The risk of a data breach in the cloud is multiplying and is now costlier and happens more frequently, according to a recent study by the Ponemon Institute.
But this phenomenon, which is dubbed the cloud multiplier effect, can be mitigated by a strengthened security posture, according to Larry Ponemon, chairman of the Ponemon Institute.
"It's funny, I'm a big believer in the cloud," Ponemon said. "I like cloud and I think cloud [has] improved quite a bit from a security perspective."
Cloud computing is not necessarily less secure, Ponemon said, but that is the perception among many of the study's respondents who view on-premises data breach as easier to control and less costly as a result.
"It's kind of a level of complexity you are adding because now you're relying on a third party to do the right steps," Ponemon said.
The fact that many cloud environments are secure is a sentiment echoed by several government CIOs who commented on the security of and possibility of a breach within their own cloud environments. "From what I know, and certainly from a mid-size city characteristic, the reputable cloud vendors have better security than we have," said Michael Armstrong, CIO of Corpus Christi, Texas.
Still, there are notes of cloud security pessimism from IT officials and security practitioners throughout the study, Data Breach: The Cloud Multiplier Effect, published in June. For instance, 66 percent of respondents said their organization's use of a cloud resource diminishes its ability to protect confidential sensitive information, according to the study, sponsored by Netskope.
The study published and commented on the responses from 613 IT practitioners on questions related to cloud security, including who is responsible for a breach after it happens.
Although it's impossible to know the motivations of the study's respondents, Ponemon said he suspects their mixed view of cloud security is itself a mix of truth and perception.
Corpus Christi has had some major business applications in the cloud for five years, including the full Infor Lawson suite of applications in the Infor Business Cloud. Armstrong said there is sensitive information he won't store in the cloud now, though he will likely reconsider in the next decade since cloud vendors are getting more reliable and secure.
Although there is some distrust surrounding security in the cloud, 51 percent of respondents in the study answered that on-premises IT is equal to or less secure than cloud-based services.
"There are things that make the cloud very, very secure. You just have to be careful and have some vigilance," Ponemon said.
King County, Wash., has platforms in place to cover the three areas of cloud computing -- IaaS (infrastructure as a service) with Amazon and DLT, PaaS (platform as a service) with Microsoft CRM and Office 365, and SaaS (software as a service) with the county's prosecuting attorneys' case management system.
Each cloud project was held to the county's security and audit requirements, and had to get clearance from the county's team, including risk managers, prosecuting attorneys, Health Insurance Portability and Accountability Act and criminal justice information services security specialists, an IT security officer, and procurement and contracts officers.
Bill Kehoe, CIO of King County, said he takes time to educate his staff about cloud environments and their risks. "I think you've got to be careful," he said. "You can't just throw your data into any cloud environment."
That's one reason why the county contracts with established cloud vendors, like Amazon and Microsoft, he said, adding that security staff, standard cloud architecture, security controls and diverse audits all figure into the security of larger cloud environments.
According to the study, there is a general feeling that outside forces, not internal security, are to be relied on to protect data in the cloud. That's because 55 percent of practitioners responded that they don't believe their IT leader is responsible for ensuring their information is secure.
"I would submit that it's everyone's responsibility to ensure the safety of the data in the cloud," Encinias said. "It's the service provider's responsibility, it's the data owner's responsibility and, as the commonwealth of Pennsylvania CIO, I'm also definitely responsible."
With responsibility distributed, however, the terms and conditions of cloud contracts become more difficult to agree on, because the two parties must decide which of them will pay, and when, Encinias said.
Pennsylvania's recently executed contract with Unisys, which took four to five months to put together, states that the cloud provider must supply certain information during a breach and must also help facilitate mitigation. In the case of a breach, responsibility is assigned after an analysis, Encinias said.
And once a breach occurs, everything circles back to indemnification, or the protection from having to pay for another's negligence, Corpus Christi's Armstrong said. Indemnification appears in contracts, but cloud users are also protected by regulatory penalties and laws.
"The element of risk that you bear is defined in your contract documents," Armstrong said, "so it really pays, whatever time it takes, to get that right."
King County's Kehoe said he's finding that who is responsible and to what tune varies depending on the cloud environment and what portion of the technology stack the vendor is responsible for. Since breaches are costly, he said this nuance is important for his staff to understand.
"The cloud is so new to government that our security, risk management and legal counsel need to better understand the risks and how the contracts need to be different in terms of indemnification language for each of the cloud environments," he said.
For instance, IaaS and PaaS can make it harder to parse responsibility because risk and responsibility are more widely shared, whereas with SaaS, the vendor owns everything but the data.
Along with deciding who is responsible for a breach, there also are questions surrounding timely breach notifications from cloud service providers. The survey reports that 71 percent of respondents fear their provider would not immediately notify their organization in a loss or theft of customer data.
Timely notification can be a problem, Ponemon said, along with whether stolen or lost data is discovered by the cloud provider.
Notification of a breach is a contract element, and monitoring data and suspicious activity is the responsibility of the hosting company, Armstrong said. But a lot also depends on the relationship between the vendor and the purchaser.
"At some point you've got to develop a level of trust that they have your interest in mind and that they're going to do the right thing," he said. "If you selected a good partner, if there is a data breach, you'll be able to work through that and understand the root cause of it."
To help with the indemnification and communication questions, many governments, including Corpus Christi, are covering themselves with data breach insurance that protects governments from things like notification costs and federal penalties, which are levied before responsibility is declared.
"None of this stuff is really straightforward yet, so you've got to protect yourself," Armstrong said.
Indeed, the market for insurance is on the rise, with an adoption rate of about 30 percent, Ponemon said. Companies with good security practices are likelier to hold such insurance, according to another Ponemon Institute study quantifying the cost of a data breach.
Options like insurance can protect municipalities that may not have the right tools or resources in a data breach, Ponemon said.
And if going with cloud makes sense, Ponemon suggests organizations make the decision looking at the whole picture: "Make sure it's not just a cost decision, that it's based on cost, quality, the ability to deploy quickly. All of that good stuff should be determined in advance. Then I think it would be, in many cases, a big improvement for government organizations.
"The key," he added, "is if you're going to do cloud, just do it safely."
Jessica Hughes is a regular contributor to Government Technology and Emergency Management magazines.