Perspectives From Leading It Professionals 2016 Ioug Cloud Security Survey

PERSPECTIVES
FROM LEADING IT
PROFESSIONALS:
2016 IOUG CLOUD
SECURITY SURVEY
By Joseph McKendrick, Research Analyst

Produced by Unisphere Research,
a Division of Information Today, Inc.
October 2016
Sponsored by Produced by
2
TABLE OF CONTENTS
Executive Summary3
Cloud Risks4
Cloud Formations11
Data in the Cloud15
Conclusion20
Demographics21
PERSPECTIVES FROM LEADING IT PROFESSIONALS: 2016 IOUG CLOUD SECURITY SURVEY was produced by Unisphere Research and sponsored by Oracle. Unisphere Research
is the market research unit of Unisphere Media, a division of Information Today, Inc., publishers of Database Trends and Applications magazine and the 5 Minute Briefing newsletters. To
review abstracts of our past reports, visit www.unisphereresearch.com. Unisphere Media, 121 Chanlon Road, New Providence, NJ 07974; 908-795-3702.
3
EXECUTIVE SUMMARY
A new survey of 306 IT professionals finds growing interest Highlights of the survey include the following findings:
in moving data to the cloud, despite security concerns. In fact,
nearly half of the respondents think that moving data to a public n Nearly one-third of respondents expect to experience some
cloud will provide them with better security than they can achieve type of data breach within their cloud environments over the
on premises. coming year.
While many enterprises are taking a hybrid cloud/on-premises
approach, there is still widespread belief that data breaches are n Most enterprises do not have assurances that their public
inevitable for both environments. Although there is a feeling that cloud providers are doing enough to protect their clients
private clouds are not as vulnerable to outside hackers as public data. Fifty-eight percent of respondents cannot get assurances,
clouds, respondents also understand that those environments are or do not know, whether their cloud providers are accessing
subject to internal user abuse or issues with legacy systems. such data.
The survey, conducted by Unisphere Research, a division of
Information Today, Inc., finds that organizations are moving n In terms of security concerns, other cloud tenants present
quickly into private cloud environments, and many are planning the greatest threat, according to respondents, even more
to adopt public cloud services as well. The survey, conducted in so than hackers and criminals. The riskiest aspects of
partnership with Oracle among members of the Independent private clouds, on the other hand, are their own users and
Oracle Users Group (IOUG), represents respondents from administrators, as well as the performance of legacy systems.
organizations of all sizes and across various industries.
n About half of the enterprises in the survey are willing to store
sensitive data with public cloud providers, and more than half
are storing such data in private clouds.
Read on to learn more about our latest findings on the state of
70%
enterprise cloud security from IT professionals. Data security has
long been a concern, and the rise of cloud adds a new dimension
to the challengeproviding greater coverage in some ways but
say the greatest threat opening up new vulnerabilities in others.
to public cloud data is
other cloud tenants
48%
believe the cloud to be
inherently more secure
than on-premises
deployments
4
CLOUD RISKS
One-fourth to one-third of data managers expect to experience some type of data breach within their cloud environments over
the coming year. Most enterprises do not have assurances that their public cloud providers are not engaging in risky practices, or
implementing safeguards to protect their clients data. In the majority of cases, 58%, data managers cannot assure, or simply dont
know, whether their cloud providers are accessing such data. Public cloud users believe that other tenants pose the greatest risk to the
security of their services, even more so than hackers and criminals. The riskiest aspects of private clouds, on the other hand, are their
own users and administrators, as well as the performance of legacy systems.
Likelihood of a Data Breach comply with. Worse yet, only one in four say they have received
What do respondents see as the likelihood of a data breach in assurances that their data will be expunged after the contract with
their cloud environments over the next 12 months? One-third of the provider ends. (See Figure 5.)
public cloud users say a breach is likely. Even private clouds are Adding to this sense of insecurity, a majority of data managers,
not exempt from such threatsone-fourth of private cloud users 58%, cannot assure, or simply dont know, whether their cloud
fear a breach is likely. (See Figure 1.) Thats why some data managers providers are keeping employees from breaking into or abusing
report greater vigilance. One respondent, for example, recommends such data. Only one-third say their public cloud data is encrypted,
