achieving data privacy in the cloud - news.microsoft.com · achieving data privacy in the cloud...
TRANSCRIPT
Achieving Data Privacy in the CloudSTUDY OF INFORMATION TECHNOLOGY PRIVACY AND COMPLIANCE OF SMALL TO MEDIUM-SIZED ORGANIZATIONS IN THE UNITED STATES
SPONSORED BY MICROSOFTIndependently Conducted by Ponemon Institute LLCJune 2012Ponemon Institute© Research Report
1
Achieving Data Privacy in the Cloud: United StatesContents
Executive Summary 2
Key Findings 3
Perceptions about privacy, data protection, and the use of cloud resources 3
Cloud computing is considered an important part of IT operations 3
Organizational commitment to privacy and data protection in the cloud 3
The state of cloud computing in organizations 4
Impact of sufficiency of privacy practices on selection of cloud providers 4
Cloud computing is now an integral part of IT 5
Although cloud computing is increasing rapidly, it does not seem to affect organizational privacy commitments 6
Organizations rely on cloud provider contracts and self-assessments in the vetting process 7
Certain assurances from cloud vendors influence organizational decisions to purchase services 8
Understand the types of confidential information that are too risky to be used or stored in the cloud 9
Country differences in cloud privacy 10
Confidence about data privacy in the cloud 10
The impact of cloud service privacy practices on purchase decisions 11
Conclusion 12
Method 13
Survey Limitations 14
2
With organizations increasingly moving to the cloud, it is becoming more important to ensure that privacy commitments and obligations are met.
The Ponemon Institute surveyed 1,771 individuals in positions within IT, compliance, data security, risk management, and privacy in the United States, Germany, and the Nordic countries (Denmark, Finland, Norway, and Sweden), and created three separate reports.
This report focuses on the United States, where Ponemon surveyed 769 individuals who had, on average, about 11 years of business experience. Almost half (48 percent) reported to the Chief Information Officer, while 10 percent reported to the Chief Information Security Officer.
In the following sections, you’ll find an analysis of the most salient findings of this research, as well as recommendations to help organizations better protect data and privacy in the cloud. The complete findings of this research are presented in the appendix to this report.
Executive Summary
The goal of the study was to better understand how business decision- maker in small and medium-sized organizations think about privacy as they adopt cloud computing. Specifically, the Ponemon Institute wanted to identify privacy concerns related to cloud computing and how cloud providers can ameliorate them.
According to 73 percent of survey respondents, their organizations are
TOPICS ADDRESSED IN THIS STUDY> PERCEPTIONS ABOUT PRIVACY, DATA PROTECTION, AND THE USE OF CLOUD RESOURCES> THE STATE OF CLOUD COMPUTING IN SMALL AND MEDIUM-SIZED ORGANIZATIONS> COUNTRY DIFFERENCES IN ATTITUDES ABOUT CLOUD PRIVACY
moderate or heavy users of cloud computing resources and are concerned about how they will manage data privacy.
The research also found that the privacy reputation and practices of cloud computing providers figure prominently in cloud computing purchase decisions. Fifty-nine percent of respondents stated that privacy practices influenced their choice of cloud service providers. Cloud
provider privacy practices cited as particularly important:
≈ Disclosure of physical location of data (62 percent of respondents)
≈ Stringent processes to separate customer data (54 percent)
≈ Agreement not to mine customer data for advertising (44 percent)
3
Key FindingsPerceptions about privacy, data protection, and the use of cloud resources
Cloud computing is considered an important part of IT operations
Of the organizations in this study, 73 percent make either heavy or moderate use of cloud computing. Only 17 percent of the respondents say their use is light. The majority (69 percent) use public cloud services, though there is also some use of private cloud services (12 percent).
Organizational commitment to privacy and data protection in the cloud
While 60 percent of respondents say their organizations are committed to protecting confidential or sensitive information, many indicate their organizations do not take steps to meet those commitments. Specifically, only 38 percent say their organization determines what personal information is too sensitive for the cloud environment, and just 39 percent say their organization assesses the impact that the use of cloud computing has on their privacy commitments and obligations.
