A new Ponemon Institute survey on cloud security makes for disturbing reading. The responses of over a thousand IT security practitioners and compliance officers indicate that they're not on the same page - or even reading the same book - when it comes to assessing cloud risk, specifically in the infrastructure-as-a-service (IaaS) environment. They disagree on cost benefits, on vendor vetting, and on who's responsible for establishing policy. And, surprisingly, compliance officers, people who are paid to be paranoid, are far more sanguine about cloud security than the IT folk.
In the IaaS environment, your vendor provides the servers, power, upkeep and administration that (in theory) leave you free to focus on your business. You save money, the providers say, because you only pay for what you use, and indeed, over 50 percent of the compliance officers surveyed saw "lower IT operating costs" as a prime benefit of IaaS. (Of course, total cost of ownership in the cloud is endlessly debated. Only 27 percent of the IT people surveyed thought those savings would materialize.) But whenever you move data outside your enterprise, security becomes topic A, so the confidence of compliance officers was notable.
