This past year, the US federal government announced a "Cloud First" initiative (PDF) across all of federal computing. The goal is to reduce the government's IT service delivery and federal data center infrastructure costs by some 30%, this article in Fierce Government IT reports.

The US government, as well as commercial organizations and state governments, views cloud computing as a way to save money and to improve IT security. The belief is that cloud service providers are much better and more capable at IT security than their customers, if you read this Wall Street Journal article. As a result, computing in the cloud offers a safe computing haven.

Well, that belief may be more than a bit misplaced.

Among the findings of a CA Technologies-sponsored survey, conducted by the Ponemon Institute, of 103 cloud service providers in the US and 24 in six European countries:

"The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers."

"The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers."

"Buyer beware - on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met."

"Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services."

So, apparently from a cloud provider perspective, it is the cloud computing users' fault that cloud providers aren't making cloud security a high priority. If their customers don't demand it, cloud providers say they aren't going to provide it.

But this belief seems to be undercut by the result of the survey: "... [while] 69 percent of cloud providers see the cloud user as most responsible for security, ... only 35 percent of users believe they are most responsible for ensuring security."

This leads to a situation, the survey notes, where "... neither the company that provides the services nor the company that uses cloud computing seem willing to assume responsibility for security in the cloud."

Hackers must be laughing all the way to the bank. However, as a customer of those companies using cloud computing services, I don't particularly like being put at risk because of the discord.

You can read Ponemon's detailed survey results (PDF) or a quick summary of the results in an article at eWeek.

The eWeek article reports that the researchers conducting the survey were surprised by the results. However, given the long history of IT security being bolted on instead of being built into vendor products from the beginning, no one really should be.

Words of advice to potential cloud customers: Caveat emptor.

For customers of companies using clouds: Check your credit score often.