FIGURE 1 ACTIONS THAT ARE PRACTICED TO PROTECT DATA AND PRIVACY IN THE CLOUD
DETERMINE WHAT PERSONAL DATA IS TOO SENSITIVE FOR THE CLOUD ENVIRONMENT
RESPECT THE PRIVACY RIGHTS OF CUSTOMERS, EMPLOYEES, CONSUMERS, AND OTHER STAKEHOLDERS
ESTABLISH CLEARLY DEFINED ACCOUNTABILITY FOR SAFEGUARDING CONFIDENTIAL OR SENSITIVE INFORMATION
ASSESS THE IMPACT THAT THE USE OF CLOUD COMPUTING HAS ON THEIR PRIVACY COMMITMENTS AND OBLIGATIONS
PROACTIVE COMPLIANCE MANAGEMENT WITH PRIVACY AND DATA PROTECTION LAWS, REGULATIONS, AND OTHER REQUIREMENTS
VIGILANT IN ASSESSING THE INHERENT RISKS WHEN USING OR STORING PERSONAL DATA IN THE CLOUD
EXTREMELY CAREFUL ABOUT SHARING CONFIDENTIAL OR SENSITIVE INFORMATION WITH THIRD PARTIES
38%
41%
46%
39%
45%
42%
50%
4
Impact of sufficiency of privacy practices on selection of cloud providers
As shown in Figure 2, 59 percent of respondents say their organizations consider the level of commitment a cloud provider has for protecting the privacy of data in the cloud when making a purchase decision.
SOME TO VERY SIGNIFICANT
IMPACTUNSURE
NO IMPACT
3%59%
FIGURE 2 IMPACT OF CLOUD PROVIDER’S PRIVACY POLICIES AND PRACTICES ON CLOUD PURCHASING DECISIONS
FIGURE 3 IMPORTANT ISSUES THAT ILLUSTRATE CLOUD PROVIDERS’ COMMITMENT TO PRIVACY”VERY IMPORTANT” AND “IMPORTANT” RESPONSES COMBINED
38%
Figure 3 shows the policies and practices that respondents cited as “important” or “very important” when evaluating a cloud provider’s commitment to privacy. Specifically, 44 percent want an agreement that the cloud provider will not mine customer data for advertising, 54 percent want strict processes to separate customer data, and 62 percent of respondents want disclosure of the physical location of their data.
THE CLOUD PROVIDER DISCLOSES THE PHYSICAL LOCATION OF DATA STORAGE
THE CLOUD PROVIDER AGREES NOT TO MINE CUSTOMER DATA
THE CLOUD PROVIDER HAS PROCESSES IN PLACE TO ENSURE THAT CUSTOMER DATA IS
SEPARATE FROM THAT OF OTHER CUSTOMERS
62%54%
44%
Key FindingsThe state of cloud computing in organizations
5
FIGURE 4 IMPORTANCE OF CLOUD COMPUTING IN MEETING INFORMATION TECHNOLOGY AND DATA PROCESSING GOALS
11%26%28% 25%
10%15%30%36%
13%6%
TODAY 24 MONTHS FROM NOW
ESSENTIAL VERY IMPORTANT IMPORTANT NOT IMPORTANT IRRELEVANT
Cloud computing is now an integral part of IT
Figure 4 reveals that 65 percent of respondents say that the use of cloud computing applications or services is essential or important to meeting their organization’s IT and data processing objectives. This percentage is expected to increase to 81 percent in two years.
As shown in Figure 5, the top three applications used in organizations are business applications such as CRM and web mail, infrastructure applications like online backup security, and social media applications.
FIGURE 5 CLOUD COMPUTING APPLICATIONS CURRENTLY IN USEMORE THAN ONE CHOICE PERMITTED
BUSINESS APPLICATIONS
STORAGE SERVICES SOLUTION STACKS OTHER
INFRASTRUCTURE APPLICATIONS SOCIAL MEDIA APPLICATIONS PEER-TO-PEER
WE DON’T USE CLOUD APPLICATIONS OR SERVICES
72%
33%
68%
32%
56%
10%
49%
46% 5%
Key FindingsThe state of cloud computing in organizations
6
The anticipated growth in cloud computing is shown in Figure 6. Based on an extrapolated average, cloud computing resources meet 35 percent of the total IT and data processing requirements of the organizations surveyed, and this is expected to rise to 44 percent over the next two years.
FIGURE 6 PERCENTAGE OF INFORMATION TECHNOLOGY REQUIREMENTS MET BY CLOUD COMPUTING
TODAY 24 MONTHS FROM NOW
NONE <10% 41% – 50%11% – 20% 51% – 60%21% – 30% 61% – 70%31% – 40% 71% – 80% >80%
10%20%
7% 9%2%5% 12%
24%
7% 5%2%
23%
4%15%
2%2%
22%15%7% 8%
Although cloud computing is increasing rapidly, it does not seem to affect organizational privacy commitments
Only 14 percent of respondents say the use of cloud resources increases an organization’s responsibility to safeguard customer, employee, consumer, and other personal information. Figure 7 also shows that about half of respondents say it does not affect their organization’s responsibility.