frequent audits and drills, using highly qualified hackers, to test and and fewer than three in 10 say the encryption keys are kept out of
identify any vulnerabilities and report to fix. reach of public cloud staff members. Just over one in four says their
provider audits user activities. (See Figure 6.)
Better Security on Premise Versus Public Clouds More due diligence is required. One respondent laid out the
Data managers are divided on whether public cloud security is details of what enterprises need to ask of cloud providers to ensure
superior to what they have on premises. Forty-eight percent feel all data will remain secure. Due diligence should include providing
that moving from traditional on-premises to public cloud security detailsbackground checks, experience levels, foreign national
could provide better security overall, while one-third say this is not disclosures, etc.about their employees administrating the data
the case, and another one in five simply dont know. (See Figure 2.) and services, the respondent said. Ask vendors to provide a
detailed architectural diagram of their storage and infrastructure,
Greatest Risks Posed by Cloud to reduce single points of failure, as well as physical access policies
Public cloud users believe that other tenants pose the greatest disclosures, backup and recovery processes, and point-in-time
risk to the security of their services, even more so than hackers recovery.
and criminals. Seven in 10 believe the tenants using the same
cloud resources could jeopardize the security of their own services. Cloud Vendor Reports
In addition, enterprise data managers are just as worried about What are the top security-related reports data managers receive
vendors administrators as they are about external hackers. Close to related to cloud usage? For public cloud users, the most prevalent
three in five expressed concern about the degree of privileged access event notifications include user activity reports (creations, updates,
granted to the cloud providers administrators. (See Figure 3.) deletions), received by 45%, along with 42% being provided with
What are the greatest risks or vulnerabilities to enterprises reports on reads and updates of sensitive data. Forty-two percent
cloud environments? The behavior and degree of internal access also receive updates on unused user accounts. On the private cloud
among providers are the risks that worry public cloud users the side, two in three receive updates on key management activity, and
most. For private cloud users, the risk is of a different naturesix 63% also receive reports on locked user accounts. (See Figure 7.)
in 10 worry about the performance and accessibility of their legacy Its important to select cloud providers who work very closely
applications within a corporate cloud. (See Figure 4.) with customers during planning, implementation, and sustain
activities, a respondent noted. Our provider does this, which
Cloud Vendor Assurances is why we use them for secure applications even though they are
Unfortunately, data security assurances by public cloud expensive.
providers appear to be few and far between. Among public cloud There are many sensitive data types that managers would
users in the survey, 46% say either they do not receive assurances, consider storing in highly secure public cloud environments,
or simply do not know if they have received such guidance. In including HR data, customer information, and encryption keys.
addition, only 38% could say that their providers will notify them A majority, 51%, would have no issue in placing production data
of any security breaches. In addition, only two in five say they meant for testing within public cloud settings. More than two-fifths
are informed of security vulnerabilities, and just over one-third would also move audit data to public cloud environments (See
are made aware of what government regulations their providers Figure 8.)
5
Figure 1: What
do you see as the likelihood of a data breach in your cloud
environment over the next 12 months?
Public Private
Highly unlikely 15% 27%
Somewhat unlikely 23% 23%
Somewhat likely 24% 21%
Highly likely 9% 5%
Dont know 28% 24%
0 20 40 60 80 100
Figure 2: Do
you feel that moving from traditional on-premises to a public cloud
could provide better security overall?
Definitely 16%
Dont know 19%
Somewhat 32%
Not at all 33%
6
Figure 3: What are the greatest threats to your cloud environment?
Public Private
100
30% 41% 41% 41% 42% 59% 62% 62% 64%
80
70%
60
59% 59% 59% 58%
40
41%
38% 38%
36%
20
0
Other Cloud Opportunistic Nation Organized Internal Internal Internal Internal
tenants in provider hackers states criminals consultants adminis- text/dev business
the same administrators users users
cloud trators
7
Figure 4: What are the greatest risks or vulnerabilities to your cloud

environment?
Public Private
Limited or no auditing of admin access 57% 43%
Lack of security personnel and processes 53% 47%
Unknown software vulnerabilities (zero-day

