary Person you or your IT security leader reports to within the organization. (Pct%)
    - Chief Information Officer: 58%
    - Chief Information Security Officer: 20%
    - Chief Risk Officer: 8%
    - Chief Financial Officer: 4%
    - Chief Security Officer: 4%
    - General Counsel: 3%
    - Compliance Officer: 3%
    - Total: 100%

    D3. Total years of relevant experience (Mean, Median)
    - Total years of IT or IT security experience: 10.19, 10.00
    - Total years in present position: 4.83, 4.50
  • 20. D4. What industry best describes your organization’s industry focus? (Pct%)
    - Financial services: 20%
    - Public sector: 12%
    - Health & pharmaceuticals: 11%
    - Industrial: 8%
    - Services: 8%
    - Retailing: 7%
    - Hospitality: 6%
    - Education & research: 5%
    - Technology & Software: 5%
    - Communications: 4%
    - Consumer products: 3%
    - Energy: 3%
    - Entertainment & media: 3%
    - Transportation: 3%
    - Defense: 2%
    - Total: 100%

    D5. Where are your employees located? (check all that apply): (Pct%)
    - United States: 100%
    - Canada: 75%
    - Europe: 68%
    - Middle East & Africa: 41%
    - Asia-Pacific: 58%
    - Latin America: 43%

    D6. What is the worldwide headcount of your organization? (Pct%)
    - < 500: 16%
    - 500 to 1,000: 19%
    - 1,001 to 5,000: 25%
    - 5,001 to 25,000: 18%
    - 25,001 to 75,000: 13%
    - 75,001 to 100,000: 4%
    - 101,000 to 150,000: 3%
    - > 150,000: 2%
    - Total: 100%
  • 21. If you have any questions about this research, please contact Ponemon Institute at research@ponemon.org, or contact us via our toll free number 1.800.887.3118.

    Ponemon Institute
    Advancing Responsible Information Management

    Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

    As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.