Who should look after cloud data – the CSP or the end user? Execs undecided


The debate over whether the end user or the cloud service provider (CSP) should be responsible for data security has been reopened after new research from Armor and Ponemon Institute proved inconclusive.

The survey, which quizzed 990 US and UK-based CIOs, CISOs and directors of IT operations, found almost a third (31%) expect their cloud provider to keep SaaS applications secure, while 20% believe the customers are more responsible and only 16% argue it is a shared responsibility.

While 15% of organisations polled believe the IT security team should be most accountable for securing SaaS applications, 60% admit IT security is rarely or never involved when it comes to evaluating cloud services.

Not surprisingly, 79% of respondents say security is important always or most of the time, while three quarters (74%) say the same of compliance. Yet only a third (33%) of respondents express confidence in meeting security objectives in the cloud.

So is this issue related to the lack of consensus over cloud security responsibility? Dr. Larry Ponemon, founder of Ponemon Institute, believes so. “The fact there’s so much confusion about how to properly secure and understand compliance mandates isn’t surprising considering most organisations today still aren’t sure who – internally – should be managing security for the cloud,” he said.

“It’s my hope that organisations will review this report and look in the mirror to see if they’re part of this group that is still allowing for so much confusion when it comes to secure cloud implementations,” he added.

The imbroglio between cloud providers and their customers has been covered in this publication before, most notably research from iland which argued vendors did not give customers as much support as possible. A quarter (26%) of respondents said the onboarding process took too long, 21% said the onboarding lacked a human aspect, while 18% had bill shock over their support costs.

Elsewhere, more than half (56%) of respondents say the ability to save money is by far the primary reason to use cloud resources.


17 Oct 2015, 7:41 p.m.

At the current rate, everyone is or will be an identity theft victim. No health care organization can stop Chinese intelligence, Russian criminals or cyberterrorists. Consequently, we must begin by asking what we really want, what we really need, instead of implementing stopgap measures that are merely illusions on top of illusions. We should focus on safeguarding everyone, since we should assume we are all identity theft victims. And if privacy and security are really our concerns, we should enforce lifetime financial and medical identity “credit” monitoring as the responsibility of those who failed to secure that identity and anyone convicted of the theft. As a corollary to the idea of universal, affordable health care, we should act with intent by automatically providing every person with the means to monitor their privacy, security, and identity, and never assume that those who can afford those services or those that are victims are the only ones worth protecting.