CLOUD COMPUTING DOES NOT AFFECT
OUR RESPONSIBILITY
CLOUD RESOURCES INCREASE OUR RESPONSIBILITY
CLOUD RESOURCES DECREASE OUR RESPONSIBILITY
14%
35%
FIGURE 7 IMPACT OF CLOUD COMPUTING ON ORGANIZATIONAL RESPONSIBILITY TO SAFEGUARD INFORMATION
51%
Key FindingsThe state of cloud computing in organizations
7
Organizations rely on cloud provider contracts and self-assessments in the vetting process
The top three steps that organizations take to vet cloud providers are contractual negotiation and legal review (59 percent of respondents), proof of compliance such as an audit report (51 percent), and a self-assessment checklist or questionnaire completed by the provider (43 percent), as illustrated in Figure 8.
Further, 46 percent say they look at adherence to a certification standard and consider SAS-70 (which is currently being replaced by the SSAE 16 standard) and PCI DSS as the most important certifications for evaluating cloud providers, while 38 percent regard the ISO 27001 certification as most important (Figure 9).
To secure sensitive and confidential data, the majority of respondents say they rely on assurances from the cloud provider (63 percent) or contractual agreements with the cloud provider (58 percent). Only 37 percent say they use conventional data security tools such as encryption to protect information in the cloud (Figure 10).
FIGURE 8 METHODS FOR VETTING OR EVALUATING CLOUD PROVIDERSMORE THAN ONE CHOICE PERMITTED
FIGURE 10 METHODS FOR SECURING CONFIDENTIAL OR SENSITIVE PERSONAL INFORMATION IN THE CLOUDMORE THAN ONE CHOICE PERMITTED
FIGURE 9 MOST IMPORTANT CERTIFICATIONS USED WHEN EVALUATING CLOUD PROVIDERSTWO CHOICES PERMITTED
WE RELY ON ASSURANCES FROM THE CLOUD PROVIDER
WE BUY ADDITIONAL SECURITY SERVICES PROVIDED BY THE CLOUD PROVIDER
DON’T KNOW
WE RELY ON CONTRACTUAL AGREEMENTS WITH THE CLOUD PROVIDER
WE USE CONVENTIONAL DATA SECURITY TOOLS TO PROTECT INFORMATION
OTHER
CONTRACTUAL NEGOTIATION AND LEGAL REVIEW
PROOF OF COMPLIANCE
SELF-ASSESSMENT CHECKLIST COMPLETED BY PROVIDER 63%
39%
9%
58%
37%
2%
59% 51% 43%
SAS-70
PCIDSS
ISO 27001
NIST (US ONLY)
OECD
FISMA (US ONLY)
FIPS
FEDRAMP (US ONLY)
OTHER
46%45%
38%21%
13%12%12%8%
3%
Key FindingsThe state of cloud computing in organizations
8
Certain assurances from cloud vendors influence organizational decisions to purchase services
As discussed previously, 59 percent of respondents say that the privacy policies and practices of their cloud providers would impact cloud purchasing decisions.
Figure 11 shows that 63 percent of respondents would be much less likely or less likely to purchase cloud services if the cloud vendor reported a material data breach involving the loss or theft of sensitive or confidential personal information.
FIGURE 11 THE IMPACT OF A MATERIAL DATA BREACH ON THE DECISION TO USE A CLOUD PROVIDER
LESS LIKELY TO BUY CLOUD SERVICES
NO EFFECT ON THE DECISION TO BUY CLOUD SERVICES
UNSURE
MUCH LESS LIKELY TO BUY CLOUD SERVICES34%
3%
29%
33%
Key FindingsThe state of cloud computing in organizations
9
About half (51 percent) of respondents say assurances from a credible third party that the cloud vendor meets all privacy and data protection requirements, including regulations and laws in various countries, would make them much more or more likely to purchase from that company (Figure 12).