51% 49%
attacks)
Limited or no control on admin access 51% 49%
Limited or no masking of data for test/dev 51% 49%
No data encryption or no key management 50% 50%
Stolen passwords 45% 55%
Unpatched software and insecure 44% 56%

configuration
40% 60%
Legacy web applications
48% 52%
Dont know/unsure
Multiple responses allowed 0 20 40 60 80 100
8
Figure 5: What types of data security assurances are offered by your public
cloud providers (Among public cloud computing users only)?
Notification of data breaches 38%

Notification of security vulnerabilities 36%
Compliance with government
regulations 34%
Notification of unauthorized
access to data 27%
Data is securely deleted upon
termination or contract 24%
None 9%
Dont know/unsure 37%
Figure 6: How do you ensure your public cloud provider is not accessing your
sensitive data (Among public cloud computing users only)?
The cloud provider encrypts my data 32%

The cloud provider does not have
direct access to the encryption keys 28%
The cloud provider audits user
activities 27%
The cloud provider implements
privileged user access controls 26%
The cloud periodically sends
audit or activity reports 22%
We cannot ensure this 25%
Dont know/unsure 33%
9
Figure 7: What are your top security-related reports for the cloud?
Public Private
User creation/updates/deletion report 45% 55%
Read/updates to sensitive data report 42% 58%
Unused user account report 42% 58%
Unusual activity report 41% 59%
User activity report 40% 60%
Privileged user activity report 40% 60%
Privilege and role grants report 40% 60%
User login/logout report 39% 61%
User failed login report 39% 61%
Security configuration report 39% 61%
Locked user account report 38% 63%
User entitlement report 38% 63%
Key management activity report 35% 65%
Dont know/unsure 54% 46%
10
Figure 8: Which of the following would you consider storing in a highly

secure public cloud environment?
Other
Production data for use in testing 51% 9%
Medical data 18%
Customer financial data 32%
Audit data 41%
Salary and HR data 34%
Certificates 38%
Security policies/settings 34%
Encryption keys
35%
11
CLOUD FORMATIONS
Cloud is widespread, with a majority of enterprises now using or considering cloud services for application, platform, and
infrastructure needs. Most deployments at this time are in the early or piloting stages, and involve private clouds. A majority expect
to see the number of applications both within public and private clouds grow to some extent during this time. This expansion is
likely to occur faster within private clouds.
Cloud Service Models the early stages of their cloud journeys. Twenty-eight percent are
What service models are organizations using or considering still evaluating how public cloud will fit into their organizations.
for public or private cloud? Close to eight in 10 either run, or are Another 47% are either actively learning about the technology
moving to, software as a service (SaaS), while just over half are or are in the beginning stages. Only 12% consider themselves to
adopting, or using either or both, platform as a service (PaaS), or be advanced public cloud sites. Enterprises are farther along
infrastructure as a service (IaaS). (See Figure 9.) in their private cloud journeys, however. Twenty-six percent of
On the public cloud side, SaaS-related services are in vogue respondents regard themselves to be advanced users of private
sales and marketing applications dominate. For the private cloud cloud implementations. Another 44% are in the beginning or
side, IT-centric workloads are more the norm: databases, disaster learning stages of private cloud, while 16% are still considering
recovery, and backup. There is a sizable segment of respondents adoption. (See Figure 12.)
however, 65%, running elements of their ERP systems as part of At these early stages of cloud, organizations are still only using
their private cloud environments. (See Figure 10.) a relative handful of services. For the most part, respondents
enterprises are using one to 10 private cloud services and up to
Private versus Public Adoption five public cloud services, the survey finds. (See Figure 13.) A
Private cloud adoption is well ahead of public services. Forty- majority expect to see the number of applications both within
three percent run applications and databases within private public and private clouds grow to some extent during this time.
clouds, almost double the percentage running public cloud This expansion is likely to occur within private clouds at a faster
services. (See Figure 11.) pace. Close to one-fourth of respondents anticipate that the
How far along are organizations in their adoption of private or number of applications within their private cloud settings will
public clouds? Most data managers consider themselves to be in increase substantially. (See Figure 14.)
12
Figure 9: What service model is your organization using or considering for

public or private cloud?
SaaSSoftware IaaSInfrastructure as a Service 56%

as a Service 78%
PaaSPlatform as a Service 55%
Figure 10: What are your leading workloads or applications for cloud?
Public Private
Sales 55% 45%

