Ponemon Institute is pleased to present the results of Cloud Security: Managing Firewall Risks. Sponsored by Dome9 Security, this research was conducted to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. We believe this is the first study to look at the risk to cloud security because of unsecured ports and firewalls.
The study surveyed 682 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. On average, respondents have more than 10 years of IT or IT security experience. Only IT practitioners working in organizations that use hosted or cloud servers (dedicated or virtual private server) completed the survey. The majority of respondents report that their organizations use both public clouds and hybrid (semi-public) clouds. Forty percent are employed by organizations with a worldwide headcount of more than 5,000.
According to the majority of these respondents (52 percent), the state of cloud server security management is either fair or poor, and 21 percent had no comment. This concern can be partly attributed to the finding that 42 percent fear that they would most likely not know if their organizations’ applications or data were compromised by a security exploit or data breach involving an open port on a cloud server.
The topics addressed in this study include:
- Perceptions about organizations’ ability to mitigate the risk to their cloud servers
- Barriers to efficiently managing security in the cloud server
- Responsibility for managing cloud security risks
- The risk of open ports in a cloud environment
- The importance of certain features to securing the cloud server
The next section reports the key findings of our independently conducted survey research. The results provide strong evidence that organizations’ cloud servers are vulnerable, most IT personnel do not understand the risk and it is a challenge to secure access to and generate reports for cloud servers.
Respondents do not give high marks to their organizations’ cloud server security. More than half (52 percent) rate their organizations’ overall management of cloud server security as fair (27 percent) or poor (25 percent).
Twenty-one percent of respondents have no comment about the status of cloud server management in their organizations, which could indicate a lack of knowledge about how their organizations are managing access and securing firewalls and ports in their cloud environments.
In fact, 54 percent of respondents say the IT personnel within their organization have no knowledge about the potential risk of open firewall ports in their cloud environments.
Manually configuring a cloud server firewall frustrates IT practitioners. Eighty-five percent of respondents strongly agree or agree that configuring their organizations’ cloud server firewall manually is a difficult and sometimes frustrating process. In fact, 79 percent of respondents believe being able to efficiently manage security in the cloud environment is just as important as the security itself.
Most respondents (81 percent) agree that in the cloud environment, opening or closing ports to servers containing their organizations’ applications or data is managed via controls provided by the cloud service provider.
Scalability and cost, according to IT practitioners, are reasons for not having a cloud server firewall management solution. Sixty-one percent of respondents say their organization does not have a cloud server firewall management solution. Of those who do not have the solution, 62 percent say it is because the solutions are not scalable, 59 percent say they cost too much and 57 percent say solutions are not available. Of the 39 percent who say they do have a cloud server firewall management solution, more than half (54 percent) say it is because they manage the cloud server firewall manually.
Responsibility for security in the cloud server usually rests with either IT operations or the business units. Forty-one percent of respondents say IT operations is most responsible for ensuring servers that house the organizations’ applications and data in the cloud are adequately secured. The groups most responsible for making sure the cloud provider has adequate security controls in place are the business functions, according to 37 percent of respondents, followed by 35 percent who say it is IT operations.
In general, 36 percent believe the cloud provider is most responsible for ensuring security of the cloud operations that support applications and data, followed by 33 percent who say this responsibility is shared between the cloud provider and cloud user.
IT practitioners report that locking out an organization’s access to a cloud server is likely to happen. When asked if a systems administrator could lock out the organization’s access to a cloud server after configuring the cloud server firewall, 65 percent say this is very likely or likely to happen. Twelve percent say it already has.
Leaving administrative server ports open and vulnerable to hackers is likely to happen, according to respondents. More than half (51 percent) of respondents say it is very likely or likely that in order to access cloud servers the administrative server ports are left open and the company is then exposed to increased hacker attacks and security exploits. Nineteen percent say this has already happened.
Data and applications in the cloud server are at risk because of the inability to manage access and secure ports and firewalls. According to 67 percent of respondents, their organizations are very vulnerable or vulnerable because ports and firewalls in the cloud environment are not adequately secured. Less than half (46 percent) of respondents say they have IT operations and infrastructure personnel who are very knowledgeable or knowledgeable about this risk.
Automated firewall policy management is more important in the cloud environment because it is elastic, according to 40 percent of respondents. Thirty-six percent say their organization cannot manage access or generate reports efficiently and 29 percent say they manage access through the cloud provider’s tools but cannot see the access reports.
Automatic firewall configuration, an inexpensive solution and centralized control over all closed and open ports on cloud servers top the wish list of IT practitioners. Seventy-eight percent of respondents say the feature most important from a proprietary software download to each cloud server containing applications and data is a solution that closes ports automatically. This feature is followed by a solution that costs companies about 20 percent of the cost of the managed service solutions and a solution that provides centralized control over all closed and open ports on cloud servers.
The IT practitioners in our study acknowledge that cloud server security is vulnerable and open ports expose the company to increased hacker attacks and security exploits. According to the findings in this study, some of the main barriers to mitigating risks include the current perception that cloud server security is not a priority and the lack of IT operations and infrastructure employees who are knowledgeable about the importance of securing ports and access.
We also learned that accountability for the security of cloud servers is rarely with IT security but with the business units or IT operations. We believe the primary reason for this perception is that in general the business units and not IT security are most responsible for provisioning cloud services. For example, research and engineering developers are adopting the cloud faster than IT departments and in many cases IT departments are not involved in the adoption and deployment of cloud services.
Based on the findings, it is recommended that organizations take the following steps:
- Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.
- Investigate solutions that are both efficient and cost effective.
- Create accountability for cloud server security.
- Make sure those who are accountable are knowledgeable about the risks.
- Ensure that the cloud service providers have appropriate controls in place.
- Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.
As more data and applications migrate to the cloud, security of the cloud server should become a significant priority for the organization. These recommendations should help IT practitioners make a difference in reducing the risk of a potentially costly and damaging attack.
Ponemon Institute – Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.