THE CLOUD PROVIDER AGREES TO MEET ALL PRIVACY AND DATA PROTECTION REQUIREMENTS
THIRD PARTY PROVIDES ASSURANCE THAT THE CLOUD PROVIDER MEETS PRIVACY AND PROTECTION REQUIREMENTS
MUCH MORE LIKELY TO BUY CLOUD SERVICES
NO EFFECT ON THE DECISION TO BUY CLOUD SERVICES
MORE LIKELY TO BUY CLOUD SERVICES
UNSURE
FIGURE 12 CONDITIONS THAT AFFECT THE DECISION TO USE A CLOUD PROVIDER
15% 9%
36%43%
6%
25%
60%
6%
Understand the types of confidential information that are too risky to be used or stored in the cloud
As shown in Figure 13, respondents are most concerned about putting intellectual property such as source code, design plans, and architectural renderings in the cloud (49 percent) followed by health records (47 percent). Interestingly, almost half (46 percent) of respondents say no sensitive or confidential information is too sensitive to store in the cloud.
FIGURE 13 INFORMATION TOO RISKY TO BE USED IN THE CLOUDMORE THAN ONE CHOICE PERMITTED
INTELLECTUAL PROPERTY
OTHER NONE OF THE ABOVE
RESEARCH DATA
CUSTOMER ACCOUNT INFORMATION
HEALTH RECORDS
CUSTOMER PAYMENTS
NON-FINANCIAL BUSINESS INFORMATION
FINANCIAL BUSINESS INFORMATION
EMPLOYEE RECORDS
CONSUMER DATA
49%38%26%5%
47%33%25%46%
40%29%11%
Key FindingsThe state of cloud computing in organizations
10
Key FindingsCountry differences in cloud privacy
FIGURE 14 CONFIDENCE THAT PRIVACY OBLIGATIONS ARE MET WHEN DEPLOYING CLOUD APPLICATIONS“VERY CONFIDENT” AND “CONFIDENT” RESPONSES COMBINED
In this study, the Ponemon Institute surveyed 1,771 individuals in IT, compliance, data security, risk management, and privacy in the United States, Germany, and the Nordic countries (Denmark, Finland, Norway, and Sweden). This section reports on some of the most salient differences that emerged in this research.
Confidence about data privacy in the cloud
How does confidence in the ability of cloud providers to meet privacy commitments differ among countries in this study? Figure 14 shows that respondents in Germany and the Nordic countries are more confident that privacy obligations are met when deploying cloud applications or services than respondents in the United States.
U.S. GERMANY NORDIC COUNTRIES
39% 56% 46%
11
Key FindingsThe state of cloud computing in organizations
The impact of cloud service privacy practices on purchase decisions
A cloud service provider’s commitment to privacy has the most impact among respondents in Germany and the Nordic countries, as shown in Figure 15.
As shown in Figure 16, respondents in the United States and Germany believe it is most important that the cloud provider disclose the physical location of data storage, including the location of replicated or backed-up data files. Respondents in Nordic countries, however, believe that it is most important that the cloud provider has strict processes and procedures that ensure that customer data is separate from that of other customers.
FIGURE 15 IMPACT OF PRIVACY POLICIES AND PRACTICES OF CLOUD PROVIDERS ON CLOUD PURCHASING DECISION
VERY SIGNIFICANT IMPACT
THE CLOUD PROVIDER HAS PROCESSES IN PLACE TO ENSURE THAT CUSTOMER DATA IS SEPARATE FROM THAT OF OTHER CUSTOMERS
THE CLOUD PROVIDER USES EUROPEAN UNION’S MODEL CLAUSES AS CONTRACTUAL AGREEMENTS
THE CLOUD PROVIDER DISCLOSES THE PHYSICAL LOCATION OF DATA STORAGE
THE CLOUD PROVIDER AGREES NOT TO MINE CUSTOMER DATA
UNSURE
12%
18%
29%
38%
3%
18%
27%
31%
21%
3%
21%
28%
31%
14%
5%
U.S.
U.S.
GERMANY
GERMANY
NORDIC COUNTRIES
NORDIC COUNTRIES
SIGNIFICANT IMPACT
SOME IMPACT
NO IMPACT
FIGURE 16 IMPORTANT ISSUES THAT DETERMINE THE CLOUD PROVIDER’S COMMITMENT TO PRIVACY”VERY IMPORTANT” AND “IMPORTANT” RESPONSES COMBINED
62%
54%
44%
24%
61%
58%
50%
43%
53%
56%
49%
35%
12
Conclusion
Achieving data privacy in the cloud is a challenge for all organizations. The Ponemon Institute recommends that organizations assess the specific, proactive steps they can take to protect sensitive information in the cloud, such as:
≈ Create policies and procedures that clearly state the importance of protecting sensitive information stored in the cloud. The policy should outline what kinds of information are considered sensitive and proprietary.
