Yet more evidence emerges that your data is safer with a cloud provider than it is when stored on an enterprise's own IT systems. eWeek last week reported on a survey by the Ponemon Institute and security company Imperva, which found that only a third of smaller companies have bothered to implement the Payment Card Industry's (PCI) Data Security Standard, introduced in 2005 by the major credit card companies to protect customers' personal information. Here's the most disturbing finding from the survey of 560 US and multinational organizations:
"According to the survey, 79 percent have experienced a data breach involving the loss or theft of credit card information and 60 percent of respondents didn't think they had sufficient resources to comply with PCI and bring about a necessary level of cardholder security."
IDG News Service reported another disturbing finding:
"Around 10 percent of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), [Amichai] Shulman, [Imperva's CTO] said ... 'I would find it very hard to explain why I'm not using SSL as part of my PCI compliance,' Shulman said. 'It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it'."
In my personal view, none of these businesses have the least excuse for their cavalier attitude to the security of customer data. If they're not prepared to invest in adequate security, then they should move their payment processing to a SaaS provider without a moment's delay. Any reputable SaaS provider will provide robust PCI compliance as a default feature. Not using SaaS in such circumstances is a gross dereliction of duty.
Security depends on how an organization implements it, not whether it is on-premise or off-premise. In many cases, on-premise solutions tend to lack proper application security, and the firewall presents a false sense of security. But it is not an on-premise vs. off-premise comparison. For every insecure on-premise case study there is an insecure off-premise case study.
Thanks for the comment, Mike, but I disagree.
Off-premise - or more explicitly, on-cloud - has more scrutiny because there are multiple clients of the service rather than a single one. Therefore the cloud or SaaS provider is far less likely to take (or overlook) risks with security.
In other words, this is not a random distribution of careless security on and off the cloud. On-premise is, on average, significantly less reliably secure than on-cloud.
Phil, your response is probably true on average. But I have to agree it's case by case. And who cares how secure it is if the provider goes out of business or locks you in to how and where you can keep and use your data.
In general, it also needs to be clear that SaaS and cloud are not synonymous. Any multi-tenant cloud provider, whether SaaS, PaaS, IaaS, or even managed host, will be providing on average a better compliance-based environment. And when it's not SaaS, on average, the customer will have more flexibility.
Phil,
You are spot on. The cloud vendors have way more responsibility and obligation to make the deployment more secure. I have blogged on this topic many times in the past. Here is the recent blog post that is about debunking a Forrester report on the security.
http://cloudcomputing.blogspot.com/2009/07/debunking-cloud-security-issues.html
Thanks!
Chirag
Taking a step back - IT and internet security is not the core competency of most (all?) of the respondents to the survey. Even if they have outsourced the implementation, it is not part of their core business to maintain and evolve their infrastructure within this fast-paced and fast-changing field of technology. And so they won't. The decision-making process would probably be "fire and forget" once the minimum requirements were perceived to have been met. The data reveals to me what should be intuitive.
Generally speaking Phil, I agree with you. I would also add that tokenization is an additional layer of security merchants can add to increase credit card data security. By replacing credit card information with faux data (tokens), even if a merchant is breached (on-premise or in the cloud), there is nothing of value to be stolen.
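The tokenization idea in the comment above, as an added illustration that is not part of the original post or the commenter's words: a hypothetical token vault is the only component that ever handles the card number (PAN). The merchant's own records keep a random token plus the last four digits, so a copy of the merchant database contains nothing that can be used to charge a card. The vault class, the `payment-gateway` caller name and the `tok_` token format are assumptions made for this example.

```python
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check.
    Used only as basic input validation before tokenizing."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Hypothetical token vault (assumption for this example).

    Tokens are generated from a CSPRNG, not derived from the PAN, so
    a token alone leaks nothing; recovering the PAN requires the vault
    and an authorised caller. A real vault would keep its mapping in an
    encrypted, access-controlled store; a dict stands in for it here."""

    # Only these caller identities may turn a token back into a PAN.
    AUTHORISED_DETOKENIZERS = {"payment-gateway"}

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Same PAN -> same token, so the merchant can recognise a repeat card.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random body; the last four digits are kept for receipts and
            # customer display. The "tok_" prefix makes the value
            # impossible to mistake for a real PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(12))
            token = f"tok_{body}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the PAN for a token; only an authorised caller may do this."""
        if caller not in self.AUTHORISED_DETOKENIZERS:
            raise PermissionError(f"{caller!r} may not detokenize")
        return self._token_to_pan[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant keeps after tokenizing: token and last four only, never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": token[-4:], "amount_cents": amount_cents}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Check whether a stored merchant record exposes the full card number."""
    pan = pan.replace(" ", "")
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: a well-known Visa test number, not a real card.
    order = store_order(vault, "4111 1111 1111 1111", 2599)
    print("merchant record:", order)
    print("exposes PAN?", record_contains_pan(order, "4111111111111111"))
    print("gateway sees:", vault.detokenize(order["card_token"], caller="payment-gateway"))
```

The point the example makes concrete is the one in the comment: the merchant application never needs detokenization rights, so a compromise of the merchant's own systems (on-premise or hosted) yields tokens and last-four digits only, while the vault remains a separately controlled component whose scope is small enough to secure and audit under PCI.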
"Any reputable SaaS provider will provide robust PCI compliance as a default feature..." well said.
I think when a small business owner installs software on premise, because of "over confidence", he/she may not maintain international data security standards. The cost factor towards security infrastructure can also be a reason. Whereas you can find built-in data and privacy standards in most of the credible cloud-based software solutions.
In the case of medium-sized and large business organizations, the IT department would be looking after the software in use. They can ensure the data security and privacy aspects of any on-premise applications.