
Earlier this month at our videocast on cloud security, panelists discussed the issue from both the customer and the service provider perspective. Many questions were raised about who is responsible for cloud security and how useful Service Level Agreements (SLAs) are in contract negotiations.

 

Both Liz Mann, CISO of Mycroft Inc., and Lina Liberti, VP of the CA Technologies Security Business Unit, said that customers must partner with vendors to protect their data in the cloud.

 

Liberti noted that “it’s critical to work with your vendor very closely; SLAs give you control and help you define what you want.” With specific language in place, you should “understand what’s shared or not, what options and technologies are used, and define the comfort level you need,” she said. An audience poll during the videocast showed that 79 percent of respondents believe that cloud security is a shared responsibility between providers and users.

 

Mycroft’s Mann said that as a service provider, “We have to deliver against those SLAs, and we take them very seriously. Quality-of-service (QoS) delivery and commitment to SLAs are what we live by.”

 

These assurances are just what concerned users — who are considering whether to trust service providers with their sensitive data — want to hear. Why, then, is there so much anxiety among CIOs when it comes to signing away their applications, storage, infrastructure and platforms to cloud service providers?

 

One answer, as Liberti also noted, is that customers “can’t give up control” when entering into cloud arrangements. And Mann told CIOs that having service providers host applications doesn’t absolve them of their basic security practices.

 

Revealing Results from Ponemon Study

To delve even deeper, I turned to a newly released study, Security of Cloud Computing Providers, conducted by CA Technologies and Ponemon Institute. The paper, the second in a two-part series about the state of security in the cloud, was eye-opening to me. Clearly, I realized, most vendor-user relationships are not 50-50 partnerships, and not all vendors are offering the type of assurances our panelists described.

 

After surveying a total of 127 service providers in the U.S. and Europe earlier this year, the Ponemon researchers concluded: “The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”

 

[Chart: chart11.gif]

 

As noted in the chart, there is a large disconnect between the perceptions of users and those of vendors about who is responsible for securing cloud data.

 

It’s Still the ‘Wild West’

During the Smart Enterprise Exchange videocast, Joseph Puglisi, a member of the executive council of the Cloud Computing Consortium at Stevens Institute and former CIO at Emcor Group, also advised customers to be cautious when they enter into cloud relationships and to weigh the benefits and risks carefully. Industry standards will evolve, he said, but right now “it’s the Wild West, and we need to establish law and order.”

 

Liberti, at CA Technologies, said that for all of their efforts to collaborate, ultimately IT will be held responsible by the CEO if problems arise. Therefore, she recommends getting CISOs involved in cloud contract negotiations from the start.

 

Here are additional highlights of the Ponemon survey:

 

  • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud, not theirs. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
  • Buyer beware: On average, providers of cloud computing technologies allocate 10 percent or less of their operational resources to security, and most do not have confidence that customers’ security requirements are being met.
  • Cloud providers say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications; improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
  • The majority of cloud providers admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
  • Providers of private cloud resources appear to attach more importance to, and have a higher level of confidence in, their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions do.
  • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the providers are considering such solutions as a new source of revenue sometime in the next two years.


The good news from all of this is that shared responsibility will move both sides to better services and better security. Otherwise, as the report notes: “If the risk of breach outweighs potential cost savings and agility, we may reach a point of ‘cloud stall,’ where cloud adoption slows or stops” until organizations believe cloud security is as good as or better than enterprise security.

 

What are your security expectations when you enter into cloud computing contracts? Have you had success with SLAs? Share your experiences and advice for your peers here. And you can also view highlights from our recent live event here.


Paula Klein, Smart Enterprise Exchange Editor