≈ Evaluate the security posture of third parties before sharing confidential or sensitive information. As part of the process, corporate IT or IT security experts should conduct a thorough review and audit of the vendor’s security qualifications.
≈ Train employees to mitigate the security risks specific to cloud technology to make sure that sensitive and confidential information is not threatened.
≈ Establish an organizational structure that allows the CIO, CISO, or other security or privacy leaders to participate actively in the vetting, purchasing, and implementing processes to ensure that they are handled appropriately.
≈ If appropriate, establish a functional role dedicated to information-governance oversight to better protect the business.
≈ Define a policy that governs the protection of sensitive and confidential data and applications that organizations are willing to put in the cloud.
The Ponemon Institute also recommends that cloud computing providers offer greater transparency into their security infrastructure to help ensure customer confidence that information stored in the cloud is secure.
13
Method Table 1 reports the sample frame of 24,889 individuals in the United States who have bona fide credentials in the IT or IT security fields. In total, 814 respondents completed the survey. Of the returned surveys, 45 failed reliability checks. A total of 769 surveys were used in the final sample, which represents a 3.1 percent response rate.
Pie Chart 1 summarizes the positions of the respondents in our study. The majority (65 percent) were at or above the supervisory level, with the average experience in IT or IT security at 10.75 years.
Pie Chart 3 shows that more than half of the respondents (58 percent) report to the Chief Information Officer and Chief Information Security Officer.
Pie Chart 2 reports the respondents’ primary industry segments. Seventeen percent of respondents were in the financial services, which includes banking, investment management, insurance, brokerage, payments, and credit cards. Another 11 percent were in the health and pharmaceutical sectors, and 10 percent were in the public sector, including government.
U.S. SAMPLE RESPONSE RESPONDENTS PERCENTAGE
SAMPLING FRAME 24,889 100.0%
INVITATIONS SENT 24,051 96.6%
TOTAL RETURNS 814 3.3%
TOTAL REJECTS 45 0.2%
FINAL SAMPLE 769 3.1%
TABLE 1
MANAGER
SUPERVISOR
OTHER
COMMUNICATIONS
TRANSPORTATION
DEFENSE
ENERGY
AGRICULTURE AND FOOD SERVICES
FINANCIAL SERVICES
HEALTH AND PHARMACEUTICAL
OTHER
GENERAL COUNSEL
CHIEF FINANCIAL OFFICER
CEO/EXECUTIVE COMMITTEE
DIRECTOR OF INTERNAL AUDIT
HUMAN RESOURCES LEADER
CHIEF SECURITY OFFICER
DIRECTOR
VICE PRESIDENT
SENIOR EXECUTIVE
STAFF OR TECHNICIAN
HOSPITALITY AND LEISURE
CONSUMER PRODUCTS
EDUCATION AND RESEARCH
INDUSTRIAL
TECHNOLOGY AND SOFTWARE
SERVICES
PUBLIC SECTOR
RETAIL
CHIEF PRIVACY OFFICER
COMPLIANCE OFFICER
CHIEF RISK OFFICER
CHIEF TECHNOLOGY OFFICERCHIEF INFORMATION
SECURITY OFFICER
CHIEF INFORMATION OFFICER
23%
4%
4%
19%
5%
4%
2%
2%
8%
10%
2%
3%
3%
3%
5%
8%
11%9%
16%
3%
3%
4%
5%
7%
17%
2%
8%
48%
2%
2%
33%
7%
8%
3%10%
PIE CHART 1 DISTRIBUTION OF RESPONDENTS ACCORDING TO POSITION LEVEL
PIE CHART 3 DISTRIBUTION OF RESPONDENTS ACCORDING TO POSITION LEVEL THEY REPORT TO
PIE CHART 2 DISTRIBUTION OF RESPONDENTS ACCORDING TO PRIMARY INDUSTRY CLASSIFICATION
14
Survey Limitations
There are inherent limitations to survey research that must be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias. The findings are based on a sample of survey returns. The researchers sent surveys to a representative sample of individuals, resulting in the return of a large number of usable responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different from those who completed the survey in terms of underlying beliefs.
Sampling-frame bias. Research accuracy is based on contact information and the degree to which the list is representative of individuals who are knowledgeable about protecting data in the cloud environment. The researchers recognize that the results may be biased by external events such as media coverage. They also acknowledge that there may be bias because subjects were compensated for completing the surveys.
Self-reported results. The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not respond truthfully.