Who is responsible for securing data in the cloud? Organizations still aren’t sure

Posted on August 14, 2012

CRN recently highlighted a Ponemon Institute survey that looked into organizations’ thoughts on cloud security, and what they consider when moving their data to the cloud. 49% of the 1,140 business and IT managers surveyed said their organizations have moved sensitive data to a cloud environment, and 33% are planning to transfer such data to the cloud in the next two years. However, Ponemon respondents are unsure who is protecting their data.

This reminded me of our Cloud Prenup that we put together to help organizations understand cloud responsibilities and what to look for when signing a cloud SLA. When taking a look at both the survey and our prenup, there are some interesting similarities.

Who’s responsible?

The Ponemon survey found that 44% of organizations believed the cloud provider was responsible for protecting the data, and 30% thought the cloud customer was responsible.

In our cloud prenup, we note that cloud buyers should review all SLA terms and conditions carefully to determine who is responsible for what in different circumstances.

It’s also important to detail what happens to customer data should the customer or the vendor go out of business; if there's a merger or acquisition for either party; and how long a cloud vendor will keep customer data.

Regardless of the situation, when in doubt, it’s best to assume that it is the cloud buyer’s responsibility.

Some people are still “setting and forgetting”

In a statement, Larry Ponemon, the chairman and founder of the Ponemon Institute, said, “What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data.”

As we point out, once you move into the cloud, you have the same responsibilities you had when the infrastructure was on premises. It's important to plan how day-to-day IT activities will be handled, who has access to what and when, and what all of the security details are. It's also necessary to understand the maintenance of these environments, whether it is bug fixes or upgrades.

Be careful how much you reduce your security posture

In the survey, 39% of respondents said their security posture was reduced after moving their sensitive data to the cloud. However, will they be ready for a possible disaster?

In our recommendations we highlight how it's imperative to plan out what happens when disaster strikes. Before taking the cloud plunge it's important to ensure a failover plan is in place and to determine a replication plan. High availability is the cloud vendor's job, but failover isn't.

If you want to see what else was included within our cloud prenup, view it here.


Matt Cicciari

View all posts from Matt Cicciari on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.

