Did you know that 4 out of 5 companies are using cloud architectures? Did you also know that 22% of cloud hosting users believe that their cloud service provider is responsible for the security of their cloud server instances, yet 38% have a high level of concern with losing control of their servers and data in public cloud environments?
Join Andrew Hay, Chief Evangelist at CloudPassage, and Wendy Nather, Research Director at 451 Research, as they dive into these and other findings from the CloudPassage 2012 Security and the Cloud survey. Wendy Nather will also discuss cloud security related trends and observations from 451 Research's findings.
During this live 30-minute webinar, you will learn about:
-The challenges and fears identified by individuals looking to embrace cloud architectures
-Current cloud adoption trends and future individual and organizational expansion plans
-How people are securely delivering applications using cloud architectures
113 online suicide prevention: First two year results presented at the ESSSB1... (Jan Mokkenstorm)
The use of the internet is a promising approach to preventing suicide at the individual as well as the population level. However, this promise remains to be proven in trials and in practice.
The national Dutch suicide prevention platform 113Online offers a 24/7 online, anonymous mental health care programme. This includes crisis resolution, guided self-help, and online psychotherapy. The programme is provided by professionals in close cooperation with volunteers staffing the chat and telephone helplines.
In this presentation, the philosophy, structure, methods, cost, and preliminary results of the first two years of 113Online are presented.
This document discusses building companies on the cloud. It begins with introductions and definitions of cloud computing. It then discusses concerns around security and control of data in the cloud. Examples are given of data breaches from laptop losses and insider negligence. The document argues that for small and medium businesses, data may be safer and more secure in the cloud compared to on-premise systems. It outlines the economic advantages of the cloud for both technology companies and startups. Large cloud providers are able to achieve economies of scale that lower costs. The cloud represents an opportunity for innovation but also a challenge for traditional IT organizations and vendors.
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro... (Dana Gardner)
The panel discussion focused on improving global cybersecurity and mitigating risks for enterprises. Key points discussed included:
- Continuous monitoring of user behavior and access controls is essential to detect attackers who have been on networks for months undetected. Rigorous detection, containment, and response processes are needed.
- Executive support and cross-departmental incident response processes are required to quickly address security issues.
- The growth of IoT devices introduces new risks if basic security practices from IT are not applied. A new architectural approach is needed for IoT security.
- Increased public-private collaboration and information sharing is important, but the problem will not be solved by government alone. Industry can lead through sector-specific partnerships and alliances.
In this episode, Jeff Williams interviews Wayne Jackson of Sonatype. They discuss the results from The 2014 Open Source Development Survey, where 3,300 surveyed developers gave their honest opinions on everything from third-party code to internal policies and procedures. Topics included the implications on continuous application security, compliance measures, and application security automation.
Wayne Jackson's Presentation at RSA 2012 (Tim O'Brien)
This document discusses the state of application security and the need for Sonatype Insight. It notes that 80% of modern software is open source and the average organization uses over 1,000 unique components per month. When vulnerabilities are found, the fixes are not widely adopted - for example, 6,982 organizations were still using a crypto library years after a level 10 flaw was fixed. Sonatype Insight aims to address this problem by providing a central repository of component metadata and usage information to help more quickly identify and address vulnerabilities.
Lessons Learned From Heartbleed, Struts, and The Neglected 90% (Sonatype)
Watch this insightful and witty discussion between two old pals, Wendy Nather, Security Research Director at 451 Research and Josh Corman, CTO at Sonatype on the state of application security today. They share their perspectives on the changing landscape of application development and how this is impacting common application security approaches. They agree the dramatic shift from source code to component based development has created an open source security gap. With component vulnerabilities becoming national news, Heartbleed, Struts and the promise of more to come, now is the time to stop using components with known vulnerabilities.
To learn more about Heartbleed and what it means for your company please visit http://www.sonatype.com/clm/spotlight-on-heartbleed
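The two Sonatype items above make the same point: organizations keep shipping components years after a fix exists because nobody checks declared component versions against known-vulnerable ranges. The following is an added example of that check, not Sonatype Insight code or anything from the presentations. The advisory list, the Maven-style coordinates and the version ranges are constructed for illustration (hypothetical, not real CVEs); the range shape "introduced inclusive, fixed exclusive" is the common one in advisories.

```python
"""Check declared components against known-vulnerable version ranges.

Added example, not Sonatype code. Advisories and inventory below are
constructed (hypothetical coordinates); replace them with a real feed.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory list: "group:artifact" -> [(introduced, fixed, note)].
# A version is affected when introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "org.example:crypto-lib": [
        ("1.0.0", "1.4.2", "constructed: key-recovery flaw, fixed in 1.4.2"),
    ],
    "org.example:web-framework": [
        ("2.0.0", "2.3.16", "constructed: remote code execution, fixed in 2.3.16"),
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' or '2.3.15-SNAPSHOT' into a comparable tuple.

    Qualifiers after '-' or '+' are dropped; the tuple is zero-padded to at
    least four parts so that '1.4.2' and '1.4.2.0' compare equal.
    """
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(components: List[str]) -> List[Dict[str, str]]:
    """components are 'group:artifact:version' strings (Maven-style coordinates)."""
    findings: List[Dict[str, str]] = []
    for coord in components:
        group, artifact, version = coord.split(":", 2)
        for introduced, fixed, note in ADVISORIES.get(f"{group}:{artifact}", []):
            if is_affected(version, introduced, fixed):
                findings.append({"component": coord, "fixed_in": fixed, "note": note})
    return findings


# Constructed inventory for the demo (hypothetical components).
SAMPLE_INVENTORY = [
    "org.example:crypto-lib:1.2.0",               # inside the affected range
    "org.example:crypto-lib:1.4.2",               # exactly the fixed version: clean
    "org.example:web-framework:2.3.15-SNAPSHOT",  # qualifier stripped, still affected
    "org.example:web-framework:2.3.16",           # fixed
    "org.example:logging:1.0.0",                  # no advisory on file
]

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{f['component']}: upgrade to >= {f['fixed_in']} ({f['note']})")
```

The zero-padding in parse_version matters at the fixed-version boundary: without it a plain tuple comparison would treat "1.4.2" as older than "1.4.2.0" and report a patched build as vulnerable. Real advisory feeds also carry per-branch ranges (several introduced/fixed pairs per component), which the list-of-tuples shape already accommodates.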
"Wait, Wait! Don't pwn Me!" - AppSec Europe 2014 (Sonatype)
Update: You can now view a recording of the session while testing yourself against the "Expert" panel!
https://www.youtube.com/watch?v=VIS9fXZXJ44&feature=youtu.be&t=5h47m12s
"Wait, wait! Don't pwn Me!" is a live security news game show that pits three security experts (Josh Corman, Chris Eng and Matt Tesauro) against each other in a game of wits. Host Mark Miller selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.
At the AppSec USA 2013 Conference, this was a rollicking, high-spirited session exposing the prevalence of security issues highlighted in the mainstream news. It demonstrates how hard it is to keep up to date with security news, even for the experts. Audience members should come prepared, as we test their knowledge against the panel, trying to determine what is real news and what is fake.
This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.
The document summarizes the findings of a study conducted by Ponemon Institute on cloud security and firewall risks. The key findings are:
1) Most organizations' cloud servers are vulnerable, as 54% of IT personnel have little knowledge of open firewall port risks and 67% said they are vulnerable today.
2) Securing access to cloud servers and generating security reports is difficult, as 79% struggle to manage access and reporting.
3) Cloud security is widely seen as important but poorly managed currently, with only 9% rating their security as excellent and 42% unaware if their cloud was hacked due to open ports.
State of Web Application Security by Ponemon Institute (Jeremiah Grossman)
This document summarizes the findings of a study on the state of web application security. The study found that while data theft is seen as the biggest threat, organizations are not allocating sufficient resources to secure critical web applications. Specifically:
- 70% of respondents said their organizations do not allocate enough resources for web application security.
- 34% of urgent vulnerabilities are not fixed in a timely manner.
- Proactive organizations spend more than twice as much (25% vs 12%) on web application security and are more likely to use firewalls and cloud-based solutions than reactive organizations.
This document summarizes the results of a survey about application security. It finds that 51% of respondents had experienced at least one web application security incident since 2011, with 18% reporting losses of at least $500,000. While many organizations employ security measures, few take a holistic strategic approach. There is also often a disconnect between development and security teams. To improve, companies need to integrate security into development from the start and better align development and security goals.
INSZoom is an innovator in the legal technology space focused on immigration services. It provides a cloud-based case management platform that allows for mobile access to documents, automated workflows for compliance, and data integration across systems. The platform aims to improve lawyer productivity, reduce costs for clients, and help manage increasingly complex immigration regulations.
Technology innovation in legal industry by inszoom (Sneh Sharma)
The document discusses technology innovations in the legal industry. It outlines several trends and innovations including e-discovery, cloud computing, mobile apps, case management tools, security solutions, social networking, collaborative tools, e-billing, big data, virtual law firms, and outsourcing. It then highlights INSZoom.com as an innovator in the immigration space, outlining many innovations they have implemented in their case management system since 2000 to better serve their clients.
INSZoom - Technology Innovation in Legal Industry (INSZoom)
Barcamps are known for the hottest technological topics and trends. A session on “Technology Innovation in Legal Industry” by INSZoom made a major impact on the legal-tech space at the recently held Bangalore Barcamp XIII. INSZoom has revolutionized the sector with technological innovation. The industry has gone through major technological changes, from cloud solutions, security systems and case management software to mobile apps.
If you missed this productive session by Mr. Vishwas Mudagal (VP – Products & Marketing, INSZoom) and Mr. Anuj Sarin (Director – Best Practices, INSZoom) here is an opportunity to go through the law-tech presentation.
This summary cloud security survey from Intel captures key findings from 800 IT managers in the U.S., the U.K., China, and Germany that provide insight into cloud computing security concerns and how those concerns might be alleviated.
Privacy & Security: The New Drivers of Brand, Reputation and Action (Edelman)
1) Privacy and security concerns have moved from the backroom to the boardroom as data breaches make headlines worldwide.
2) A survey found that over two-thirds of global consumers feel more concerned about data security and privacy than five years ago and sense a loss of control over their personal information.
3) Financial institutions and online retailers have a notable gap between the importance consumers place on privacy/security and the level of trust in these industries to protect personal data.
This document summarizes the results of a survey of 682 IT and security practitioners in the US about challenges of managing firewall risks in the cloud. Key findings include:
- Over half of respondents rate their organization's cloud server security management as fair or poor. Many IT personnel also lack knowledge of risks of open ports.
- Manually configuring cloud server firewalls is seen as difficult and frustrating by most respondents.
- Major barriers to adopting cloud firewall management solutions are concerns about scalability, cost and availability of solutions.
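Both Ponemon/CloudPassage survey summaries on this page (the one above and the earlier one reporting that 54% of IT personnel have little knowledge of open firewall port risks) come down to the same gap: teams cannot say which cloud server ports are reachable from the whole internet. The following is an added example of the audit a practitioner would run, not CloudPassage or Ponemon material. The rule format (direction, protocol, port range, source CIDR) is a generic constructed one; map your provider's security-group or host-firewall export onto it before use. The sensitive-port table and the sample rules are likewise constructed.

```python
"""Flag firewall rules that expose sensitive ports to the whole internet.

Added example, not CloudPassage or Ponemon code. Rule format and sample
rules are constructed and provider-neutral.
"""
import ipaddress
from typing import Dict, List

# Ports that should essentially never be reachable from 0.0.0.0/0 or ::/0
# on a server. Constructed list; extend it to match your environment.
SENSITIVE_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
    1433: "mssql", 3306: "mysql", 5432: "postgres",
    6379: "redis", 27017: "mongodb", 9200: "elasticsearch", 11211: "memcached",
}


def exposed_ports(rule: Dict) -> List[int]:
    """Sensitive ports covered by the rule's port range.

    Protocol "-1"/"all", or a -1 port, means every port (the convention used
    by common cloud security-group exports). ICMP rules carry no ports.
    """
    proto = str(rule.get("protocol", "tcp"))
    if proto == "icmp":
        return []
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    if proto in ("-1", "all") or lo == -1 or hi == -1:
        lo, hi = 0, 65535
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit(rules: List[Dict]) -> List[Dict]:
    """Return one finding per ingress rule that is world-open on a sensitive port.

    A source is treated as world-open only when its prefix length is 0
    (0.0.0.0/0 or ::/0); an unparseable CIDR is reported as its own finding
    because it usually means the rule is not doing what its author thinks.
    """
    findings: List[Dict] = []
    for rule in rules:
        if rule.get("direction", "ingress") != "ingress":
            continue
        try:
            net = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            findings.append({"rule": rule["id"], "issue": "unparseable source CIDR"})
            continue
        if net.prefixlen != 0:
            continue  # restricted source; not world-open
        ports = exposed_ports(rule)
        if ports:
            findings.append({
                "rule": rule["id"],
                "issue": "world-open",
                "ports": ports,
                "services": [SENSITIVE_PORTS[p] for p in ports],
            })
    return findings


# Constructed sample rules (hypothetical identifiers, provider-neutral shape).
SAMPLE_RULES = [
    {"id": "sg-web-80",   "direction": "ingress", "protocol": "tcp", "from_port": 80,   "to_port": 80,   "source": "0.0.0.0/0"},
    {"id": "sg-ssh-any",  "direction": "ingress", "protocol": "tcp", "from_port": 22,   "to_port": 22,   "source": "0.0.0.0/0"},
    {"id": "sg-ssh-vpn",  "direction": "ingress", "protocol": "tcp", "from_port": 22,   "to_port": 22,   "source": "10.20.0.0/16"},
    {"id": "sg-all-v6",   "direction": "ingress", "protocol": "-1",  "from_port": -1,   "to_port": -1,   "source": "::/0"},
    {"id": "sg-db-range", "direction": "ingress", "protocol": "tcp", "from_port": 3000, "to_port": 6000, "source": "0.0.0.0/0"},
    {"id": "sg-egress",   "direction": "egress",  "protocol": "-1",  "from_port": -1,   "to_port": -1,   "source": "0.0.0.0/0"},
    {"id": "sg-typo",     "direction": "ingress", "protocol": "tcp", "from_port": 443,  "to_port": 443,  "source": "0.0.0.0/0/0"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f)
```

Port 80 open to the world is deliberately not a finding: the point of the check is to separate intended public services from management and data-store ports that ended up on 0.0.0.0/0. Wide port ranges (sg-db-range) are where that usually happens, and the IPv6 "any" rule shows why the audit must consider ::/0 as well as 0.0.0.0/0.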
Public Cloud is Not Always the Answer... but Sometimes it is (Axway)
IDG Event: The Future of IT | August 6, 2019 | Boston, MA
In today’s digital world, protecting unstructured data where users need on-demand access to files for sharing and collaboration is top of mind for IT and Security executives. Fifty-two percent of IT executives say their organization is concerned about storing their unstructured data in the public cloud. Why is that? Join our session and get answers to that question and get even more insight into what leading IT Leaders are thinking when it comes to balancing the needs of their users and keeping their data safe. We’ll be sharing insights and findings from research we conducted with Vanson Bourne and Ponemon Institute across 2000 IT Leaders. The research focused on security and how to protect unstructured data in a digital world where security breaches continue to happen and where privacy laws and legislation are evolving quickly, including the amendments to the Massachusetts Data Breach Notification law enacted earlier this year. Find out what is top of mind from IT leaders across Healthcare, Financial Services, Manufacturing and Government and we’ll share some insights from our customers on how they’ve handled these challenges.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
The Ponemon Institute issued a first-of-its-kind report sponsored by Netskope that identifies a “cloud multiplier effect” on the probability of a data breach. IT and security professionals believe that increasing the use of cloud services in the enterprise will increase the likelihood of a $20M data breach by as much as 3x. In these slides and the accompanying on-demand video, join Dr. Larry Ponemon and Netskope CEO Sanjay Beri for a look at the report findings and for advice on how enterprises can mitigate this multiplier and enable safe cloud usage.
1) Mobile privacy is an important issue for both consumers and businesses.
2) Many current mobile privacy policies are lacking, and consumers are increasingly concerned about privacy when using mobile apps.
3) Consumers take steps to protect their personal information with mobile apps, such as researching apps online or checking for privacy policies, but few think their app stores only offer privacy-safe apps.
This document discusses internet security and cybercrime. It begins with an introduction by Sam Lumpkin of 2AB, Inc and then covers the following topics: how different groups view security (management, users, hackers); examples of security breaches and headlines; how common unauthorized access is; what hackers can do; why companies should care about security; how to begin securing a network; implementing security through awareness, physical controls, electronic access controls, access authorization, policy, and logging; and enforcing security policies.
In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email continues to be the number one source of data loss risks in large enterprises as more than a third (35%) investigated a leak of confidential or proprietary information via email in the past 12 months. At the same time, the number of data loss events associated with social media channels continued to increase. Employee misuse of email, work-owned mobile devices, and popular social media tools including Facebook, LinkedIn, Twitter, video sharing sites, forums and blogs resulted in an increasing number of disciplinary actions—including termination—as enterprises demonstrate increasing concern about securing sensitive data.
This document summarizes a webinar about moving applications to the cloud. It discusses the results of a survey of 190 organizations regarding their cloud application adoption. The survey found that email, file sharing, CRM and accounting applications were most commonly moved to the cloud. The primary drivers for cloud adoption were improved mobility, flexibility of the modern workplace, and improved end-user efficiency. However, security concerns and outdated manual provisioning processes were still significant barriers preventing further cloud application adoption. The webinar provided recommendations for automating provisioning and implementing single sign-on to help organizations better navigate the transition to cloud applications.
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2012 (Lumension)
Review this presentation as we reveal statistics from the 2012 State of the Endpoint survey, sponsored by Lumension® and conducted by Ponemon Institute. Find out about today's growing insecurity, IT's perceived areas of greatest risk for 2012, and the disconnect between risk and planned security strategies. In addition, we will examine the evolving IT risk environment and recommendations to more effectively and cost-efficiently secure your endpoints.
* How organizations are creating a perfect storm for hackers
* The Top 3 new threats to the workplace
* Perceived risks and corresponding strategies to combat today's evolving endpoint environment
Find out how our reliance on productivity tools, combined with inadequate collaboration and resource restrictions for security, is creating a perfect storm for hackers.
Best Practices for Workload Security: Securing Servers in Modern Data Center ... (CloudPassage)
Presentation slides from Black Hat 2016. Presented by Sami Laine, Principal Technologist at CloudPassage & Aaron McKeown, Lead Security Architect of Xero.
Looking to make a huge impact? So are we. At CloudPassage, we are all about making cloud computing safer and more agile for leading global enterprises. It’s a big and important challenge. And one that requires smart, sharp, creative talent that is second to none in the industry.
More Related Content
Similar to What You Haven't Heard (Yet) About Cloud Security
The document summarizes the findings of a study conducted by Ponemon Institute on cloud security and firewall risks. The key findings are:
1) Most organizations' cloud servers are vulnerable, as 54% of IT personnel have little knowledge of open firewall port risks and 67% said they are vulnerable today.
2) Securing access to cloud servers and generating security reports is difficult, as 79% struggle to manage access and reporting.
3) Cloud security is widely seen as important but poorly managed currently, with only 9% rating their security as excellent and 42% unaware if their cloud was hacked due to open ports.
State of Web Application Security by Ponemon InstituteJeremiah Grossman
This document summarizes the findings of a study on the state of web application security. The study found that while data theft is seen as the biggest threat, organizations are not allocating sufficient resources to secure critical web applications. Specifically:
- 70% of respondents said their organizations do not allocate enough resources for web application security.
- 34% of urgent vulnerabilities are not fixed in a timely manner.
- Proactive organizations spend more than twice as much (25% vs 12%) on web application security and are more likely to use firewalls and cloud-based solutions than reactive organizations.
This document summarizes the results of a survey about application security. It finds that 51% of respondents had experienced at least one web application security incident since 2011, with 18% reporting losses of at least $500,000. While many organizations employ security measures, few take a holistic strategic approach. There is also often a disconnect between development and security teams. To improve, companies need to integrate security into development from the start and better align development and security goals.
INSZoom is an innovator in the legal technology space focused on immigration services. It provides a cloud-based case management platform that allows for mobile access to documents, automated workflows for compliance, and data integration across systems. The platform aims to improve lawyer productivity, reduce costs for clients, and help manage increasingly complex immigration regulations.
Technology innovation in legal industry by inszoom Sneh Sharma
The document discusses technology innovations in the legal industry. It outlines several trends and innovations including e-discovery, cloud computing, mobile apps, case management tools, security solutions, social networking, collaborative tools, e-billing, big data, virtual law firms, and outsourcing. It then highlights INSZoom.com as an innovator in the immigration space, outlining many innovations they have implemented in their case management system since 2000 to better serve their clients.
INSZoom - Technology Innovation in Legal Industry INSZoom
Barcamps are known for the hottest technological topics and trends. A session on “Technology Innovation in Legal Industry” by INSZoom made a major impact on the legal-tech space at the recently held Bangalore Barcamp XIII. INSZoom has revolutionized the sector with technological innovation. The industry has advanced to major technological changes – from cloud solutions, security systems, case management software to mobile apps.
If you missed this productive session by Mr. Vishwas Mudagal (VP – Products & Marketing, INSZoom) and Mr. Anuj Sarin (Director – Best Practices, INSZoom) here is an opportunity to go through the law-tech presentation.
This summary cloud security survey from Intel captures key findings from 800 IT managers in the U.S., the U.K., China, and Germany that provide insight into cloud computing security concerns and how those concerns might be alleviated.
Privacy & Security: The New Drivers of Brand, Reputation and ActionEdelman
1) Privacy and security concerns have moved from the backroom to the boardroom as data breaches make headlines worldwide.
2) A survey found that over two-thirds of global consumers feel more concerned about data security and privacy than five years ago and sense a loss of control over their personal information.
3) Financial institutions and online retailers have a notable gap between the importance consumers place on privacy/security and the level of trust in these industries to protect personal data.
This document summarizes the results of a survey of 682 IT and security practitioners in the US about challenges of managing firewall risks in the cloud. Key findings include:
- Over half of respondents rate their organization's cloud server security management as fair or poor. Many IT personnel also lack knowledge of risks of open ports.
- Manually configuring cloud server firewalls is seen as difficult and frustrating by most respondents.
- Major barriers to adopting cloud firewall management solutions are concerns about scalability, cost and availability of solutions.
Public Cloud is Not Always the Answer... but Sometimes it isAxway
IDG Event: The Future of IT | August 6, 2019 | Boston, MA
In today’s digital world, protecting unstructured data where users need on-demand access to files for sharing and collaboration is top of mind for IT and Security executives. Fifty-two percent of IT executives say their organization is concerned about storing their unstructured data in the public cloud. Why is that? Join our session and get answers to that question and get even more insight into what leading IT Leaders are thinking when it comes to balancing the needs of their users and keeping their data safe. We’ll be sharing insights and findings from research we conducted with Vanson Bourne and Ponemon Institute across 2000 IT Leaders. The research focused on security and how to protect unstructured data in a digital world where security breaches continue to happen and where privacy laws and legislation are evolving quickly, including the amendments to the Massachusetts Data Breach Notification law enacted earlier this year. Find out what is top of mind from IT leaders across Healthcare, Financial Services, Manufacturing and Government and we’ll share some insights from our customers on how they’ve handled these challenges.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
The Ponemon Institute issued a first-of-its-kind report sponsored by Netskope that identifies a “cloud multiplier effect” on the probability of a data breach. IT and security professionals believe that increasing the use of cloud services in the enterprise will increase the likelihood of a $20M data breach by as much as 3x. In these slides and the accompanying on-demand video, Dr. Larry Ponemon and Netskope CEO Sanjay Beri for a look at the report findings and for advice on how enterprises can mitigate this multiplier and enable safe cloud usage.
1) Mobile privacy is an important issue for both consumers and businesses.
2) Many current mobile privacy policies are lacking, and consumers are increasingly concerned about privacy when using mobile apps.
3) Consumers take steps to protect their personal information with mobile apps, such as researching apps online or checking for privacy policies, but few think their app stores only offer privacy-safe apps.
This document discusses internet security and cybercrime. It begins with an introduction by Sam Lumpkin of 2AB, Inc and then covers the following topics: how different groups view security (management, users, hackers); examples of security breaches and headlines; how common unauthorized access is; what hackers can do; why companies should care about security; how to begin securing a network; implementing security through awareness, physical controls, electronic access controls, access authorization, policy, and logging; and enforcing security policies.
In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email continues to be the number one source of data loss risks in large enterprises as more than a third (35%) investigated a leak of confidential or proprietary information via email in the past 12 months. At the same time, the number of data loss events associated with social media channels continued to increase. Employee misuse of email, work-owned mobile devices, and popular social media tools including Facebook, LinkedIn, Twitter, video sharing sites, forums and blogs resulted in an increasing number of disciplinary actions—including termination—as enterprises demonstrate increasing concern about securing sensitive data.
This document summarizes a webinar about moving applications to the cloud. It discusses the results of a survey of 190 organizations regarding their cloud application adoption. The survey found that email, file sharing, CRM and accounting applications were most commonly moved to the cloud. The primary drivers for cloud adoption were improved mobility, flexibility of the modern workplace, and improved end-user efficiency. However, security concerns and outdated manual provisioning processes were still significant barriers preventing further cloud application adoption. The webinar provided recommendations for automating provisioning and implementing single sign-on to help organizations better navigate the transition to cloud applications.
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2012 (Lumension)
Review this presentation as we reveal statistics from the 2012 State of the Endpoint survey, sponsored by Lumension® and conducted by Ponemon Institute. Find out about today's growing insecurity, IT's perceived areas of greatest risk for 2012, and the disconnect between risk and planned security strategies. In addition, we will examine the evolving IT risk environment and recommendations to more effectively and cost-efficiently secure your endpoints.
* How organizations are creating a perfect storm for hackers
* The Top 3 new threats to the workplace
* Perceived risks and corresponding strategies to combat today's evolving endpoint environment
Find out how our reliance on productivity tools, combined with inadequate collaboration and resource restrictions for security, is creating a perfect storm for hackers.
Similar to What You Haven't Heard (Yet) About Cloud Security
Best Practices for Workload Security: Securing Servers in Modern Data Center ... (CloudPassage)
Presentation slides from Black Hat 2016. Presented by Sami Laine, Principal Technologist at CloudPassage & Aaron McKeown, Lead Security Architect of Xero.
Looking to make a huge impact? So are we. At CloudPassage, we are all about making cloud computing safer and more agile for leading global enterprises. It’s a big and important challenge. And one that requires smart, sharp, creative talent that is second to none in the industry.
Transforming the CSO Role to Business Enabler (CloudPassage)
The world is not only getting smaller, it’s getting faster. Today’s CEOs are focused on business agility, innovation and competitive advantage to drive growth and profit. And cloud computing is taking center stage as the disruptive force powering faster, more agile business innovation. But threats to the business are growing, often putting the CSO in the uncomfortable position of saying “no," or of — wisely — slowing down new initiatives to make sure they are handled carefully. So how does the CSO transform into an enabler of business growth and innovation while simultaneously protecting the business? CloudPassage CTO Amrit Williams discusses the case for this transformation, why cloud computing can be your friend, five actionable steps CSOs can adopt to become business enablers, and how the right cloud security platform can help.
Rethinking Security: The Cloud Infrastructure Effect (CloudPassage)
Software-Defined Security Bestows Simplicity, by Carson Sweet, CEO & Co-founder, CloudPassage
Once an over-hyped buzzword, software-defined security is now a high-value strategy seeing adoption by large enterprises across industries. Hear real implementations of solutions spanning multiple private, public and hybrid infrastructures.
Businesses who want to stay ahead of the curve and achieve maximum efficiency and consistency are adopting cloud infrastructure. Keeping up with dynamic cloud environments, achieving scalable, automated, flexible, and secure cloud infrastructures means increased business agility. But how can you manage security as you migrate to cloud infrastructures?
Join Rishi Vaish, VP of Product at RightScale & Amrit Williams, CTO at CloudPassage as they discuss:
Recent findings from RightScale's State of the Cloud survey
Why hybrid cloud is the standard of choice
3 strategies for existing cloud server workloads
Benefits and security challenges of migrating to cloud infrastructures
Choosing a hybrid strategy - management and security practices to get the utmost resource flexibility
Security and Compliance for Enterprise Cloud Infrastructure (CloudPassage)
This document discusses security challenges for enterprise cloud infrastructure and different approaches to addressing them. It summarizes common cloud use cases like ITaaS, development/testing in public clouds, and big data analytics. It then outlines challenges like virtualized networks and lack of hardware controls. Next-generation approaches like virtual appliances, in-hypervisor controls, and workload-based security are presented along with pros and cons. The document focuses on CloudPassage's workload-based security agent Halo, which provides automated security and compliance controls that scale across cloud environments.
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
Technologies You Need to Safely Use the Cloud (CloudPassage)
There are three main types of cloud services discussed in the document:
1) Infrastructure as a Service (IaaS) requires technologies to verify workload integrity, alert to unauthorized changes, and track incidents as the provider cannot do this. Point solutions and broader providers offer these controls.
2) Software as a Service (SaaS) presents risks if providers mishandle sensitive data or have authentication/application weaknesses exploited. Users should control access and encrypt data.
3) Governance is needed to track cloud service use, as without it companies lack visibility into how data is used and exposed. Technologies help monitor usage and set policies to mitigate risks and protect data.
Cloud Security: Make Your CISO Successful (CloudPassage)
Enterprises today cannot get by without a clear strategy for cloud security. Whether the organization’s adoption of cloud environments (private, public or hybrid) is mandated by business strategy or by unsanctioned employee use, CISOs and their security teams need to be prepared for this inevitable infrastructure shift.
Attend and learn how to build a cloud security strategy that makes your CISO successful. Join Rich Mogull, lead analyst at Securosis, and Nick Piagentini, Solution Architect at CloudPassage as they discuss the following topics:
-Cloud is Different, But Not the Way You Think
-Adapting Security for Cloud Computing Principles
-Getting Started: Practical Applications
-CISO Cloud Security Checklist
Secure Cloud Development Resources with DevOps (CloudPassage)
Adoption of cloud resources by development teams has created a security problem. The self-service and on-demand nature of the cloud increases the company attack surface in unknown ways. How can security operations teams ensure the DevOps teams maintain their needed agility while also being compliant to company security requirements?
Presented by Andrew Storms and Eric Hoffman at RSAC 2014
45 Minutes to PCI Compliance in the Cloud (CloudPassage)
Join CloudPassage CEO, Carson Sweet and Sumo Logic Founding VP of Product & Strategy, Bruno Kurtic, for a webinar on “45 minutes to PCI Compliance in the Cloud”.
What You Will Learn:
-Understand the typical challenges faced by enterprises for achieving PCI on cloud infrastructure
-Learn how purpose-built SaaS-based cloud security solutions can save you tens of thousands in audit costs by speeding your time to compliance
-Get a quick demo of the CloudPassage Halo and Sumo Logic solutions that provide the telemetry and query/reporting engines respectively for cloud PCI
Comprehensive Cloud Security Requires an Automated Approach (CloudPassage)
Andras Cser, VP Principal Analyst at Forrester Research and Carson Sweet, CEO at CloudPassage discussed a new enterprise security architecture that will:
-Apply elastic compute power, big data, and massively horizontal distribution of security controls and telemetry.
-Automate security and compliance monitoring in a scalable and portable manner across both traditional datacenter and cloud environments.
-Address both data at rest and in motion and create minimal resource impact across environments.
Security that works with, not against, your SaaS business (CloudPassage)
The document discusses security challenges for software-as-a-service (SaaS) businesses and how CloudPassage's Halo platform addresses them. Cloud-based development complicates traditional security approaches. Halo automates security controls across cloud infrastructures to enhance visibility, simplify compliance, and support agile development without slowing it down. Case studies show how Halo has helped large companies secure their transition to SaaS-based models and secure acquisitions built in public clouds.
This document discusses integrating security into DevOps practices. It notes that while DevOps embraces cloud automation and agility, security can slow things down. Traditional security approaches are ill-suited for cloud environments. The document introduces CloudPassage Halo as a security-as-a-service platform that provides automated security controls like firewall management, intrusion detection and vulnerability scanning across cloud infrastructure in a self-service manner. It also describes the CloudPassage Halo architecture and demonstrates some of its features. Finally, it promotes the CloudPassage Halo API toolbox and offers six months of free developer access to the platform.
What You Need To Know About The New PCI Cloud Guidelines (CloudPassage)
This document discusses key considerations for achieving PCI DSS compliance in public cloud environments. It outlines the scope of responsibility between cloud service providers (CSPs) and their customers, providing an example breakdown. It also provides a basic checklist for PCI compliance in the cloud and suggestions for limiting the scope of PCI controls. Incident response procedures and securing data throughout its lifecycle in the cloud are also addressed.
Meeting PCI DSS Requirements with AWS and CloudPassage (CloudPassage)
The document discusses a presentation about meeting PCI DSS requirements using AWS and CloudPassage security tools. It covers what PCI DSS requires, the shared security responsibility model in AWS, CloudPassage Halo security automation capabilities, and a customer case study. CloudPassage Halo provides security controls like firewall management, vulnerability scanning, and compliance monitoring across AWS environments.
Delivering Secure OpenStack IaaS for SaaS Products (CloudPassage)
This document is a presentation by Andrew Hay, Chief Evangelist at CloudPassage, about delivering secure OpenStack IaaS for SaaS products. The presentation discusses OpenStack security concepts like Quantum, Keystone, and Nova. It emphasizes the importance of securing OpenStack images by disabling unnecessary services, removing unneeded packages, and restricting access. The presentation recommends using tools designed for cloud environments to provide continuous security monitoring and compliance for public, private, and hybrid clouds.
The document provides an overview of CloudPassage and its Halo security product. Halo is a SaaS-delivered security and compliance automation solution for public, private, and hybrid cloud servers. It offers capabilities like dynamic cloud firewall automation, system integrity monitoring, and server vulnerability scanning to help customers securely adopt cloud technologies and comply with industry standards. CloudPassage aims to simplify cloud security by putting highly automated controls directly on customers' cloud servers.
Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.
In this presentation, we will discuss:
- How compliance is affected by using private, hybrid, and public cloud environments
- What to consider when researching providers who offer "PCI-compliant" clouds
- Recommendations for improving compliance and security posture in the cloud
This document provides an overview of a CloudPassage Halo installfest event. It discusses security issues with infrastructure as a service (IaaS) cloud computing models including lack of firewall control, vulnerability management challenges, and difficulty detecting intrusions. It introduces CloudPassage Halo as a host-based security solution that can address these issues by providing firewall rules, vulnerability scanning, configuration monitoring, and event detection across virtual machines. The installfest will guide participants on installing and using CloudPassage Halo to gain security visibility and control over their cloud infrastructure.
1. #CloudSec13
What You Haven't Heard (Yet) About Cloud Security
Andrew Hay, Chief Evangelist, CloudPassage, Inc.
Wendy Nather, Research Director, Enterprise Security, 451 Research
2. Session Agenda
• Cloud security trends and observations from 451 Research
• Current cloud adoption trends and future individual and organizational expansion
• How people are securely delivering applications using cloud architectures
3. Trends in Cloud Security
Wendy Nather, Research Director, Enterprise Security
4. Cloud forecast: Relatively sanguine
Large numbers of enterprises using some form of cloud services
Most say they’re concerned about security
And yet …
Most don’t plan to use security!
5. Security Requirements for Cloud
What security-related requirements did you or will you require of your cloud computing? Please include certifications, qualifications, frameworks, and functionality in your response.*
None 38%
Informal Due Diligence 25%
Datacenter Certification 13%
SSAE 16 6%
PCI 6%
Formal Risk Assessment 6%
CSA 6%
Contractual Security Requirements 6%
Agreement to SLAs 6%
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com
n=16. *Note that due to multiple responses per interview, totals may exceed 100%.
6. Application Hosting ‘in the Cloud’: Finance and HR Systems
How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
Finance Systems (left chart, n=14): Extremely Concerned 50%; Very Concerned 21%; Somewhat Concerned (no figure shown); Minimally Concerned 29%; Not at All Concerned (no figure shown)
HR Systems (right chart, n=13): Extremely Concerned 46%; Very Concerned 31%; Somewhat Concerned 8%; Minimally Concerned 15%; Not at All Concerned (no figure shown)
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com. Information Security Wave 15.
7. Application Hosting ‘in the Cloud’: ERP Solutions and Email
How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
ERP Solutions (left chart, n=11): Extremely Concerned 36%; Very Concerned 36%; Somewhat Concerned 9%; Minimally Concerned 9%; Not at All Concerned 9%
Email (right chart, n=13): Extremely Concerned 23%; Very Concerned 31%; Somewhat Concerned 23%; Minimally Concerned 8%; Not at All Concerned 15%
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com. Information Security Wave 15.
8. Application Hosting ‘in the Cloud’: Database/Data warehouses
How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
Database/Data warehouses (n=13): Extremely Concerned 23%; Very Concerned 46%; Somewhat Concerned 8%; Minimally Concerned 8%; Not at All Concerned 15%
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com. Information Security Wave 15.
9. Types of Cloud-based Security Services: Part 1
Including those delivered by MSSPs, what types of cloud-based security services are you using today?
Chart titles: Content Filtering, Secure Email, or Anti-virus/Anti-Spam; Intrusion Detection/Prevention, Firewalls, VPNs Based on SSL, or Wireless Security
Left chart (n=14): Using 14%; In Plans for Next 18 Months 7%; Not in Plan 79%
Right chart (n=14): Using 7%; In Plans for Next 18 Months 29%; Not in Plan 64%
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com. Information Security Wave 15.
10. Types of Cloud-based Security Services: Part 2
Including those delivered by MSSPs, what types of cloud-based security services are you using today?
Security Information Event Log Management (SIEM), or Vulnerability/Risk Management (n=14): In Plans for Next 18 Months 7%; Not in Plan 93%
Source: TheInfoPro, a service of 451 Research, Daniel Kennedy, dkennedy@theinfopro.com. Information Security Wave 15.
11. Who, what and why …
More organizations are moving to cloud
- Well-defined, granular business operations that go well with SaaS
  - CRMs (hello Salesforce!)
  - Email
  - Office-like applications
  - Human resources
  - Payroll
- Disposable, clonable uses
  - Development and testing
  - Honeypots and honeyclients
  - Data processing and analysis
12. What’s going to be slower
Legacy stacks
Distributed systems with multiple owners
Governance issues
Getting the right level of multi-tenancy
Version drift and overall inertia
http://www.shaldon-devon.co.uk
13. What’s more likely
More aging-out of legacy systems and greenfield migration to new
ones (particularly pre-packaged IaaS, PaaS and SaaS)
Changing business processes to fit into cloud (hello Procrustes!)
Why?
Because the cloud has more economies of scale and better security
when there are fewer options.
14. How to mitigate the risk
Risk from dynamic environment: Well-documented, secure VM lifecycle
Risk from larger scale: Build fail-safes into your fail-safes
Dormant VM risk: Authentication, encryption
Shared risk: Well-documented processes, contracts
Unknown risk: Visibility (real-time & historical)
16. The Security and the Cloud 2012 Survey
• Started on August 10th, 2012
• Questions about current cloud usage, future deployment plans, and security and compliance related concerns
• Asked to identify the types of cloud, virtual, and physical compute architectures currently in use
17. Total Number of Servers
Number of servers in organization
“More than half (55.3%) of respondents own and operate between 101 and 5,000 servers – a range often representing the typical enterprise organization server deployment spread.” – Andrew Hay, CloudPassage, Inc.
18. Cloud Adoption Breakdown
Breakdown of cloud hosting environments being used
“The majority of respondents claim that they only have between 1 and 25 percent of their servers in public cloud architectures – a modest 10.1% increase compared to public cloud architecture deployment for the same range.” – Andrew Hay, CloudPassage, Inc.
Which cloud environment did you use first?
“The majority of respondents (52.2%) claimed that private cloud was their first cloud architecture while only 28.9% claimed public cloud.” – Andrew Hay, CloudPassage, Inc.
21. How Public Cloud Servers Are Used
How do you use your public cloud servers today?
“The top 3 public cloud use cases, based on responses, appear to be the deploying of external applications (25.9%), the deploying of internal applications (22.4%), internal development and testing (20.9%).” – Andrew Hay, CloudPassage, Inc.
22. Single Biggest Cloud Use Case
“If we were to remove the ‘we do not host applications in public cloud environments’ answers, in addition to ‘other’, the data points to 41% of respondents claiming that the deploying of external applications is their single biggest concern.” – Andrew Hay, CloudPassage, Inc.
23. How Public Cloud Servers Will Be Used
How will you use your public cloud servers in 2013?
“The only category due to decrease over the next year is the ‘we do not host applications in public cloud environments’ answer.” – Andrew Hay, CloudPassage, Inc.
24. Who Oversees Cloud Security?
Who oversees cloud security in your organization?
“The majority of respondents (25.9%) claimed that central systems administrators, infrastructure or DevOps professionals oversaw cloud security within their organization.” – Andrew Hay, CloudPassage, Inc.
25. Cloud Security Concerns in 2012
Concerns about public cloud hosting
26. Cloud Security Concerns
Single Greatest Cloud Security Concern
Concern change, 2011 to 2012
“In 2011 we saw 16.4% state they had no concerns but in 2012 the percentage of respondents that selected this answer was a mere 7%. We attribute this to a combination of education about security challenges in cloud environments and an increase in the number of high profile breaches since our 2011 survey.” – Andrew Hay, CloudPassage, Inc.
27. Best ‘Other’ Comment
Q: What is your absolute greatest security concern about the public Cloud?
A: Clouds are for angles
“One respondent claimed that they didn’t use a cloud as ‘clouds are for angles’ – which we believe was either a typo or some sort of existential geometry argument that we simply don’t understand.” – Andrew Hay, CloudPassage, Inc.
28. The Survey: Key Findings
– 4 out of 5 respondents stated that their companies are actively using cloud architectures
– Concerns about multi-tenancy, the lack of perimeter defenses and/or network controls, and provider access to guest servers show significant decrease since our 2011 survey
29. The Survey: Key Findings
– Business critical applications are now running in the public cloud with publicly facing applications leading amongst all other use cases
– The biggest growth area for 2013 appears to be in the utilization of public cloud for variable workload bursts with a projected 70% increase in deployment
30. The Survey: Key Findings
– Concerns for compliance with PCI and other standards in public cloud remain high
– Users are becoming smarter about security in cloud environments with nearly 80% stating that they are aware that the security of their servers is not the sole responsibility of their cloud service providers
31. The Survey: Findings
Examine The Findings For Yourself
cloudpassage.com/resource-center/get/security-and-the-cloud-2012
32. Questions?
Wendy Nather, Research Director at 451 Research, @451wendy
Andrew Hay, Chief Evangelist at CloudPassage, @andrewsmhay
The majority of respondents (90.1%) were from the United States but 20 individuals responded from other countries – including Canada, Ireland, India, Korea, Japan, Switzerland, South Africa, Mexico, Italy, and the United Kingdom. The respondents also represented 49 distinct industry verticals including financial services, software, manufacturing, business services, education, and others.
We asked respondents to indicate the total number of servers that their organizations operated including, but not limited to, virtual servers, traditional hardware servers and cloud servers. The two largest server ranges on the survey, as shown in Table 2, appeared to be the 101-500 range, with 53 respondents and 26.4% of the vote, and the 501-5,000 range, with 58 respondents and 28.9% of the vote. This means that more than half (55.3%) of respondents own and operate between 101 and 5,000 servers – a range often representing the typical enterprise organization server deployment spread.
We asked individuals what type of cloud hosting environment their company used to help understand how, exactly, cloud was being adopted. We avoided forcing respondents to specify exactly what virtualization hypervisor platforms were being used to run their clouds, such as VMWare, Citrix, OpenStack, CloudStack, and others, as we expected such a wide variety of responses – including quite a few where the respondent had no knowledge of the architecture being employed. In an effort to determine our respondents’ first foray into cloud computing we posed the question “Which cloud environment did you use first?”. Not surprisingly, the majority of respondents (52.2%) claimed that private cloud was their first cloud architecture while only 28.9% claimed public cloud. A small number (18.9%) claimed that they had no knowledge of which cloud environment was first used. The breakdown of cloud environment use can be seen in the bottom table. The results are not all that surprising. Very few organizations are going to make the jump from traditional on-premises physical server deployments, in which they have complete control, to shared public cloud environments where they control but a piece of the architecture’s security. It’s likely the same apprehension that homeowners feel when choosing to move from a house to an apartment complex.
Not surprisingly, private cloud usage tipped the scales with 73 respondents answering that they used private clouds within their company. Though private cloud leads the pack with 36.3% of respondents, we can’t help but wonder if people employing traditional on-premises virtualized infrastructures, such as VMWare ESX, Citrix, and others, also answered ‘private cloud’ as it most closely aligns with how their virtualized compute environment is used.
The majority of respondents (87) claim that they only have between 1 and 25 percent of their servers in public cloud architectures – a modest 10.1% increase compared to public cloud architecture deployment for the same range. 22 respondents, compared to only 5 in the public range, claim to be using private cloud for between 26 and 50 percent of the servers in their environment. Virtualized and Data Center server deployment ranges are fairly similar. 35 respondents claimed that they had between 1 and 25 percent of their servers in virtualized architectures compared to 54 with between 1 and 25 percent in data center architectures. 76 respondents claimed between 26 and 50 percent of their servers in virtualized architectures compared to 74 in the same range for data center architectures. Only 57 respondents claimed that more than 50 percent of their servers resided in virtualized architectures. 45 respondents claimed that more than 50 percent of their servers resided in data center architectures.
One of the most ambitious questions we posed in this year’s survey was aimed at determining how respondents were using the public cloud. The top 3 public cloud use cases, based on responses, appear to be the deploying of external applications (25.9%), the deploying of internal applications (22.4%), internal development and testing (20.9%). We also expected temporary workload, but not necessarily big data, to be higher. Various companies are using public cloud for temporary workload activities. The reason we say ‘not necessarily big data’ is because organizations that perform big data analytics continue to rely on internal compute grids for processing or, at best, private clouds under their complete control. These organizations have only begun to look to public cloud to help with genome sequencing, bioinformatics, molecular and financial modeling, and new drug discovery, in an elastic and temporary fashion. One last point on this slide: if we were to remove the ‘we do not host applications in public cloud environments’ answer from the total, we see that roughly 80% of respondents are using mission critical applications in the public cloud today.
If we were to remove the ‘we do not host applications in public cloud environments’ answers, in addition to ‘other’, the data points to 41% of respondents claiming that the deploying of external applications is their single biggest concern.
What applications do you plan to run in public cloud hosting environments one year from now? Based on the data it appears as though temporary workload / big data deployment by respondents is poised to increase by 70.4% next year. The next biggest jump is for media (30.6%) followed by internal development and testing (28.6%). According to an EMC-sponsored study of 151 IT managers published in June 2012, one third said they plan to move some mission-critical applications to the cloud in the next year. Within two years, the IT managers said they will migrate 26 percent of their mission-critical applications to the cloud, and in five years, 44 percent of their mission-critical apps will be in the cloud.
Cloud security is a top-down approach in some organizations and 23.4% of respondents stated that their senior technology leadership (CIO/CTO) was responsible for security. Only 14.4% claimed, however, that organizational cloud security was the purview of its senior security leadership team (CSO/CISO). The majority of respondents (25.9%) claimed that central systems administrators, infrastructure or DevOps professionals oversaw cloud security within their organization. Another way to think about it is that more than 65% of responsibility for cloud security is centralized, and only a small amount within the BU itself.
They say that every cloud has a silver lining. Unfortunately, in the world of cloud computing, this isn’t always the case. To better understand the concerns of respondents we asked several questions around their spectrum of concerns, their single biggest concern, and a question designed to measure knowledge about the separation of security responsibility in cloud architectures. We asked respondents to rate their level of concern about public cloud issues using LOW, MEDIUM, or HIGH rankings. The concerns that were considered HIGH were security and compliance. 69.2% of respondents felt that security ranked as a HIGH concern – the highest total number of responses we saw. Only 8.0% of respondents felt security concerns warranted a LOW rating. Compliance concerns, on the other hand, had respondents worried. 45.3% of respondents cited compliance as being a HIGH concern and 35.3% stated that it was a MEDIUM concern. Less than a quarter (19.4%) of respondents believed compliance was only a LOW concern – perhaps because their organizations were not bound by regulatory mandates or compliance initiatives.
An interesting drop from 2011 to 2012 was how respondents selected the ‘we have no security concerns’ answer. In 2011 we saw 16.4% state they had no concerns but in 2012 the percentage of respondents that selected this answer was a mere 7.0%. We attribute this to a combination of education about security challenges in cloud environments and an increase in the number of high profile breaches since our 2011 survey. My takeaway is that concerns over innate elements of cloud (that can’t be changed) dropped a lot (multi-tenancy, lack of perimeter, provider access), but PCI and “Tools don’t work” stayed relatively high.
The ‘Other’ option resulted in some interesting comments. One respondent stated that they were concerned with the general lack of adequate security, accountability, and survivability of data under others’ control. Another respondent claimed that cloud accounts could get easily compromised and servers can just as easily be taken down. An interesting response was with regards to FDA validation and controlled environment compliance – a response that we would have expected to fall under the blanket ‘Achieving compliance with PCI or other standards’ response. The winner, however…well one respondent claimed that they didn’t use a cloud as “clouds are for angles” – which we believe was either a typo or some sort of existential geometry argument that we simply don’t understand.
The Survey: Findings
The fact that 78.1% of respondents are aware that there is a separation in responsibility between cloud service provider architecture and organizational servers, application and data, shows that education about cloud is increasing.