Marketing (including social engagement) 54% 46%
Web front ends 54% 46%
Service 46% 54%
Big data management 45% 55%
Development/testing 42% 58%
Application tier
40% 60%
Human capital management
40% 60%
Reporting/BI/analytics
40% 60%
Scientific/technical applications
38% 63%
Production workload/applications
35% 65%
Enterprise resource planning
33% 67%
Storage
31% 69%
Supply chain management
Backup 31% 69%
Disaster recovery/business continuity 29% 71%
Database 28% 72%
Dont know 54% 46%
Multiple responses allowed

0 20 40 60 80 100
13
Figure 11: H
ave you deployed a private cloud or do you use a public cloud
to run your databases/applications?
Public Private
Yes 24%
43%
Under consideration 30%
20%
0 20 40 60 80 100
Figure 12: H
ow far along is your organizations adoption of private or
public clouds?
Public Private
Advancednumerous applications/ 12%

26%
databases
24%
Beginnerfew applications/databases 24%
Learningpiloting or experimenting 23%

20%
Consideringevaluating; doing 28%
feasibility study 16%
Dont know 14%

14%
0 20 40 60 80 100
14
Figure 13: How

many of your applications are in your private or public cloud?
Public Private
100
80
29%
60
21%
40
40%
29%
20 9% 21% 10%
8%
11% 4% 3%
2% 12%
12%
4%
0
00 None 1-5% 6-10% 11-25% 26-50% 51-100% More than Dont know
100%
Figure 14: To
what extent do you expect the number of applications to change
within your private or public cloud over the next two years?
Public Private
Increase substantially 18%

22%
Increase somewhat 40%
37%
0 20 40 60 80 100
15
DATA IN THE CLOUD
Organizations are comfortable with storing or managing large amounts of data within their private clouds. A majority
anticipate increased volumes of data going to both public and private clouds in the near future. One in five indicates that sensitive
data is managed within their private clouds, while one in 10 have sensitive data shared with public services.
Private clouds are the destination of choice when it comes of the public cloud applications they use involve the handling of
to data storage, the survey finds. One-third report they are such data. (See Figure 17.)
entrusting a significant portion of their data (defined in this
survey as more than 25% of their total data stores) to private Regulated Data Types
cloud. However, only 13% entrust this much data to public cloud Many types of regulated data are also making their way to the
providers. Instead, a large segment, 42%, have one-tenth or less cloud. About half of the enterprises in the survey are willing to
of their data in public cloud environments. (See Figure 15.) A store such data with public cloud providers, and more than half
majority expect to see an expansion of data within both their are storing such data in private clouds. The type of data most
public and private cloud implementations. Within private clouds, likely to be stored with public providers is federal compliance,
one in five expects a substantial surge in data over the coming food, drug, and DNA-related information, as well as payment
24 months. (See Figure 16.) card data. Within private clouds, the data most likely to be seen
includes corporate compliance and healthcare data. (See Figure
Sensitive Data Types 18.) However, not all applicable regulations are covered under
What percentage of cloud applications contains sensitive data, service-level agreements with their public cloud providers. A
such as intellectual property, personally identifiable, payment majority of data managers say their public cloud providers either
card, or personal health information? One in five respondents do not cover regulatory compliance requirements for data within
indicates that a majority of their private cloud applications are their service-level agreements, or they simply dont know whether
managing such sensitive data. Likewise, one in 10 says a majority there is such coverage. (See Figure 19.)
16
Figure 15: A
pproximately how much of your data is stored or managed within
your private or public cloud environment?
Public Private
100
80
60
40 18% 14%
15%
28%
25% 10%
20
11% 10% 13%

