
Page 1: Ponemon cloud security study

Managing Firewall Risks in the Cloud Survey of U.S. IT & IT Security Practitioners

Ponemon Institute© Research Report

Sponsored by Dome9 Security Independently conducted by Ponemon Institute LLC Publication Date: November 2011


Ponemon Institute© Research Report Page 1

Managing Firewall Risks in the Cloud Ponemon Institute, November 2011

Part 1. Introduction

Ponemon Institute is pleased to present the results of Managing Firewall Risks in the Cloud. Sponsored by Dome9 Security, this research was conducted to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. We believe this is the first study to look at the risk to cloud security caused by unsecured ports and firewalls.

The study surveyed 682 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. On average, respondents have more than 10 years of IT or IT security experience. Only IT practitioners working in organizations that use hosted or cloud servers (dedicated or virtual private server) completed the survey. The majority of respondents report that their organizations use both public clouds and hybrid (semi-public) clouds. Forty percent are employed by organizations with a worldwide headcount of more than 5,000.

Our research shows that the majority of respondents (68 percent) say their organizations use public cloud services. The most commonly cited service providers are listed in Bar Chart 1.

Bar Chart 1. The major public cloud service providers used by respondents’ organizations (more than one choice is permitted)
AWS EC2: 49%
Azure: 47%
Google: 45%
RackSpace: 38%
GoGRID: 30%
Terremark: 28%
All others: 24%

According to the majority of these respondents (52 percent), the state of cloud server security management is either fair or poor, and 21 percent had no comment. This concern can be partly attributed to the finding that 42 percent fear that they would most likely not know if their organizations’ applications or data were compromised by a security exploit or data breach involving an open port on a cloud server.

Imagine this. Can this happen to your organization?

After configuring a cloud server firewall, a systems administrator inadvertently locks out your organization’s access to a cloud server, thereby preventing it from processing a mission critical application.

In order to access cloud servers, your organization leaves administrative server ports (such as SSH or Remote Desktop) open. These open ports expose the organization to increased hacker attacks and serious security exploits.


The topics addressed in this study include:
Perceptions about organizations’ ability to mitigate the risk to their cloud servers
Barriers to efficiently managing security in the cloud server
Responsibility for managing cloud security risks
The risk of open ports in a cloud environment
The importance of certain features to securing the cloud server

The next section reports the key findings of our independently conducted survey research. The results provide strong evidence that organizations’ cloud servers are vulnerable, that most IT personnel do not understand the risk, and that it is a challenge to secure access to cloud servers and to generate access reports for them.


Part 2. Key findings

Respondents do not give high marks to their organizations’ cloud server security. Bar Chart 2 shows that more than half (52 percent) rate their organizations’ overall management of cloud server security as fair (27 percent) or poor (25 percent).

Bar Chart 2. How do you rate your organization’s overall management of cloud server security today?
Excellent: 9%
Good: 18%
Fair: 27%
Poor: 25%
No comment: 21%

Twenty-one percent of respondents have no comment about the status of cloud server management in their organizations, which could indicate a lack of knowledge about how their organizations are managing access and securing firewalls and ports in their cloud environments. In fact, as shown in Bar Chart 3, 54 percent of respondents say the IT personnel within their organization are not knowledgeable (41 percent) or have no knowledge (13 percent) about the potential risk of open firewall ports in their cloud environments.

Bar Chart 3. How knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment?
Very knowledgeable: 14%
Knowledgeable: 32%
Not knowledgeable: 41%
No knowledge: 13%


Manually configuring a cloud server firewall frustrates IT practitioners. Bar Chart 4 lists seven (7) attributions or statements about the state of cloud security in respondents’ organizations.1 Eighty-six percent of respondents strongly agree or agree that configuring their organizations’ cloud server firewall manually is a difficult and sometimes frustrating process. In fact, 79 percent of respondents believe that being able to efficiently manage security in the cloud environment is just as important as the security itself. Most respondents (81 percent) agree that in the cloud environment, opening or closing ports to servers containing their organizations’ applications or data is managed via controls provided by the cloud service provider.

Bar Chart 4. Respondents’ perceptions about the state of cloud security and remote management of firewalls (strongly agree and agree responses combined)
Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process: 86%
In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider: 81%
In the cloud environment, being able to efficiently manage security is just as important as the security itself: 79%
In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider: 77%
In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities: 73%
In the cloud environment, user access to applications and data is primarily determined by username and passwords: 72%
The security of cloud servers containing my organization’s applications and data is a significant priority: 52%

1 In our survey we used attributions to capture the perceptions of respondents concerning the security of cloud computing environments. These attributions or statements are evaluated using a five-point adjective scale ranging from strongly agree to strongly disagree. A favorable or affirmative response is defined as a strongly agree or agree response. A negative or non-affirmative response is defined as a strongly disagree, disagree or unsure response.


Scalability and cost, according to IT practitioners, are the reasons for not having a cloud server firewall management solution. Pie Chart 1 shows that 61 percent of respondents say their organization does not have a cloud server firewall management solution. Of those who do not have one, Bar Chart 5 shows that 62 percent say it is because the solutions are not scalable, 59 percent say they cost too much and 57 percent say solutions are not available. Of the 39 percent who say they do have a cloud server firewall management solution, more than half (54 percent) describe that solution as managing the cloud server firewall manually.

Pie Chart 1. Does your organization have a cloud server firewall management solution deployed today?
Yes: 39%
No: 61%

Bar Chart 5. If no, why not? The solution is . . .
Not scalable: 62%
Cost too much: 59%
Not available: 57%
Overly complex: 49%
Not dependable: 43%


Responsibility for security in the cloud server usually rests with either IT operations or the business units. Bar Chart 6a shows that 41 percent of respondents say the IT operations department or function is most responsible for ensuring that servers housing the organization’s applications and data in the cloud are adequately secured. Bar Chart 6b shows that the groups most responsible for making sure the cloud provider has adequate security controls in place are the business functions (37 percent) followed by IT operations (35 percent). It is interesting to see in both charts that IT security ranks relatively low in terms of having the most responsibility for ensuring cloud server security.

Bar Chart 6. Who within your organization is most responsible?

6a. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured?
IT operations: 41%
Managed service provider: 20%
IT security: 17%
Business functions: 15%
Data center: 5%

6b. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in place to protect your organization’s applications and data?
Business functions: 37%
IT operations: 35%
IT security: 21%
Legal & compliance: 5%
Data center: 2%

Bar Chart 7 reports that 36 percent believe the cloud provider is most responsible for ensuring the security of the cloud operations that support applications and data, followed by 33 percent who say this responsibility is shared equally between the cloud provider and the cloud user.

Bar Chart 7. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data?
Cloud provider: 36%
Both are equal: 33%
Cloud user: 31%


IT practitioners report that locking out an organization’s access to a cloud server is likely to happen. As noted in Bar Chart 8, when asked whether a systems administrator could lock out the organization’s access to a cloud server after configuring the cloud server firewall, 12 percent say this has already happened and 43 percent say it is very likely to happen.

Leaving administrative server ports open and vulnerable to hackers is likely to happen, according to respondents. The same chart shows that 19 percent of respondents say their organization has already experienced additional hacker risk or security exploits because of exposed open ports on cloud servers. Another 42 percent say it is very likely that administrative server ports are left open and, thus, that the company is exposed to increased hacker attacks and security exploits.

Bar Chart 8. Two cloud server firewall risk management scenarios. How likely is each scenario?

After configuring a cloud server firewall, a systems administrator inadvertently locks out the organization’s access to a cloud server.
Already happened: 12%
Very likely to happen: 43%
Likely to happen: 22%
Not likely to happen: 18%
Will never happen: 5%

In order to access cloud servers, your organization leaves administrative server ports open. These open ports expose the company to increased hacker attacks and security exploits.
Already happened: 19%
Very likely to happen: 42%
Likely to happen: 9%
Not likely to happen: 14%
Will never happen: 16%
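The two scenarios in Bar Chart 8 (and in the Part 1 box) are exactly the checks a practitioner would run before pushing a firewall change. The following is an added example written for this edit, not code from the Ponemon report or from any Dome9 product: it audits a security-group style allow list for administrative ports reachable from any address, and it refuses a proposed rule set that would drop the operator’s own management address. The Rule format, the management address 203.0.113.10 and the three rule sets are constructed for the example; the port list takes the SSH and Remote Desktop ports the survey names and adds WinRM, which serves the same purpose on Windows servers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Administrative ports named in the survey (SSH, Remote Desktop) plus WinRM.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the shape cloud security groups use (assumed format)."""
    proto: str        # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str       # CIDR the rule accepts connections from

    def covers(self, port: int, proto: str = "tcp") -> bool:
        return self.proto in ("any", proto) and self.port_from <= port <= self.port_to

    def admits(self, addr: str) -> bool:
        # An IPv4 address tested against an IPv6 network (or vice versa) is simply False.
        return ip_address(addr) in ip_network(self.source, strict=False)

    def is_world(self) -> bool:
        return ip_network(self.source, strict=False).prefixlen == 0


def exposed_admin_ports(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """(port, service, source) for every admin port reachable from anywhere."""
    found = []
    for port, name in sorted(ADMIN_PORTS.items()):
        for rule in rules:
            if rule.is_world() and rule.covers(port):
                found.append((port, name, rule.source))
    return found


def still_reachable(rules: List[Rule], mgmt_addr: str, port: int = 22) -> bool:
    """Would an operator connecting from mgmt_addr still reach `port` under these rules?"""
    return any(r.covers(port) and r.admits(mgmt_addr) for r in rules)


def review_change(proposed: List[Rule], mgmt_addr: str, mgmt_port: int = 22) -> List[str]:
    """Findings that should block applying `proposed`; an empty list means go ahead.
    The lockout check runs first: an empty rule set closes every port and would
    otherwise look perfectly safe to the exposure check."""
    findings = []
    if not still_reachable(proposed, mgmt_addr, mgmt_port):
        findings.append(f"lockout: {mgmt_addr} could no longer reach tcp/{mgmt_port}")
    for port, name, source in exposed_admin_ports(proposed):
        findings.append(f"exposed: {name} (tcp/{port}) open to {source}")
    return findings


# Constructed sample data using TEST-NET-3 documentation addresses.
MGMT_ADDR = "203.0.113.10"   # the jump host operators connect from (assumed)

# "We leave SSH and RDP open so we can always get in."
OPEN_RULES = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]

# An administrator removes the open SSH rule but forgets to re-allow the jump host.
LOCKOUT_RULES = [Rule("tcp", 443, 443, "0.0.0.0/0")]

# Administrative ports restricted to the management network only.
HARDENED_RULES = [
    Rule("tcp", 22, 22, "203.0.113.0/24"),
    Rule("tcp", 3389, 3389, "203.0.113.0/24"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("lockout", LOCKOUT_RULES),
                         ("hardened", HARDENED_RULES)):
        print(f"{label:9s}", review_change(rules, MGMT_ADDR) or ["ok"])
```

Running the file prints the findings for each constructed rule set: the open set is flagged for world-reachable SSH and RDP, the lockout set is flagged because the jump host would lose SSH, and the hardened set passes. In practice `proposed` would be the rule set about to be pushed through the provider’s firewall controls, and `MGMT_ADDR` the jump host or VPN egress operators actually connect from; the point of evaluating the lockout check before the exposure check is that "close everything" is the one change that is trivially free of exposure and most likely to strand the administrator.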


Data and applications in the cloud server are at risk because of the inability to manage access and secure ports and firewalls. According to Bar Chart 9, two-thirds (67 percent) of respondents say their organizations are very vulnerable or vulnerable because ports and firewalls in the cloud environment are not adequately secured. Less than half (46 percent) of respondents say they have IT operations and infrastructure personnel who are very knowledgeable or knowledgeable about this risk.

Bar Chart 9. How vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments?
Very vulnerable: 32%
Vulnerable: 35%
Not vulnerable: 9%
Unsure: 24%

Automated firewall policy management is more important in the cloud environment because it is elastic, according to 40 percent of respondents. Thirty-six percent say their organization cannot manage access or generate reports efficiently, and 29 percent say they manage access through the cloud provider’s tools but cannot see the access reports.

Bar Chart 10. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment?
More important in the cloud environment because it is elastic: 40%
Equally important in both on-premises and cloud environments: 32%
Unsure: 20%
Less important in the cloud environment: 8%


Automatic firewall configuration, an inexpensive solution and centralized control over all closed and open ports on cloud servers top the wish list of IT practitioners. Bar Chart 11 lists features relating to cloud firewall risk management solutions. Seventy-eight percent of respondents say the most important feature is a solution that closes ports automatically without having to reconfigure the firewall manually. The second most important feature, according to 73 percent of respondents, is a solution that costs less than traditional managed service solutions. Seventy-two percent of respondents say a solution providing centralized control over all closed and open ports on cloud servers is most important to them.

Bar Chart 11. How important are the following technology features regarding cloud server firewall security?2 (very important and important responses combined)
The solution closes ports automatically, so you don’t have to manually reconfigure your firewall: 78%
The solution is inexpensive, costing companies about 20% of the cost of managed service solutions: 73%
The solution provides centralized control over all closed and open ports on cloud servers: 72%
The solution is scalable to all cloud servers irrespective of location: 69%
The solution keeps all administrative ports closed on your servers without losing access and control: 69%
The solution can consolidate security management across the cloud (i.e., multiple cloud providers): 65%
The solution securely accesses your cloud servers without fear of getting locked out: 63%
The solution provides audited reports showing who has access, when it occurred, what servers were accessed, and why access was granted: 62%
The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server: 61%
The solution dynamically opens any port on-demand, any time and from anywhere: 59%
The solution sends time and location-based secure access invitations to third parties: 56%

2 Respondents were asked to assume that the above-mentioned features result from a proprietary software download to each cloud server containing their organization’s applications and data.


Part 3. Methods

A random sampling frame of 18,997 adult-aged individuals who reside within the United States was used to recruit and select participants for this survey. Our randomly selected sampling frame was built from proprietary lists of highly experienced IT and IT security practitioners with bona fide credentials. As shown in Table 1, 727 respondents completed the survey. Of the returned instruments, 64 surveys failed reliability checks. A total of 863 surveys were available before screening. One screening question was used to remove respondents who did not have relevant experience or knowledge. This resulted in a final sample of 682 individuals.

Table 1. Survey response (Freq. / Pct%)
Sampling frame: 18,997 (100.0%)
Total returns: 727 (3.8%)
Rejected surveys: 64 (0.3%)
Sample before screening: 863 (4.5%)
Final sample: 682 (3.6%)

Table 2 reports the respondents’ organizational level within participating organizations. Fifty-six percent of respondents are at or above the supervisory level. On average, respondents had more than 10 years of overall experience in either the IT or IT security fields, and nearly five years in their present position.

Table 2. Respondents’ position level (Pct%)
Vice President: 2%
Director: 15%
Manager: 21%
Supervisor: 18%
Technician: 37%
Staff: 4%
Contractor: 3%
Total: 100%

Table 3 shows that the most frequently cited reporting channels among respondents are the CIO (58 percent), CISO (20 percent) and chief risk officer (8 percent).

Table 3. Respondents’ primary reporting channel (Pct%)
Chief Information Officer: 58%
Chief Information Security Officer: 20%
Chief Risk Officer: 8%
Chief Financial Officer: 4%
Chief Security Officer: 4%
General Counsel: 3%
Compliance Officer: 3%
Total: 100%


Table 4 reports the worldwide headcount of participating organizations. It shows that 65 percent of respondents are located in organizations with more than 1,000 employees.

Table 4. Worldwide headcount of respondents’ organizations (Pct%)
< 500: 16%
500 to 1,000: 19%
1,001 to 5,000: 25%
5,001 to 25,000: 18%
25,001 to 75,000: 13%
75,001 to 100,000: 4%
101,000 to 150,000: 3%
> 150,000: 2%
Total: 100%

Table 5 reports the respondent organizations’ global footprint. As can be seen, a large number of participating organizations are multinational companies that operate outside the United States.

Table 5: Geographic footprint of respondents’ organizations (Pct%)
United States: 100%
Canada: 75%
Europe: 68%
Middle East & Africa: 41%
Asia-Pacific: 58%
Latin America: 43%

Pie Chart 2 reports the industry distribution of respondents’ organizations. As shown, financial services (including retail banking, insurance, brokerage and payments), public sector (federal, state and local), and healthcare and pharmaceuticals are the three largest industry segments.

Pie Chart 2: Industry distribution of respondents’ organizations
Financial services: 20%
Public sector: 12%
Health & pharmaceuticals: 11%
Industrial: 8%
Services: 8%
Retailing: 7%
Hospitality: 6%
Education & research: 5%
Technology & Software: 5%
Communications: 4%
Consumer products: 3%
Energy: 3%
Entertainment & media: 3%
Transportation: 3%
Defense: 2%


Part 4. Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals in IT and IT security located in the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs or perceptions about data protection activities from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals in the IT and IT security fields. We also acknowledge that the results may be biased by external events.

We also acknowledge bias caused by compensating respondents to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that certain respondents did not provide accurate responses.


Part 5. Conclusion

The IT practitioners in our study acknowledge that cloud server security is vulnerable and that open ports expose the company to increased hacker attacks and security exploits. According to the findings in this study, some of the main barriers to mitigating risks include the current perception that cloud server security is not a priority and the lack of IT operations and infrastructure employees who are knowledgeable about the importance of securing ports and access. We also learned that accountability for the security of cloud servers rarely rests with IT security but with the business units or IT operations. We believe the primary reason for this is that in general the business units, not IT security, are most responsible for provisioning cloud services. For example, research and engineering developers are adopting the cloud faster than IT departments, and in many cases IT departments are not involved in the adoption and deployment of cloud services.

Based on the findings, it is recommended that organizations take the following steps:

Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.

Investigate solutions that are both efficient and cost effective.

Create accountability for cloud server security.

Make sure those who are accountable are knowledgeable about the risks.

Ensure that the cloud service providers have appropriate controls in place.

Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.

As more data and applications migrate to the cloud, security of the cloud server should become a significant priority for the organization. These recommendations should help IT practitioners make a difference in reducing the risk of a potentially costly and damaging attack.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a three-week period ending in October 2011.

Survey response (Freq. / Pct%)
Sampling frame: 18,997 (100.0%)
Total returns: 727 (3.8%)
Rejected surveys: 64 (0.3%)
Sample before screening: 863 (4.5%)
Final sample: 682 (3.6%)

Part 1. Screening question

S1. Does your organization use hosted or cloud servers (dedicated or virtual private server (VPS))? (Freq. / Pct%)
Yes: 682 (79%)
No (stop): 181 (21%)
Total: 863 (100%)

Part 2. General questions

Q1a. Please check the types of cloud environments your organization presently uses. (Pct%)
Private cloud: 31%
Public cloud: 68%
Hybrid (semi-public) cloud: 50%
Other: 2%
Total: 151%

Q1b. Which of the following major cloud service providers does your organization use? Please select all that apply. (Pct%)
Windows Azure: 47%
Google App Engine: 45%
Amazon EC2: 49%
RackSpace: 38%
GoGRID: 30%
Terremark: 28%
None of the above: 24%
Total: 261%

Attributions. Please rate the following statements using the five-point scale provided below each statement. Only strongly agree and agree responses are shown. (Strongly agree / Agree)
Q2a. The security of cloud servers containing my organization’s applications and data is a significant priority: 27% / 25%
Q2b. In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities: 38% / 35%
Q2c. In the cloud environment, user access to applications and data is primarily determined by username and passwords: 38% / 34%
Q2d. In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider: 40% / 37%
Q2e. In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider: 44% / 37%


Q2f. Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process: 46% / 39%
Q2g. In the cloud environment, being able to efficiently manage security is just as important as the security itself: 40% / 39%

Q3a. Does your organization have a cloud server firewall management solution deployed today? (Pct%)
Yes: 39%
No: 61%
Total: 100%

Q3b. If yes, what best describes the solution used by your organization today? (Pct%)
We manage the cloud server firewall manually: 54%
We use managed security services for our cloud server firewalls: 20%
We have a third-party solution that allows us to manage cloud server firewalls remotely: 26%
Other (please specify): 0%
Total: 100%

Q3c. If no, why not? Please select all that apply. (Pct%)
Solutions are overly complex: 49%
Solutions are not scalable: 62%
Solutions cost too much: 59%
Solutions are not available: 57%
Solutions are not dependable: 43%
Other (please specify): 2%
Total: 272%

Q3d. If you are using a third-party service provider to manage cloud server security, approximately what do you pay each month per server for this service (do not include hosting cost)? Your best guess is welcome. (Pct%)
Less than $20: 35%
$21 to $50: 38%
$51 to $100: 8%
$101 to $150: 3%
More than $150: 2%
Don't know: 14%
Total: 100%
Extrapolated value ($ each month per server): 34.0

Q4. In your opinion, how likely are the following scenarios? Please rate the following events using the scale provided below each item.

Q4a. After configuring a cloud server firewall, a systems administrator inadvertently locks out the organization’s access to a cloud server. (Pct%)
Already happened: 12%
Very likely to happen: 43%
Likely to happen: 22%
Not likely to happen: 18%
Will never happen: 5%
Total: 100%


Q4b. In order to access cloud servers, your organization leaves administrative server ports (e.g., SSH, Remote Desktop, etc.) open. These open ports expose the company to increased hacker attacks and security exploits. (Pct%)
Already happened: 19%
Very likely to happen: 42%
Likely to happen: 9%
Not likely to happen: 14%
Will never happen: 16%
Total: 100%

Q5. In your opinion, how vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments? (Pct%)
Very vulnerable: 32%
Vulnerable: 35%
Not vulnerable: 9%
Unsure: 24%
Total: 100%

Q6. In your opinion, how knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment? (Pct%)
Very knowledgeable: 14%
Knowledgeable: 32%
Not knowledgeable: 41%
No knowledge: 13%
Total: 100%

Q7. Which one statement best describes how your organization manages access to cloud servers and generates reports that show who had access, when access occurred, and what servers were accessed? (Pct%)
Our organization uses the cloud service provider’s tools: 21%
Our organization manages access through the cloud provider’s tools, but it cannot see access reports: 29%
Our organization manages access and generates reports directly from each cloud server, but it is manual: 14%
Our organization cannot manage access or generate reports efficiently: 36%
Total: 100%

Q8. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment? (Pct%)
More important in the cloud environment because it is elastic: 40%
Equally important in both on-premises and cloud environments: 32%
Less important in the cloud environment: 8%
Unsure: 20%
Total: 100%


Q9. How important are the following eleven (11) features regarding cloud server security? Please rate each feature from very important = 1 to irrelevant = 4. Assume that these features result from a proprietary software download to each cloud server containing your organization’s applications and data. Only the very important and important responses are shown. (Very important / Important)
The solution provides audited reports showing who has access, when access occurred, what servers were accessed, and for what purpose access was granted: 21% / 40%
The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server: 20% / 41%
The solution can consolidate security management across the cloud (i.e., multiple cloud providers): 28% / 37%
The solution keeps all administrative ports closed on your servers without losing access and control: 37% / 32%
The solution dynamically opens any port on-demand, any time and from anywhere: 34% / 25%
The solution sends time and location-based secure access invitations to third parties: 23% / 33%
The solution closes ports automatically, so you don’t have to manually reconfigure your firewall: 38% / 40%
The solution securely accesses your cloud servers without fear of getting locked out: 35% / 28%
The solution is scalable to all cloud servers irrespective of location: 28% / 41%
The solution is inexpensive, costing companies about 20% of the cost of managed service solutions: 33% / 40%
The solution provides centralized control over all closed and open ports on cloud servers: 35% / 37%

Q10. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured? (Pct%)
Managed service provider: 20%
IT operations: 41%
IT security: 17%
Data center management: 5%
Business functions: 15%
Other: 2%
Total: 100%

Q11. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in place to protect your organization’s applications and data? (Pct%)
IT operations: 35%
IT security: 21%
Legal and compliance: 5%
Data center management: 2%
Business functions: 37%
Other: 0%
Total: 100%


Q12. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data? (Pct%)
Cloud provider: 36%
Cloud user: 31%
Both are equal: 33%
Total: 100%

Q13. If your organization’s applications or data were compromised by a security exploit or data breach involving an open port on a cloud server, how would you know? (Pct%)
The cloud provider would inform us: 39%
Our system would provide a warning or other message signaling the event: 19%
Most likely, we wouldn’t know: 42%
Total: 100%

Q14. How do you rate your organization’s overall management of cloud server security today? (Pct%)
Excellent: 9%
Good: 18%
Fair: 27%
Poor: 25%
No comment: 21%
Total: 100%

Part 3. Demographics and organizational characteristics

D1. What organizational level best describes your current position? (Pct%)
Senior Executive: 0%
Vice President: 2%
Director: 15%
Manager: 21%
Supervisor: 18%
Technician: 37%
Staff: 4%
Contractor: 3%
Other: 0%
Total: 100%

D2. Check the primary person you or your IT security leader reports to within the organization. (Pct%)
Chief Information Officer: 58%
Chief Information Security Officer: 20%
Chief Risk Officer: 8%
Chief Financial Officer: 4%
Chief Security Officer: 4%
General Counsel: 3%
Compliance Officer: 3%
Total: 100%

D3. Total years of relevant experience (Mean / Median)
Total years of IT or IT security experience: 10.19 / 10.00
Total years in present position: 4.83 / 4.50


D4. What industry best describes your organization’s industry focus? (Pct%)
Financial services: 20%
Public sector: 12%
Health & pharmaceuticals: 11%
Industrial: 8%
Services: 8%
Retailing: 7%
Hospitality: 6%
Education & research: 5%
Technology & Software: 5%
Communications: 4%
Consumer products: 3%
Energy: 3%
Entertainment & media: 3%
Transportation: 3%
Defense: 2%
Total: 100%

D5. Where are your employees located? (check all that apply) (Pct%)
United States: 100%
Canada: 75%
Europe: 68%
Middle East & Africa: 41%
Asia-Pacific: 58%
Latin America: 43%

D6. What is the worldwide headcount of your organization? (Pct%)
< 500: 16%
500 to 1,000: 19%
1,001 to 5,000: 25%
5,001 to 25,000: 18%
25,001 to 75,000: 13%
75,001 to 100,000: 4%
101,000 to 150,000: 3%
> 150,000: 2%
Total: 100%


If you have any questions about this research, please contact Ponemon Institute at [email protected], or contact us via our toll free number 1.800.887.3118.

Ponemon Institute Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.