Last week I shared five ways consumers can protect against another Sony breach. As a follow up to that discussion, I want to address cloud providers’ disconcerting lack of accountability when it comes to security.
A recent Wall Street Journal article by Ben Rooney reported that the majority of cloud service providers do not consider security as one of their most important responsibilities. This sentiment is based on a survey from the Ponemon Institute. According to the article, a survey of 127 cloud service providers – including 24 in six European countries and the remainder in the U.S. – found that most believe it is their customers’ responsibility to secure data. The report goes on to state that the majority of cloud providers (79%) say their organizations allocate 10 percent or less of IT resources to security related activities.
My own company’s experience as a provider of privileged account management software is certainly consistent with this finding. We find that only a small number of top-tier cloud service providers think seriously about controlling and auditing their own employees’ access to sensitive customer data. However, you may be surprised by some of the well-known providers who seem to treat customer data security as an afterthought.
The fact that so many cloud providers – large and small – have no interest in managing privileged identities and enforcing segregation of duties to limit access to sensitive data and systems should give customers great pause before putting their most precious data and resources in the hands of most providers.
No Consequences for Cloud Data Security Violations
The reality of cloud data security and PCI-DSS today is that they are ineffective. Furthermore, there are no consequences for many companies that under-invest in security.
The recent Sony breaches serve as a prime example. There is abundant technology to inhibit data breaches and limit their damage, but Sony chose not to implement it. Putting this much private customer data in a single database that is publicly extractable with no limits is shameful, especially given the technologies available today to protect against this type of loss.
The overwhelming odds are that the CIO and CSO at Sony responsible for this situation will not be held accountable for their poor decisions. Similarly, if history is any guide, the auditors responsible for examining IT security compliance at Sony will face no consequences, either. The loss of consumers’ personal information will likely be nothing more than a “cost of doing business”. The consumer will take the pain and Sony will take a short-term hit to its reputation.
It is for this reason that I am fundamentally opposed to hiding PCI results, as well as SAS 70 reports, from the public. If a prospective customer doesn’t have access to the full internal security report of a cloud vendor, the prospect should expect that the vendor has little to no real security. Therefore, he can expect that sensitive data will eventually be compromised.
How likely are you to commit your sensitive data to cloud vendors? And what’s the biggest cloud security question you would like an answer to?