15% 10% 15%
7%
5% 3% 3%
0
None >5% 5-10% 11-25% 26-50% 51-75% 76-100% Dont know
17
Figure 16: T o what extent do you expect the amount of data stored or managed
within your private or public cloud environment to change over the
next two years?
Public Private
17%
Increase substantially 21%
39%
Increase somewhat 38%
22%
Not really change 21%
0%
Decrease somewhat 2%
1%
Decrease substantially 2%
Dont know 19%

18%
0 20 40 60 80 100
18
Figure 17: W
hat percentage of your cloud applications contains sensitive data
(for example, intellectual property, personally identifiable, payment
card, or personal health information)?
Public Private
100
80
60 20%
40 42%
15% 12%
20
11% 10% 13%
10% 14%
11% 9% 7%
8%
4% 4% 6%
0
None 1-5% 6-10% 11-25% 26-50% 51-75% 76-100% Dont know
19
Figure 18: W
hat types of regulated data are you storing or planning to store
in the cloud?
Public Private
Federal data (e.g., FISMA) 35% 65%
Food, drug, & DNA-related data (e.g., FDA) 35% 65%
Power & energy-related data (e.g., NERC) 33% 67%
Payment card data (e.g., PCI) 33% 67%
Educational records (e.g., FERPA) 31% 69%
State & local government data 30% 70%
Personally identifiable information (PII) 28% 72%
Internal Controls Audit data 27% 73%

(e.g., SAS 70, SSAE16)
National defense-related data (e.g., ITAR) 24% 76%
Corporate financial data (e.g., SOX) 23% 77%
Healthcare data (e.g., HIPAA/HITECH) 23% 77%
None 54% 46%
0 20 40 60 80 100
Figure 19: A
re all of your applicable regulations mentioned in the previous
question covered under your service-level agreement with your
public cloud provider (among public cloud users only)?
Yes 43%
Dont know 33%
Some
17%
No 7%
20
CONCLUSION
The ever-expanding movement of data into the cloud opens enterprise data centers are capable of delivering, according
up new challenges to enterprises concerned about security. For to close to half of enterprise data managers. However, cloud
users of external or public cloud services, there are perceived providers are not yet stepping up to this opportunity. Most of
risks to having sensitive corporate data maintained by a third the professionals in this survey say they do not have assurances
party. Private and hybrid clouds are not immune to security that their public cloud providers are doing enough to protect
vulnerabilities, however. The proliferation of data across various their data.
parts of the enterprise, along with potential insider abuse, also Still, many enterprise data managers are now comfortable
creates new data security issues. with the idea of moving their data to the cloudwhether public
There is a need to balance security with transparency and or private. However, as cloud data management and storage
access, as found in this survey of 306 IT professionals. Nearly become more ubiquitous in enterprises, this survey shows that
one-third of respondents expect to experience some type of a shift is necessary in security from merely detecting breaches
data breach within their cloud environments over the coming to more preventive measures such as encryption and stronger
year. Public cloud services may offer greater protection than access control.
21
DEMOGRAPHICS
Figure 20: What is your primary job title?
Database Administrator (DBA) 26%
Architect/Engineer (security,
systems, data, etc.) 14%
Chief/VP
(CIO, CSO, CTO, IT, IS, etc.) 12%
Director/Manager of IS/IT or
computer-related function 9%
Programmer/Developer 7%
IT/Cloud Operations Manager 6%
Project Manager 5%
Systems Administrator 4%
Director/Manager of a business
unit (non-computer-related) 4%
Analyst/Systems Analyst 3%
Director/Manager of Security
Functions 1%
Applications Administrator 2%
Other 7%
0 20 40 60 80 100
22
Figure 21: H
ow many employees are in your entire organization (include all
locations, branches, and subsidiaries)?
1-100 employees 21%
101-500 employees 15%
501-1,000 employees 10%
1,001-5,000 employees 18%
5,001-10,000 employees 11%
More than 10,000 employees 26%
0 20 40 60 80 100
Figure 22: H
ow long has your organization been in business?
Less than 1 year 1%
1-2 years 3%
2-5 years 4%
6-10 years 11%
More than 10 years 81%
0 20 40 60 80 100
23
Figure 23: What is your primary industry?
IT Services/Consulting/
System Integration 21%
Financial Services 10%
Government (all levels) 10%
Education (all levels) 8%
Healthcare/Medical 7%
Software/Application
Development 7%
Business Services 6%
Insurance 4%
Manufacturing 4%
Non-Profit 3%
Retail/Distribution 3%
Utilities 2%
Telecommunications 2%
Transportation 2%
High-Tech Manufacturing 2%
Consumer Services 1%
Construction/Engineering 1%
Energy (oil, gas, etc.) 1%
Other 7%
0 20 40 60 80 100

Perspectives From Leading It Professionals 2016 Ioug Cloud Security Survey

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Perspectives From Leading It Professionals 2016 Ioug Cloud Security Survey

Uploaded by

Copyright:

Available Formats

PERSPECTIVES

By Joseph McKendrick, Research Analyst

Data in the Cloud15

Read on to learn more about our latest findings on the state of

Highly unlikely 15% 27%

Somewhat unlikely 23% 23%

Somewhat likely 24% 21%

Dont know 28% 24%

Figure 3: What are the greatest threats to your cloud environment?

Figure 4: What are the greatest risks or vulnerabilities to your cloud

Limited or no auditing of admin access 57% 43%

Lack of security personnel and processes 53% 47%

Unknown software vulnerabilities (zero-day

Limited or no control on admin access 51% 49%

Limited or no masking of data for test/dev 51% 49%

No data encryption or no key management 50% 50%

Stolen passwords 45% 55%

Unpatched software and insecure 44% 56%

Multiple responses allowed 0 20 40 60 80 100

Notification of data breaches 38%

Multiple responses allowed 0 20 40 60 80 100

The cloud provider encrypts my data 32%

Multiple responses allowed 0 20 40 60 80 100

Read/updates to sensitive data report 42% 58%

Unused user account report 42% 58%

Unusual activity report 41% 59%

User activity report 40% 60%

Privileged user activity report 40% 60%

Privilege and role grants report 40% 60%

User login/logout report 39% 61%

User failed login report 39% 61%

Security configuration report 39% 61%

Locked user account report 38% 63%

User entitlement report 38% 63%

Key management activity report 35% 65%

Dont know/unsure 54% 46%

Multiple responses allowed 0 20 40 60 80 100

Figure 8: Which of the following would you consider storing in a highly

Salary and HR data 34%

Figure 9: What service model is your organization using or considering for

SaaSSoftware IaaSInfrastructure as a Service 56%

PaaSPlatform as a Service 55%

Sales 55% 45%

Disaster recovery/business continuity 29% 71%

Database 28% 72%

Dont know 54% 46%

Multiple responses allowed

Advancednumerous applications/ 12%

Learningpiloting or experimenting 23%

Dont know 14%

Figure 13: How

Increase substantially 18%

DATA IN THE CLOUD

11% 10% 13%

Dont know 19%

Food, drug, & DNA-related data (e.g., FDA) 35% 65%

Power & energy-related data (e.g., NERC) 33% 67%

Payment card data (e.g., PCI) 33% 67%

Educational records (e.g., FERPA) 31% 69%

State & local government data 30% 70%

Personally identifiable information (PII) 28% 72%

Internal Controls Audit data 27% 73%

National defense-related data (e.g., ITAR) 24% 76%

Corporate financial data (e.g., SOX) 23% 77%

Data in the Cloud15

Figure 3: What are the greatest threats to your cloud environment?

Figure 4: What are the greatest risks or vulnerabilities to your cloud

Figure 8: Which of the following would you consider storing in a highly

Figure 9: What service model is your organization using or considering for

Database Administrator (DBA) 26%

IT/Cloud Operations Manager 6%

1-100 employees 21%

101-500 employees 15%

501-1,000 employees 10%

1,001-5,000 employees 18%

5,001-10,000 employees 11%

More than 10,000 employees 26%

Less than 1 year 1%

6-10 years 11%

More than 10 years 81%

Financial Services 10%

Government (all levels) 10%

Education (all levels) 8%

Energy (oil, gas, etc.) 1%