Managing Firewall Risks in the Cloud
Survey of U.S. IT & IT Security Practitioners




Sponsored by Dome9 Security
Independently conducted by Ponemon Institute LLC
Publication Date: November 2011




Ponemon Institute© Research Report
Managing Firewall Risks in the Cloud
Ponemon Institute, November 2011

Part 1. Introduction

Ponemon Institute is pleased to present the results of Managing Firewall Risks in the Cloud.
Sponsored by Dome9 Security, this research was conducted to determine the challenges
organizations face when managing access and securing firewalls and ports in their cloud
environments. We believe this is the first study to look at the risk to cloud security because of
unsecured ports and firewalls.
The study surveyed 682 IT and IT security practitioners (hereafter referred to as IT
practitioners) in the United States. On average, respondents have more than 10 years of IT or
IT security experience. Only IT practitioners working in organizations that use hosted or cloud
servers (dedicated or virtual private server) completed the survey. The majority of respondents
report that their organizations use both public clouds and hybrid (semi-public) clouds. Forty
percent are employed by organizations with a worldwide headcount of more than 5,000.

Imagine this. Can this happen to your organization?

    After configuring a cloud server firewall, a systems administrator inadvertently locks out
    your organization's access to a cloud server, thereby preventing it from processing a
    mission critical application.

    In order to access cloud servers, your organization leaves administrative server ports
    (such as SSH or Remote Desktop) open. These open ports expose the organization to
    increased hacker attacks and serious security exploits.

Our research shows that the majority of respondents (68 percent) say their organizations use
public cloud services. The most commonly cited service providers are listed in Bar Chart 1.

Bar Chart 1. The major public cloud service providers used by respondents' organizations
More than one choice is permitted

    AWS EC2        49%
    Azure          47%
    Google         45%
    RackSpace      38%
    GoGRID         30%
    Terremark      28%
    All others     24%


According to the majority of these respondents (52 percent), the state of cloud server security
management is either fair or poor, and 21 percent had no comment. This concern can be partly
attributed to the finding that 42 percent fear that they would most likely not know if their
organizations' applications or data were compromised by a security exploit or data breach
involving an open port on a cloud server.




The topics addressed in this study include:

  - Perceptions about organizations' ability to mitigate the risk to their cloud servers
  - Barriers to efficiently managing security in the cloud server
  - Responsibility for managing cloud security risks
  - The risk of open ports in a cloud environment
  - The importance of certain features to securing the cloud server

The next section reports the key findings of our independently conducted survey research. The
results provide strong evidence that organizations’ cloud servers are vulnerable, most IT
personnel do not understand the risk and it is a challenge to secure access to and generate
reports for cloud servers.




Part 2. Key findings

Respondents do not give high marks to their organizations’ cloud server security. Bar
Chart 2 shows more than half (52 percent) rate their organizations’ overall management of cloud
server security as fair (27 percent) and poor (25 percent).

Bar Chart 2. How do you rate your organization's overall management of cloud server
security today?

    Excellent      9%
    Good          18%
    Fair          27%
    Poor          25%
    No comment    21%

Twenty-one percent of respondents have no comment about the status of cloud server
management in their organizations, which could indicate a lack of knowledge about how their
organizations are managing access and securing firewalls and ports in their cloud environments.

In fact, as shown in Bar Chart 3, 54 percent of respondents say the IT personnel within their
organization are not knowledgeable (41 percent) or have no knowledge (13 percent) about the
potential risk of open firewall ports in their cloud environments.

Bar Chart 3. How knowledgeable are IT operations and infrastructure personnel within
your organization about the potential risk caused by open ports in the cloud environment?

    Very knowledgeable    14%
    Knowledgeable         32%
    Not knowledgeable     41%
    No knowledge          13%




Manually configuring a cloud server firewall frustrates IT practitioners. Bar Chart 4 lists
seven attributions or statements about the state of cloud security in respondents'
organizations.[1] Eighty-six percent of respondents strongly agree or agree that configuring their
organizations' cloud server firewall manually is a difficult and sometimes frustrating process. In
fact, 79 percent of respondents believe being able to efficiently manage security in the cloud
environment is just as important as the security itself. Most respondents (81 percent) agree that in
the cloud environment, opening or closing ports to servers containing their organizations'
applications or data is managed via controls provided by the cloud service provider.

Bar Chart 4. Respondents' perceptions about the state of cloud security and remote
management of firewalls
Strongly agree and agree response combined.

    Configuring your organization's cloud server firewall manually is a
    difficult and sometimes frustrating process.                               86%

    In the cloud environment, opening or closing ports to servers containing
    your organization's applications or data is managed via controls
    provided by the cloud service provider.                                    81%

    In the cloud environment, being able to efficiently manage security is
    just as important as the security itself.                                  79%

    In the cloud environment, the physical security of servers containing
    your organization's applications or data is primarily determined by
    the cloud service provider.                                                77%

    In the cloud environment, cloud server firewalls are the first place to
    stop attacks and prevent exploits of OS and application vulnerabilities.   73%

    In the cloud environment, user access to applications and data is
    primarily determined by username and passwords.                            72%

    The security of cloud servers containing my organization's applications
    and data is a significant priority.                                        52%




[1] In our survey we used attributions to capture the perceptions of respondents concerning the security of
cloud computing environments. These attributions or statements are evaluated using a five-point adjective
scale ranging from strongly agree to strongly disagree. A favorable or affirmative response is defined as a
strongly agree or agree response. A negative or non-affirmative response is defined as a strongly disagree,
disagree or unsure response.



Scalability and cost, according to IT practitioners, are reasons for not having a cloud
server firewall management solution. Pie Chart 1 shows 61 percent of respondents say their
organization does not have a cloud server firewall management solution. Of those who do not
have the solution, Bar Chart 5 shows 62 percent say it is because the solutions are not scalable,
they cost too much (59 percent) and solutions are not available (57 percent). Of the 39 percent
who say they do have a cloud server firewall management solution, more than half (54 percent)
say it is because they manage the cloud server firewall manually.

Pie Chart 1. Does your organization have a cloud server firewall management solution
deployed today?

    Yes    39%
    No     61%

Bar Chart 5. If no, why not? The solution is . . .

    Not scalable      62%
    Cost too much     59%
    Not available     57%
    Overly complex    49%
    Not dependable    43%




Responsibility for security in the cloud server usually rests with either IT operations or
the business units. Bar Chart 6a shows 41 percent of respondents say the IT operations
department or function is most responsible for ensuring servers that house the organizations'
applications and data in the cloud are adequately secured. Bar Chart 6b shows the groups most
responsible for making sure the cloud provider has adequate security controls in place: the
business functions (37 percent) followed by IT operations (35 percent). It is interesting to see
in both charts that IT security ranks relatively low in terms of having the most responsibility for
ensuring cloud server security.

Bar Chart 6. Who within your organization is most responsible?

6a. Who within your organization is most responsible for ensuring servers that house your
organization's applications and data in the cloud are adequately secured?

    IT operations               41%
    Managed service provider    20%
    IT security                 17%
    Business functions          15%
    Data center                  5%

6b. Who within your organization is most responsible for determining whether a given cloud
provider has adequate security controls in place to protect your organization's applications
and data?

    Business functions          37%
    IT operations               35%
    IT security                 21%
    Legal & compliance           5%
    Data center                  2%


Bar Chart 7 reports 36 percent believe the cloud provider is most responsible for ensuring
security of the cloud operations that support applications and data followed by 33 percent who
say this responsibility is shared between the cloud provider and cloud user.

Bar Chart 7. In general, who is most responsible for ensuring the security of cloud
operations that support your applications and data?

    Cloud user        31%
    Both are equal    33%
    Cloud provider    36%




IT practitioners report that locking out an organization’s access to a cloud server is likely
to happen. As noted in Bar Chart 8, when asked if a systems administrator could lockout the
organization’s access to a cloud server after configuring the cloud server firewall, 12 percent say
this has already happened and 43 percent say this is very likely to happen.

Bar Chart 8. Two cloud server firewall risk management scenarios.
How likely is each scenario?

    Scenario A: After configuring a cloud server firewall, a systems administrator
    inadvertently locks out the organization's access to a cloud server.

    Scenario B: In order to access cloud servers, your organization leaves administrative
    server ports open. These open ports expose the company to increased hacker attacks and
    security exploits.

                               Scenario A    Scenario B
    Already happened              12%           19%
    Very likely to happen         43%           42%
    Likely to happen              22%            9%
    Not likely to happen          18%           14%
    Will never happen              5%           16%

Leaving administrative server ports open and vulnerable to hackers is likely to happen, according
to respondents. The above chart also shows 19 percent of respondents say their organization
experienced additional hacker risk or security exploits because of exposed open ports on cloud
servers. Another 42 percent say it is very likely that administrative server ports are left open and,
thus, the company is exposed to increased hacker attacks and security exploits.
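The two scenarios in Bar Chart 8 are concrete enough to check for before a firewall change is applied. The following Python is an added example and is not part of the Ponemon/Dome9 report or any vendor product: it evaluates a proposed inbound rule set for administrative ports (SSH 22, RDP 3389) open to any address, and refuses a change that would leave the operator's own address without a path to the management port. The `Rule` shape, the operator address and the three rule sets are constructed for illustration using RFC 5737 documentation ranges; real provider security-group formats differ.

```python
"""
Added example (not from the Ponemon/Dome9 report): a pre-change check for the two
cloud firewall scenarios the survey asks about, exposed admin ports (Scenario B)
and operator lock-out after a firewall reconfiguration (Scenario A).
The Rule shape, addresses and rule sets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Administrative ports named in the report's scenario (SSH, Remote Desktop).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Rule:
    """One inbound TCP allow rule: a CIDR source plus an inclusive port range."""
    source: str      # CIDR such as "203.0.113.0/24"; "0.0.0.0/0" means anywhere
    port_from: int
    port_to: int

    def covers(self, port: int) -> bool:
        return self.port_from <= port <= self.port_to

    def network(self):
        return ipaddress.ip_network(self.source, strict=False)


def exposed_admin_ports(rules):
    """Scenario B: admin ports allowed from anywhere (prefix length 0, v4 or v6).

    Returns a sorted list of (port, name, source) tuples.
    """
    findings = set()
    for r in rules:
        if r.network().prefixlen != 0:
            continue
        for port, name in ADMIN_PORTS.items():
            if r.covers(port):
                findings.add((port, name, r.source))
    return sorted(findings)


def would_lock_out(rules, operator_ip, mgmt_port=22):
    """Scenario A: True if no rule lets operator_ip reach mgmt_port."""
    ip = ipaddress.ip_address(operator_ip)
    for r in rules:
        net = r.network()
        if r.covers(mgmt_port) and ip.version == net.version and ip in net:
            return False
    return True


def plan_change(current_rules, new_rules, operator_ip, mgmt_port=22):
    """Decide whether new_rules may replace current_rules.

    Refuses when the operator would be locked out of mgmt_port, and reports which
    world-exposed admin ports the change closes and which it still leaves open.
    """
    before = set(exposed_admin_ports(current_rules))
    after = set(exposed_admin_ports(new_rules))
    locked_out = would_lock_out(new_rules, operator_ip, mgmt_port)
    return {
        "apply": not locked_out,
        "reason": (f"operator {operator_ip} would lose port {mgmt_port}"
                   if locked_out else "operator access preserved"),
        "closed": sorted(before - after),
        "still_exposed": sorted(after),
    }


# Constructed sample data (RFC 5737 documentation ranges, not real infrastructure).
OPERATOR_IP = "203.0.113.7"          # assumed: the admin's current egress address
CURRENT_RULES = [                    # the state the survey describes: SSH/RDP open to all
    Rule("0.0.0.0/0", 22, 22),
    Rule("0.0.0.0/0", 3389, 3389),
    Rule("0.0.0.0/0", 443, 443),
]
BAD_PROPOSAL = [                     # tightens SSH but forgets the operator's own range
    Rule("198.51.100.0/24", 22, 22),  # assumed corporate VPN egress
    Rule("0.0.0.0/0", 443, 443),
]
GOOD_PROPOSAL = [                    # tightens SSH and keeps the operator reachable
    Rule("198.51.100.0/24", 22, 22),
    Rule("203.0.113.0/24", 22, 22),
    Rule("0.0.0.0/0", 443, 443),
]

if __name__ == "__main__":
    print("current exposure:", exposed_admin_ports(CURRENT_RULES))
    for label, proposal in (("bad", BAD_PROPOSAL), ("good", GOOD_PROPOSAL)):
        print(label, plan_change(CURRENT_RULES, proposal, OPERATOR_IP))
```

Run as a script, the check rejects `BAD_PROPOSAL` because the operator's address is no longer covered on port 22, and accepts `GOOD_PROPOSAL`, which closes both world-open admin ports while keeping a narrow allow for the operator's range. That is the trade-off behind the later survey item on keeping administrative ports closed "without losing access and control": the gate is run before the provider's rule update is pushed, not after.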




Data and applications in the cloud server are at risk because of the inability to manage
access and secure ports and firewalls. According to Bar Chart 9, two-thirds (67 percent) of
respondents say their organizations are very vulnerable or vulnerable because ports and firewalls
in the cloud environment are not adequately secured. Less than half (46 percent) of respondents
say they have IT operations and infrastructure personnel who are very knowledgeable or
knowledgeable about this risk.

Bar Chart 9. How vulnerable is your organization because it does not adequately secure
ports and firewalls in cloud environments?

    Very vulnerable    32%
    Vulnerable         35%
    Not vulnerable      9%
    Unsure             24%


Automated firewall policy management is more important in the cloud environment because it is
elastic, according to 40 percent of respondents. Thirty-six percent say their organization cannot
manage access or generate reports efficiently and 29 percent say they manage access through
the cloud provider’s tools but cannot see the access reports.

Bar Chart 10. Relative to on-premises computing, how important is automated firewall
policy management in the cloud environment?

    More important in the cloud environment because it is elastic    40%
    Equally important in both on-premises and cloud environments     32%
    Unsure                                                           20%
    Less important in the cloud environment                           8%




Automatic firewall configuration, an inexpensive solution and centralized control over all
closed and open ports on cloud servers top the wish list of IT practitioners. Bar Chart 11
lists features relating to cloud firewall risk management solutions. Seventy-eight percent of
respondents say the feature most important is a solution that closes ports automatically without
having to reconfigure the firewall manually. The second most important feature, according to 73
percent of respondents, is a solution that costs less than traditional managed service solutions.
Seventy-two percent of respondents say a solution providing centralized control over all closed
and open ports on cloud servers is most important to them.

Bar Chart 11. How important are the following technology features regarding cloud server
firewall security?[2]
Very important and important response combined

    The solution closes ports automatically, so you don't have to manually
    reconfigure your firewall.                                                   78%

    The solution is inexpensive, costing companies about 20% of the cost of
    managed service solutions.                                                   73%

    The solution provides centralized control over all closed and open ports
    on cloud servers.                                                            72%

    The solution is scalable to all cloud servers irrespective of location.      69%

    The solution keeps all administrative ports closed on your servers without
    losing access and control.                                                   69%

    The solution can consolidate security management across the cloud (i.e.,
    multiple cloud providers).                                                   65%

    The solution securely accesses your cloud servers without fear of getting
    locked out.                                                                  63%

    The solution provides audited reports showing who has access, when it
    occurred, what servers were accessed, and why access was granted.            62%

    The solution provides delegated administration so an organization can
    segregate who can access and who can manage a given cloud server.            61%

    The solution dynamically opens any port on-demand, any time and from
    anywhere.                                                                    59%

    The solution sends time and location-based secure access invitations to
    third parties.                                                               56%




[2] Respondents were asked to assume that the above-mentioned features result from a proprietary software
download to each cloud server containing their organization's applications and data.



Part 3. Methods

A random sampling frame of 18,997 adult-aged individuals who reside within the United States
was used to recruit and select participants for this survey. Our randomly selected sampling frame
was built from proprietary lists of highly experienced IT and IT security practitioners with bona fide
credentials. As shown in Table 1, 727 respondents completed the survey. Of the returned
instruments, 64 surveys failed reliability checks. A total of 831 surveys were available before
screening. One screening question was used to remove respondents who did not have relevant
experience or knowledge. This resulted in a final sample of 682 individuals.

 Table 1. Survey response                                                      Freq.        Pct%
 Sampling frame                                                                 18,997       100.0%
 Total returns                                                                     727          3.8%
 Rejected surveys                                                                      64       0.3%
 Sample before screening                                                           863          4.5%
 Final sample                                                                      682          3.6%

Table 2 reports the respondents' organizational level within participating organizations. Fifty-six
percent of respondents are at or above the supervisory level. On average, respondents had
more than 10 years of overall experience in either the IT or IT security fields, and nearly five years
in their present position.

 Table 2. Respondents’ position level                                                       Pct%
 Vice President                                                                                    2%
 Director                                                                                       15%
 Manager                                                                                        21%
 Supervisor                                                                                     18%
 Technician                                                                                     37%
 Staff                                                                                             4%
 Contractor                                                                                        3%
 Total                                                                                         100%

Table 3 shows that the most frequently cited reporting channels among respondents are the CIO
(58 percent), CISO (20 percent) and chief risk officer (8 percent).

 Table 3. Respondents’ primary reporting channel                                            Pct%
 Chief Information Officer                                                                      58%
 Chief Information Security Officer                                                             20%
 Chief Risk Officer                                                                              8%
 Chief Financial Officer                                                                         4%
 Chief Security Officer                                                                          4%
 General Counsel                                                                                 3%
 Compliance Officer                                                                              3%
 Total                                                                                         100%




Table 4 reports the worldwide headcount of participating organizations. It reports that 65 percent
of respondents are located in organizations with more than 1,000 employees.

Table 4. Worldwide headcount of respondents’ organizations                                Pct%
< 500                                                                                           16%
500 to 1,000                                                                                    19%
1,001 to 5,000                                                                                  25%
5,001 to 25,000                                                                                 18%
25,001 to 75,000                                                                                13%
75,001 to 100,000                                                                                4%
100,001 to 150,000                                                                               3%
> 150,000                                                                                        2%
Total                                                                                           100%

Table 5 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States.

Table 5: Geographic footprint of respondents’ organizations                               Pct%
United States                                                                                   100%
Canada                                                                                          75%
Europe                                                                                          68%
Middle East & Africa                                                                            41%
Asia-Pacific                                                                                    58%
Latin America                                                                                   43%

Pie Chart 2 reports the industry distribution of respondents’ organizations. As shown, financial
services (including retail banking, insurance, brokerage and payments), public sector (federal,
state and local), and healthcare and pharmaceuticals are the three largest industry segments.

Pie Chart 2: Industry distribution of respondents' organizations
(legend order, largest segment first)

    Financial services          20%
    Public sector               12%
    Health & pharmaceuticals    11%
    Industrial                   8%
    Services                     8%
    Retailing                    7%
    Hospitality                  6%
    Education & research         5%
    Technology & Software        5%
    Communications               4%
    Consumer products            3%
    Energy                       3%
    Entertainment & media        3%
    Transportation               3%
    Defense                      2%




Part 4. Limitations

There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most web-based surveys.

  - Non-response bias: The current findings are based on a sample of survey returns. We sent
    surveys to a representative sample of individuals in IT and IT security located in the United
    States, resulting in a large number of usable returned responses. Despite non-response
    tests, it is always possible that individuals who did not participate are substantially different in
    terms of underlying beliefs or perceptions about data protection activities from those who
    completed the instrument.
  - Sampling-frame bias: The accuracy is based on contact information and the degree to which
    the sample is representative of individuals in the IT and IT security fields. We also
    acknowledge that the results may be biased by external events.
    We also acknowledge bias caused by compensating respondents to complete this research
    within a holdout period. Finally, because we used a web-based collection method, it is
    possible that non-web responses by mailed survey or telephone call would result in a
    different pattern of findings.
  - Self-reported results: The quality of survey research is based on the integrity of confidential
    responses received from subjects. While certain checks and balances can be incorporated
    into the survey process, there is always the possibility that certain respondents did not
    provide accurate responses.




Part 5. Conclusion

The IT practitioners in our study acknowledge that cloud server security is vulnerable and open
ports expose the company to increased hacker attacks and security exploits. According to the
findings in this study, some of the main barriers to mitigating risks include the current perception
that cloud server security is not a priority and the lack of IT operations and infrastructure
employees who are knowledgeable about the importance of securing ports and access.

We also learned that accountability for the security of cloud servers is rarely with IT security but
with the business units or IT operations. We believe the primary reason for this perception is that
in general the business units and not IT security are most responsible for provisioning cloud
services. For example, research and engineering developers are adopting the cloud faster than IT
departments and in many cases IT departments are not involved in the adoption and deployment
of cloud services.

Based on the findings, it is recommended that organizations take the following steps:

•  Create awareness among the organization's leadership of the importance of cloud server
   security to safeguarding critical data and applications.
•  Investigate solutions that are both efficient and cost effective.
•  Create accountability for cloud server security.
•  Make sure those who are accountable are knowledgeable about the risks.
•  Ensure that the cloud service providers have appropriate controls in place.
•  Require cloud service providers to notify those accountable for cloud server security if the
   organization's applications or data are compromised by a security exploit or data breach
   involving an open port on a cloud server.

As more data and applications migrate to the cloud, security of the cloud server should become a
significant priority for the organization. These recommendations should help IT practitioners
make a difference in reducing the risk of a potentially costly and damaging attack.
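The two scenarios the survey puts to respondents, an administrator locked out of a server by a firewall change and SSH or RDP left open to the whole Internet, can both be caught before a rule set is applied. The following is an added example written for this page, not code from the report, from Ponemon Institute or from Dome9. The rule format (protocol, port range, list of source CIDRs) is an assumption that mirrors the shape of an EC2 security-group permission, the list of administrative ports is an assumption, and the sample rules are constructed for illustration rather than taken from any real account.

```python
"""Pre-flight checks for a cloud server firewall rule set.

Added example for this report, not code from Ponemon Institute or Dome9.
The rule format (protocol, port range, list of source CIDRs) mirrors the
shape of an EC2 security-group permission but is an assumption; the rules
below are constructed for illustration, not taken from any real account.
"""
import ipaddress

# Administrative services whose ports should never face the whole Internet.
# The port list is an assumption for this example.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# Constructed sample rule set: SSH left open to the world "so we can get in",
# RDP limited to an office range, HTTPS public, and an all-traffic rule for a
# single bastion host. proto "-1" means all protocols and all ports.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 22,   "to_port": 22,   "cidrs": ["0.0.0.0/0"]},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["203.0.113.0/24"]},
    {"proto": "tcp", "from_port": 443,  "to_port": 443,  "cidrs": ["0.0.0.0/0"]},
    {"proto": "-1",  "from_port": None, "to_port": None, "cidrs": ["198.51.100.7/32"]},
]


def _ports_in_rule(rule, candidates):
    """Subset of the candidate ports that this rule's port range covers."""
    if rule["proto"] == "-1":
        return set(candidates)
    return {p for p in candidates if rule["from_port"] <= p <= rule["to_port"]}


def rule_allows(rule, port, src_ip, proto="tcp"):
    """True if the rule permits traffic from src_ip to the given port."""
    if rule["proto"] not in ("-1", proto):
        return False
    if port not in _ports_in_rule(rule, [port]):
        return False
    ip = ipaddress.ip_address(src_ip)
    # Membership is False across IPv4/IPv6 versions, so mixed rule sets are safe.
    return any(ip in ipaddress.ip_network(c) for c in rule["cidrs"])


def world_exposed_admin_ports(rules):
    """List (port, service, cidr) for every admin port open to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        for cidr in rule["cidrs"]:
            if ipaddress.ip_network(cidr).prefixlen != 0:
                continue  # only a /0 prefix means 'from anywhere'
            for port in _ports_in_rule(rule, ADMIN_PORTS):
                findings.append((port, ADMIN_PORTS[port], cidr))
    return sorted(findings)


def would_lock_out(rules, admin_ip, port=22):
    """True if no rule lets admin_ip reach the admin port: the lock-out scenario."""
    return not any(rule_allows(r, port, admin_ip) for r in rules)


def tighten(rules, admin_cidr, admin_ip, port=22):
    """Return a copy of rules with world-open admin ports narrowed to admin_cidr.

    Refuses the change (ValueError) if admin_ip could no longer reach `port`,
    so fixing the open-port problem cannot recreate the lock-out problem.
    """
    tightened = []
    for rule in rules:
        new_rule = dict(rule, cidrs=list(rule["cidrs"]))
        if _ports_in_rule(rule, ADMIN_PORTS):
            new_rule["cidrs"] = [
                admin_cidr if ipaddress.ip_network(c).prefixlen == 0 else c
                for c in new_rule["cidrs"]
            ]
        tightened.append(new_rule)
    if would_lock_out(tightened, admin_ip, port):
        raise ValueError(f"refusing change: {admin_ip} would lose access to port {port}")
    return tightened


if __name__ == "__main__":
    for port, name, cidr in world_exposed_admin_ports(SAMPLE_RULES):
        print(f"FINDING: {name} (tcp/{port}) reachable from {cidr}")
    fixed = tighten(SAMPLE_RULES, "203.0.113.0/24", "203.0.113.5")
    print("after tightening:", world_exposed_admin_ports(fixed) or "no exposed admin ports")
```

Run against the constructed rules, the audit reports SSH open from 0.0.0.0/0, the tightened copy reports nothing, and asking to narrow the rules from an address that is not inside the replacement range is refused rather than applied. The same two checks belong in whatever pipeline pushes rules to the provider's controls (Q2e), because the provider's own tooling will happily accept a rule set that locks you out.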

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey
questions contained in this study. All survey responses were captured over a three-week period
ending in October 2011.

Survey response                                                                  Freq.      Pct%
Sampling frame                                                                    18,997    100.0%
Total returns                                                                        727       3.8%
Rejected surveys                                                                       64      0.3%
Sample before screening                                                              863       4.5%
Final sample                                                                         682       3.6%

Part 1. Screening question
S1. Does your organization use hosted or cloud servers (dedicated or
virtual private server (VPS))?                                                   Freq.      Pct%
Yes                                                                                  682       79%
No (stop)                                                                            181       21%
Total                                                                                863      100%

Part 2. General questions
Q1a. Please check the types of cloud environments your organization
presently uses.                                                                  Pct%
Private cloud                                                                       31%
Public cloud                                                                        68%
Hybrid (semi-public) cloud                                                          50%
Other                                                                                2%
Total                                                                              151%

Q1b. How many of the following major cloud service providers does your
organization use? Please select all that apply.                                  Pct%
Windows Azure                                                                       47%
Google App Engine                                                                   45%
Amazon EC2                                                                          49%
Rackspace                                                                           38%
GoGrid                                                                              30%
Terremark                                                                           28%
None of the above                                                                   24%
Total                                                                              261%

Attributions. Please rate the following statements using the five-point         Strongly
scale provided below each statement. Strongly agree and agree responses.         agree      Agree
Q2a. The security of cloud servers containing my organization’s
applications and data is a significant priority.                                     27%       25%
Q2b. In the cloud environment, cloud server firewalls are the first place to
stop attacks and prevent exploits of OS and application vulnerabilities.             38%       35%
Q2c. In the cloud environment, user access to applications and data is
primarily determined by username and passwords.                                      38%       34%
Q2d. In the cloud environment, the physical security of servers containing
your organization’s applications or data is primarily determined by the cloud
service provider.                                                                    40%       37%
Q2e. In the cloud environment, opening or closing ports to servers
containing your organization’s applications or data is managed via controls
provided by the cloud service provider.                                              44%       37%

Q2f. Configuring your organization’s cloud server firewall manually is a
difficult and sometimes frustrating process.                                      46%    39%
Q2g. In the cloud environment, being able to efficiently manage security is
just as important as the security itself.                                         40%    39%

Q3a. Does your organization have a cloud server firewall management
solution deployed today?                                                       Pct%
Yes                                                                               39%
No                                                                                61%
Total                                                                            100%

Q3b. If yes, what best describes the solution used by your organization
today?                                                                         Pct%
We manage the cloud server firewall manually                                      54%
We use managed security services for our cloud server firewalls                   20%
We have a third-party solution that allows us to manage cloud server
firewalls remotely                                                                26%
Other (please specify)                                                             0%
Total                                                                            100%

Q3c. If no, why not? Please select all that apply.                             Pct%
Solutions are overly complex                                                      49%
Solutions are not scalable                                                        62%
Solutions cost too much                                                           59%
Solutions are not available                                                       57%
Solutions are not dependable                                                      43%
Other (please specify)                                                             2%
Total                                                                            272%

Q3d. If you are using a third party service provider to manage cloud server
security, approximately what do you pay each month per server for this
service (do not include hosting cost)? Your best guess is welcome.             Pct%
Less than $20                                                                     35%
$21 to $50                                                                        38%
$51 to $100                                                                        8%
$101 to $150                                                                       3%
More than $150                                                                     2%
Don't know                                                                        14%
Total                                                                            100%
Extrapolated value ($ each month per server)                                      34.0

Q4. In your opinion, how likely are the following scenarios? Please rate the
following events using the scale provided below each item.
Q4a. After configuring a cloud server firewall, a systems administrator
inadvertently locks-out the organization’s access to a cloud server.           Pct%
Already happened                                                                  12%
Very likely to happen                                                             43%
Likely to happen                                                                  22%
Not likely to happen                                                                  18%
Will never happen                                                                  5%
Total                                                                            100%

Q4b. In order to access cloud servers, your organization leaves
administrative server ports (e.g., SSH, Remote Desktop) open. These open
ports expose the company to increased hacker attacks and security
exploits.                                                                    Pct%
Already happened                                                                19%
Very likely to happen                                                           42%
Likely to happen                                                                 9%
Not likely to happen                                                            14%
Will never happen                                                               16%
Total                                                                          100%

Q5. In your opinion, how vulnerable is your organization because it does
not adequately secure ports and firewalls in cloud environments?             Pct%
Very vulnerable                                                                 32%
Vulnerable                                                                      35%
Not vulnerable                                                                   9%
Unsure                                                                          24%
Total                                                                          100%

Q6. In your opinion, how knowledgeable are IT operations and
infrastructure personnel within your organization about the potential risk
caused by open ports in the cloud environment?                               Pct%
Very knowledgeable                                                              14%
Knowledgeable                                                                   32%
Not knowledgeable                                                               41%
No knowledge                                                                    13%
Total                                                                          100%

Q7. Which one statement best describes how your organization manages
access to cloud servers and generates reports that show who had access,
when access occurred, and what servers were accessed?                       Pct%
Our organization uses the cloud service provider’s tools                        21%
Our organization manages access through the cloud provider’s tools, but it
cannot see access reports                                                      29%
Our organization manages access and generates reports directly from each
cloud server, but it is manual                                                 14%
Our organization cannot manage access or generate reports efficiently          36%
Total                                                                         100%

Q8. Relative to on-premises computing, how important is automated
firewall policy management in the cloud environment?                         Pct%
More important in the cloud environment because it is elastic                   40%
Equally important in both on-premises and cloud environments                    32%
Less important in the cloud environment                                          8%
Unsure                                                                          20%
Total                                                                          100%

Q9. How important are the following eleven (11) features regarding cloud
server security? Please rate each feature from very important = 1 to
irrelevant = 4. Assume that these features result from a proprietary
software download to each cloud server containing your organization’s
applications and data. Shown only are the very important and important          Very
responses.                                                                    important   Important
The solution provides audited reports showing who has access, when
access occurred, what servers were accessed, and for what purpose
access was granted.                                                                21%         40%
The solution provides delegated administration so an organization can
segregate who can access and who can manage a given cloud server.                  20%         41%
The solution can consolidate security management across the cloud (i.e.,
multiple cloud providers).                                                         28%         37%
The solution keeps all administrative ports closed on your servers without
losing access and control.                                                         37%         32%
The solution dynamically opens any port on-demand, any time and from
anywhere.                                                                          34%         25%
The solution sends time and location-based secure access invitations to
third parties.                                                                     23%         33%
The solution closes ports automatically, so you don’t have to manually
reconfigure your firewall.                                                         38%         40%
The solution securely accesses your cloud servers without fear of getting
locked out.                                                                        35%         28%
The solution is scalable to all cloud servers irrespective of location.            28%         41%
The solution is inexpensive, costing companies about 20% of the cost of
managed service solutions.                                                         33%         40%
The solution provides centralized control over all closed and open ports on
cloud servers.                                                                     35%         37%

Q10. Who within your organization is most responsible for ensuring servers
that house your organization’s applications and data in the cloud are
adequately secured?                                                            Pct%
Managed service provider                                                          20%
IT operations                                                                     41%
IT security                                                                       17%
Data center management                                                             5%
Business functions                                                                15%
Other                                                                              2%
Total                                                                            100%

Q11. Who within your organization is most responsible for determining
whether a given cloud provider has adequate security controls in-place to
protect your organization’s applications and data?                             Pct%
IT operations                                                                     35%
IT security                                                                       21%
Legal and compliance                                                               5%
Data center management                                                             2%
Business functions                                                                37%
Other                                                                              0%
Total                                                                            100%

Q12. In general, who is most responsible for ensuring the security of cloud
operations that support your applications and data?                           Pct%
Cloud provider                                                                   36%
Cloud user                                                                       31%
Both are equal                                                                   33%
Total                                                                           100%

Q13. If your organization’s applications or data were compromised by a
security exploit or data breach involving an open port on a cloud server,
how would you know?                                                           Pct%
The cloud provider would inform us.                                              39%
Our system would provide a warning or other message signaling the event          19%
Most likely, we wouldn’t know                                                    42%
Total                                                                           100%

Q14. How do you rate your organization’s overall management of cloud
server security today?                                                        Pct%
Excellent                                                                         9%
Good                                                                             18%
Fair                                                                             27%
Poor                                                                             25%
No comment                                                                       21%
Total                                                                           100%

Part 3. Demographics and organizational characteristics
D1. What organizational level best describes your current position?           Pct%
Senior Executive                                                                  0%
Vice President                                                                    2%
Director                                                                         15%
Manager                                                                          21%
Supervisor                                                                       18%
Technician                                                                       37%
Staff                                                                             4%
Contractor                                                                        3%
Other                                                                             0%
Total                                                                           100%

D2. Check the primary person you or your IT security leader reports to
within the organization.                                                      Pct%
Chief Information Officer                                                        58%
Chief Information Security Officer                                               20%
Chief Risk Officer                                                                8%
Chief Financial Officer                                                           4%
Chief Security Officer                                                            4%
General Counsel                                                                   3%
Compliance Officer                                                                3%
Total                                                                           100%

D3. Total years of relevant experience                                        Mean      Median
Total years of IT or IT security experience                                     10.19      10.00
Total years in present position                                                  4.83       4.50

D4. What industry best describes your organization’s industry focus?   Pct%
Financial services                                                        20%
Public sector                                                             12%
Health & pharmaceuticals                                                  11%
Industrial                                                                 8%
Services                                                                   8%
Retailing                                                                  7%
Hospitality                                                                6%
Education & research                                                       5%
Technology & Software                                                      5%
Communications                                                             4%
Consumer products                                                          3%
Energy                                                                     3%
Entertainment & media                                                      3%
Transportation                                                             3%
Defense                                                                    2%
Total                                                                    100%

D5. Where are your employees located? (check all that apply):          Pct%
United States                                                            100%
Canada                                                                    75%
Europe                                                                    68%
Middle East & Africa                                                      41%
Asia-Pacific                                                              58%
Latin America                                                             43%

D6. What is the worldwide headcount of your organization?              Pct%
< 500                                                                     16%
500 to 1,000                                                              19%
1,001 to 5,000                                                            25%
5,001 to 25,000                                                           18%
25,001 to 75,000                                                          13%
75,001 to 100,000                                                          4%
100,001 to 150,000                                                               3%
> 150,000                                                                  2%
Total                                                                    100%

If you have any questions about this research, please contact Ponemon Institute at
            research@ponemon.org, or contact us via our toll free number 1.800.887.3118.


                                          Ponemon Institute
                              Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research). Furthermore,
we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.

Decriminalize Your Colleagues -  How to Address Shadow IT in the EnterpriseDecriminalize Your Colleagues -  How to Address Shadow IT in the Enterprise
Decriminalize Your Colleagues - How to Address Shadow IT in the EnterpriseBoxHQ
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloudkairostech
 
Simplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data CenterSimplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data CenterAlgoSec
 
OpenStack: The Platform of Choice for Cloud [Infographic]
OpenStack: The Platform of Choice for Cloud [Infographic]OpenStack: The Platform of Choice for Cloud [Infographic]
OpenStack: The Platform of Choice for Cloud [Infographic]IDG Connect
 

Similar a Ponemon cloud security study (20)

The state of the cloud csa survey webinar
The state of the cloud csa survey webinarThe state of the cloud csa survey webinar
The state of the cloud csa survey webinar
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon Institute
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Security and the cloud
Security and the cloudSecurity and the cloud
Security and the cloud
 
The State of Network Security 2014
The State of Network Security 2014The State of Network Security 2014
The State of Network Security 2014
 
How to Secure Your IaaS and PaaS Environments
How to Secure Your IaaS and PaaS EnvironmentsHow to Secure Your IaaS and PaaS Environments
How to Secure Your IaaS and PaaS Environments
 
2021 State of Cloud Permissions Risks Report (1).pdf
2021 State of Cloud Permissions Risks Report (1).pdf2021 State of Cloud Permissions Risks Report (1).pdf
2021 State of Cloud Permissions Risks Report (1).pdf
 
Five Reasons Why You Need Cloud Investigation & Response Automation
Five Reasons Why You Need Cloud Investigation & Response AutomationFive Reasons Why You Need Cloud Investigation & Response Automation
Five Reasons Why You Need Cloud Investigation & Response Automation
 
mcafee-cloud-acceleration-and-risks.pdf
mcafee-cloud-acceleration-and-risks.pdfmcafee-cloud-acceleration-and-risks.pdf
mcafee-cloud-acceleration-and-risks.pdf
 
Automation alley day in the cloud presentation - formatted
Automation alley   day in the cloud presentation - formattedAutomation alley   day in the cloud presentation - formatted
Automation alley day in the cloud presentation - formatted
 
Cloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot SpotCloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot Spot
 
WP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfWP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdf
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computing
 
Cloud Computing Stats - Security and Recovery
Cloud Computing Stats - Security and RecoveryCloud Computing Stats - Security and Recovery
Cloud Computing Stats - Security and Recovery
 
Decriminalize Your Colleagues - How to Address Shadow IT in the Enterprise
Decriminalize Your Colleagues -  How to Address Shadow IT in the EnterpriseDecriminalize Your Colleagues -  How to Address Shadow IT in the Enterprise
Decriminalize Your Colleagues - How to Address Shadow IT in the Enterprise
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
 
User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud
 
Simplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data CenterSimplifying Security Management in the Virtual Data Center
Simplifying Security Management in the Virtual Data Center
 
OpenStack: The Platform of Choice for Cloud [Infographic]
OpenStack: The Platform of Choice for Cloud [Infographic]OpenStack: The Platform of Choice for Cloud [Infographic]
OpenStack: The Platform of Choice for Cloud [Infographic]
 

Último

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Último (20)

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Ponemon cloud security study

Managing Firewall Risks in the Cloud
Ponemon Institute, November 2011

Part 1. Introduction

Ponemon Institute is pleased to present the results of Managing Firewall Risks in the Cloud. Sponsored by Dome9 Security, this research was conducted to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. We believe this is the first study to look at the risk to cloud security because of unsecured ports and firewalls.

The study surveyed 682 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. On average, respondents have more than 10 years of IT or IT security experience. Only IT practitioners working in organizations that use hosted or cloud servers (dedicated or virtual private server) completed the survey. The majority of respondents report that their organizations use both public clouds and hybrid (semi-public) clouds. Forty percent are employed by organizations with a worldwide headcount of more than 5,000.

Imagine this. Can this happen to your organization?

After configuring a cloud server firewall, a systems administrator inadvertently locks out your organization’s access to a cloud server, thereby preventing it from processing a mission critical application.

In order to access cloud servers, your organization leaves administrative server ports (such as SSH or Remote Desktop) open. These open ports expose the organization to increased hacker attacks and serious security exploits.

Our research shows that the majority of respondents (68 percent) say their organizations use public cloud services. The most commonly cited service providers are listed in Bar Chart 1.

Bar Chart 1. The major public cloud service providers used by respondents’ organizations (more than one choice is permitted). Providers shown: AWS EC2, Azure, Google, RackSpace, GoGRID, Terremark, all others. [chart]

According to the majority of these respondents (52 percent), the state of cloud server security management is either fair or poor, and 21 percent had no comment. This concern can be partly attributed to the finding that 42 percent fear that they would most likely not know if their organizations’ applications or data were compromised by a security exploit or data breach involving an open port on a cloud server.
The topics addressed in this study include:

• Perceptions about organizations’ ability to mitigate the risk to their cloud servers
• Barriers to efficiently managing security in the cloud server
• Responsibility for managing cloud security risks
• The risk of open ports in a cloud environment
• The importance of certain features to securing the cloud server

The next section reports the key findings of our independently conducted survey research. The results provide strong evidence that organizations’ cloud servers are vulnerable, most IT personnel do not understand the risk, and it is a challenge to secure access to and generate reports for cloud servers.
Part 2. Key findings

Respondents do not give high marks to their organizations’ cloud server security. Bar Chart 2 shows more than half (52 percent) rate their organizations’ overall management of cloud server security as fair (27 percent) or poor (25 percent).

Bar Chart 2. How do you rate your organization’s overall management of cloud server security today? Response categories: Excellent, Good, Fair (27%), Poor (25%), No comment (21%). [chart]

Twenty-one percent of respondents have no comment about the status of cloud server management in their organizations, which could indicate a lack of knowledge about how their organizations are managing access and securing firewalls and ports in their cloud environments. In fact, as shown in Bar Chart 3, 54 percent of respondents say the IT personnel within their organization are not knowledgeable (41 percent) or have no knowledge (13 percent) about the potential risk of open firewall ports in their cloud environments.

Bar Chart 3. How knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment? Response categories: Very knowledgeable, Knowledgeable, Not knowledgeable (41%), No knowledge (13%). [chart]
Manually configuring a cloud server firewall frustrates IT practitioners. Bar Chart 4 lists seven (7) attributions or statements about the state of cloud security in respondents’ organizations.(1) Eighty-six percent of respondents strongly agree or agree that configuring their organizations’ cloud server firewall manually is a difficult and sometimes frustrating process. In fact, 79 percent of respondents believe being able to efficiently manage security in the cloud environment is just as important as the security itself. Most respondents (81 percent) agree that in the cloud environment, opening or closing ports to servers containing their organizations’ applications or data is managed via controls provided by the cloud service provider.

Bar Chart 4. Respondents’ perceptions about the state of cloud security and remote management of firewalls (strongly agree and agree responses combined)

  86%  Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process.
  81%  In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider.
  79%  In the cloud environment, being able to efficiently manage security is just as important as the security itself.
  77%  In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider.
  73%  In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities.
  72%  In the cloud environment, user access to applications and data is primarily determined by username and passwords.
  52%  The security of cloud servers containing my organization’s applications and data is a significant priority.

(1) In our survey we used attributions to capture the perceptions of respondents concerning the security of cloud computing environments. These attributions or statements are evaluated using a five-point adjective scale ranging from strongly agree to strongly disagree. A favorable or affirmative response is defined as a strongly agree or agree response. A negative or non-affirmative response is defined as a strongly disagree, disagree or unsure response.
Scalability and cost, according to IT practitioners, are reasons for not having a cloud server firewall management solution. Pie Chart 1 shows 61 percent of respondents say their organization does not have a cloud server firewall management solution. Of those who do not have the solution, Bar Chart 5 shows 62 percent say it is because the solutions are not scalable, they cost too much (59 percent) and solutions are not available (57 percent). Of the 39 percent who say they do have a cloud server firewall management solution, more than half (54 percent) say it is because they manage the cloud server firewall manually.

Pie Chart 1. Does your organization have a cloud server firewall management solution deployed today?
  Yes  39%
  No   61%

Bar Chart 5. If no, why not? The solution is . . .
  Not scalable    62%
  Cost too much   59%
  Not available   57%
  Overly complex  49%
  Not dependable  43%
Responsibility for security in the cloud server usually rests with either IT operations or the business units. Bar Chart 6a shows 41 percent of respondents say the IT operations department or function is most responsible for ensuring servers that house the organizations’ applications and data in the cloud are adequately secured. Bar Chart 6b shows the groups most responsible for making sure the cloud provider has adequate security controls in place, which are the business functions (37 percent) followed by IT operations (35 percent). It is interesting to see in both charts that IT security is relatively low in terms of having the most responsibility in ensuring cloud server security.

Bar Chart 6. Who within your organization is most responsible?

6a. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured?
  IT operations             41%
  Managed service provider  20%
  IT security               17%
  Business functions        15%
  Data center                5%

6b. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in place to protect your organization’s applications and data?
  Business functions   37%
  IT operations        35%
  IT security          21%
  Legal & compliance    5%
  Data center           2%

Bar Chart 7 reports 36 percent believe the cloud provider is most responsible for ensuring security of the cloud operations that support applications and data, followed by 33 percent who say this responsibility is shared between the cloud provider and cloud user.

Bar Chart 7. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data?
  Cloud provider  36%
  Both are equal  33%
  Cloud user      31%
IT practitioners report that locking out an organization’s access to a cloud server is likely to happen. As noted in Bar Chart 8, when asked if a systems administrator could lock out the organization’s access to a cloud server after configuring the cloud server firewall, 12 percent say this has already happened and 43 percent say this is very likely to happen.

Bar Chart 8. Two cloud server firewall risk management scenarios. How likely is each scenario? Response categories: Already happened, Very likely to happen, Likely to happen, Not likely to happen, Will never happen. [chart]

Scenario 1: After configuring a cloud server firewall, a systems administrator inadvertently locks out the organization’s access to a cloud server. (Already happened: 12%; very likely to happen: 43%.)

Scenario 2: In order to access cloud servers, your organization leaves administrative server ports open. These open ports expose the company to increased hacker attacks and security exploits. (Already happened: 19%; very likely to happen: 42%.)

Leaving administrative server ports open and vulnerable to hackers is likely to happen, according to respondents. The above chart also shows 19 percent of respondents say their organization experienced additional hacker risk or security exploits because of exposed open ports on cloud servers. Another 42 percent say it is very likely that administrative server ports are left open and, thus, the company is exposed to increased hacker attacks and security exploits.
Data and applications in the cloud server are at risk because of the inability to manage access and secure ports and firewalls. According to Bar Chart 9, two-thirds (67 percent) of respondents say their organizations are very vulnerable or vulnerable because ports and firewalls in the cloud environment are not adequately secured. Less than half (46 percent) of respondents say they have IT operations and infrastructure personnel who are very knowledgeable or knowledgeable about this risk.

Bar Chart 9. How vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments? Response categories: Very vulnerable, Vulnerable (67% combined), Not vulnerable, Unsure. [chart]

Automated firewall policy management is more important in the cloud environment because it is elastic, according to 40 percent of respondents. Thirty-six percent say their organization cannot manage access or generate reports efficiently, and 29 percent say they manage access through the cloud provider’s tools but cannot see the access reports.

Bar Chart 10. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment?
  More important in the cloud environment because it is elastic    40%
  Equally important in both on-premises and cloud environments     32%
  Unsure                                                           20%
  Less important in the cloud environment                           8%
Automatic firewall configuration, an inexpensive solution and centralized control over all closed and open ports on cloud servers top the wish list of IT practitioners. Bar Chart 11 lists features relating to cloud firewall risk management solutions. Seventy-eight percent of respondents say the most important feature is a solution that closes ports automatically without having to reconfigure the firewall manually. The second most important feature, according to 73 percent of respondents, is a solution that costs less than traditional managed service solutions. Seventy-two percent of respondents say a solution providing centralized control over all closed and open ports on cloud servers is most important to them.

Bar Chart 11. How important are the following technology features regarding cloud server firewall security?(2) Very important and important responses combined

  78%  The solution closes ports automatically, so you don’t have to manually reconfigure your firewall.
  73%  The solution is inexpensive, costing companies about 20% of the cost of managed service solutions.
  72%  The solution provides centralized control over all closed and open ports on cloud servers.
  69%  The solution is scalable to all cloud servers irrespective of location.
  69%  The solution keeps all administrative ports closed on your servers without losing access and control.
  65%  The solution can consolidate security management across the cloud (i.e., multiple cloud providers).
  63%  The solution securely accesses your cloud servers without fear of getting locked out.
  62%  The solution provides audited reports showing who has access, when it occurred, what servers were accessed, and why access was granted.
  61%  The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server.
  59%  The solution dynamically opens any port on-demand, any time and from anywhere.
  56%  The solution sends time and location-based secure access invitations to third parties.

(2) Respondents were asked to assume that the above-mentioned features result from a proprietary software download to each cloud server containing their organization’s applications and data.
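The two scenarios in Bar Chart 8 (an administrator locking the organization out of its own server; administrative ports left open to everyone) and the features in Bar Chart 11 (closing administrative ports without losing access, opening a port on demand for a limited time) can be expressed as a small audit and change-guard over a server firewall rule set. The Python below is an added example, not code from the report or from Dome9: the Rule format, the ADMIN_PORTS table, the management network 203.0.113.0/24 and the sample rule set are all constructed for this illustration.

```python
"""Audit a cloud server firewall rule set for the two risks the survey asks about.

Added example (not from the Ponemon/Dome9 report): flags administrative ports
(SSH, Remote Desktop) open to any address, refuses a rule change that would lock
the organization out of its own server, and models a port opened on demand for a
limited time. Rule format, port list and sample rules are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Administrative ports named in the report: SSH and Remote Desktop.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


class LockoutError(Exception):
    """Raised when a proposed rule set leaves no path for the admin network."""


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: a TCP port and the CIDR permitted to reach it."""
    port: int
    source: str
    expires: Optional[datetime] = None  # None means the rule is permanent


def is_world_open(rule: Rule) -> bool:
    """True when the source is the whole IPv4 or IPv6 address space (a /0)."""
    return ip_network(rule.source, strict=False).prefixlen == 0


def active_rules(rules: List[Rule], now: datetime) -> List[Rule]:
    """Rules still in force: permanent ones plus unexpired temporary ones."""
    return [r for r in rules if r.expires is None or r.expires > now]


def find_exposed_admin_ports(rules: List[Rule], now: datetime) -> List[Tuple[int, str]]:
    """Scenario 2 of the survey: administrative ports reachable from any address."""
    exposed = {(r.port, ADMIN_PORTS[r.port]) for r in active_rules(rules, now)
               if r.port in ADMIN_PORTS and is_world_open(r)}
    return sorted(exposed)


def admin_reachable_from(rules: List[Rule], admin_cidr: str, now: datetime) -> bool:
    """True if some active admin-port rule admits the whole management network."""
    admin_net = ip_network(admin_cidr)
    for r in active_rules(rules, now):
        if r.port not in ADMIN_PORTS:
            continue
        allowed = ip_network(r.source, strict=False)
        if allowed.version == admin_net.version and admin_net.subnet_of(allowed):
            return True
    return False


def source_can_reach(rules: List[Rule], port: int, host: str, now: datetime) -> bool:
    """True if some active rule for `port` admits the single address `host`."""
    addr = ip_address(host)
    return any(r.port == port and addr in ip_network(r.source, strict=False)
               for r in active_rules(rules, now))


def apply_change(new_rules: List[Rule], admin_cidr: str, now: datetime) -> List[Rule]:
    """Scenario 1 guard: accept only a rule set that keeps the admin network connected."""
    if not admin_reachable_from(new_rules, admin_cidr, now):
        raise LockoutError(f"rule set would lock {admin_cidr} out of every admin port")
    return list(new_rules)


def grant_temporary_access(rules: List[Rule], port: int, source: str,
                           minutes: int, now: datetime) -> List[Rule]:
    """Open a port on demand for one source; the rule lapses after `minutes`."""
    return rules + [Rule(port, source, now + timedelta(minutes=minutes))]


def harden(rules: List[Rule], admin_cidr: str, now: datetime) -> List[Rule]:
    """Close world-open admin ports by restricting them to the admin network."""
    fixed = [Rule(r.port, admin_cidr) if r.port in ADMIN_PORTS and is_world_open(r) else r
             for r in rules]
    return apply_change(fixed, admin_cidr, now)


# Constructed sample: a web server whose SSH port was left open to the world,
# with RDP already restricted to the management network (TEST-NET-3 range).
ADMIN_NET = "203.0.113.0/24"
NOW = datetime(2011, 11, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_RULES = [
    Rule(443, "0.0.0.0/0"),  # public HTTPS, expected to be world-open
    Rule(22, "0.0.0.0/0"),   # SSH open to any address: the finding
    Rule(3389, ADMIN_NET),   # RDP limited to the admin network
]


def demo() -> dict:
    """Run the audit, the hardening, the lockout guard and a 30-minute grant."""
    hardened = harden(SAMPLE_RULES, ADMIN_NET, NOW)
    try:  # an over-eager cleanup that deletes every admin rule is refused
        apply_change([Rule(443, "0.0.0.0/0")], ADMIN_NET, NOW)
        refused = False
    except LockoutError:
        refused = True
    temp = grant_temporary_access(hardened, 22, "198.51.100.7/32", 30, NOW)
    return {
        "exposed_before": find_exposed_admin_ports(SAMPLE_RULES, NOW),
        "exposed_after": find_exposed_admin_ports(hardened, NOW),
        "lockout_refused": refused,
        "temp_open_at_29min": source_can_reach(temp, 22, "198.51.100.7", NOW + timedelta(minutes=29)),
        "temp_open_at_31min": source_can_reach(temp, 22, "198.51.100.7", NOW + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```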
Part 3. Methods

A random sampling frame of 18,997 adult-aged individuals who reside within the United States was used to recruit and select participants to this survey. Our randomly selected sampling frame was built from proprietary lists of highly experienced IT and IT security practitioners with bona fide credentials. As shown in Table 1, 727 respondents completed the survey. Of the returned instruments, 64 surveys failed reliability checks. A total of 831 surveys were available before screening. One screening question was used to remove respondents who did not have relevant experience or knowledge. This resulted in a final sample of 682 individuals.

Table 1. Survey response
                           Freq.    Pct%
  Sampling frame          18,997  100.0%
  Total returns              727    3.8%
  Rejected surveys            64    0.3%
  Sample before screening    863    4.5%
  Final sample               682    3.6%

Table 2 reports the respondent’s organizational level within participating organizations. Fifty-six percent of respondents are at or above the supervisory levels. On average, respondents had more than 10 years of overall experience in either the IT or IT security fields, and nearly five years in their present position.

Table 2. Respondents’ position level
                  Pct%
  Vice President    2%
  Director         15%
  Manager          21%
  Supervisor       18%
  Technician       37%
  Staff             4%
  Contractor        3%
  Total           100%

Table 3 shows that the most frequently cited reporting channels among respondents are the CIO (58 percent), CISO (20 percent) and chief risk officer (8 percent).

Table 3. Respondents’ primary reporting channel
                                      Pct%
  Chief Information Officer            58%
  Chief Information Security Officer   20%
  Chief Risk Officer                    8%
  Chief Financial Officer               4%
  Chief Security Officer                4%
  General Counsel                       3%
  Compliance Officer                    3%
  Total                               100%
Table 4 reports the worldwide headcount of participating organizations. It reports that 65 percent of respondents are located in organizations with more than 1,000 employees.

Table 4. Worldwide headcount of respondents’ organizations
                          Pct%
< 500                      16%
500 to 1,000               19%
1,001 to 5,000             25%
5,001 to 25,000            18%
25,001 to 75,000           13%
75,001 to 100,000           4%
101,000 to 150,000          3%
> 150,000                   2%
Total                     100%

Table 5 reports the respondent organization’s global footprint. As can be seen, a large number of participating organizations are multinational companies that operate outside the United States.

Table 5: Geographic footprint of respondents’ organizations
                          Pct%
United States             100%
Canada                     75%
Europe                     68%
Middle East & Africa       41%
Asia-Pacific               58%
Latin America              43%

Pie Chart 2 reports the industry distribution of respondents’ organizations. As shown, financial services (including retail banking, insurance, brokerage and payments), public sector (federal, state and local), and healthcare and pharmaceuticals are the three largest industry segments.

Pie Chart 2: Industry distribution of respondents’ organizations [chart omitted; segments: Financial services, Public sector, Health & pharmaceuticals, Industrial, Services, Retailing, Hospitality, Education & research, Technology & Software, Communications, Consumer products, Energy, Entertainment & media, Transportation, Defense]
Part 4. Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

- Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals in IT and IT security located in the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs or perceptions about data protection activities from those who completed the instrument.

- Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals in the IT and IT security fields. We also acknowledge that the results may be biased by external events. We also acknowledge bias caused by compensating respondents to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

- Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that certain respondents did not provide accurate responses.
Part 5. Conclusion

The IT practitioners in our study acknowledge that cloud server security is vulnerable and open ports expose the company to increased hacker attacks and security exploits. According to the findings in this study, some of the main barriers to mitigating risks include the current perception that cloud server security is not a priority and the lack of IT operations and infrastructure employees who are knowledgeable about the importance of securing ports and access.

We also learned that accountability for the security of cloud servers is rarely with IT security but with the business units or IT operations. We believe the primary reason for this perception is that in general the business units and not IT security are most responsible for provisioning cloud services. For example, research and engineering developers are adopting the cloud faster than IT departments and in many cases IT departments are not involved in the adoption and deployment of cloud services.

Based on the findings, it is recommended that organizations take the following steps:

- Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.
- Investigate solutions that are both efficient and cost effective.
- Create accountability for cloud server security.
- Make sure those who are accountable are knowledgeable about the risks.
- Ensure that the cloud service providers have appropriate controls in place.
- Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.

As more data and applications migrate to the cloud, security of the cloud server should become a significant priority for the organization. These recommendations should help IT practitioners make a difference in reducing the risk of a potentially costly and damaging attack.
Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a three-week period ending in October 2011.

Survey response
                              Freq.     Pct%
Sampling frame               18,997   100.0%
Total returns                   727     3.8%
Rejected surveys                 64     0.3%
Sample before screening         863     4.5%
Final sample                    682     3.6%

Part 1. Screening question

S1. Does your organization use hosted or cloud servers (dedicated or virtual private server (VPS))?
                  Freq.    Pct%
Yes                 682     79%
No (stop)           181     21%
Total               863    100%

Part 2. General questions

Q1a. Please check the types of cloud environments your organization presently uses.
                              Pct%
Private cloud                  31%
Public cloud                   68%
Hybrid (semi-public) cloud     50%
Other                           2%
Total                         151%

Q1b. How many of the following major cloud service providers does your organization use? Please select all that apply.
                        Pct%
Windows Azure            47%
Google App Engine        45%
Amazon EC2               49%
RackSpace                38%
GoGRID                   30%
Terremark                28%
None of the above        24%
Total                   261%

Attributions. Please rate the following statements using the five-point scale provided below each statement. Strongly agree and agree responses are shown.
                                                                                                        Strongly agree   Agree
Q2a. The security of cloud servers containing my organization’s applications and data is a significant priority.   27%   25%
Q2b. In the cloud environment, cloud server firewalls are the first place to stop attacks and prevent exploits of OS and application vulnerabilities.   38%   35%
Q2c. In the cloud environment, user access to applications and data is primarily determined by username and passwords.   38%   34%
Q2d. In the cloud environment, the physical security of servers containing your organization’s applications or data is primarily determined by the cloud service provider.   40%   37%
Q2e. In the cloud environment, opening or closing ports to servers containing your organization’s applications or data is managed via controls provided by the cloud service provider.   44%   37%
Q2f. Configuring your organization’s cloud server firewall manually is a difficult and sometimes frustrating process.   46%   39%
Q2g. In the cloud environment, being able to efficiently manage security is just as important as the security itself.   40%   39%

Q3a. Does your organization have a cloud server firewall management solution deployed today?
          Pct%
Yes        39%
No         61%
Total     100%

Q3b. If yes, what best describes the solution used by your organization today?
                                                                                           Pct%
We manage the cloud server firewall manually                                                54%
We use managed security services for our cloud server firewalls                             20%
We have a third-party solution that allows us to manage cloud server firewalls remotely     26%
Other (please specify)                                                                       0%
Total                                                                                      100%

Q3c. If no, why not? Please select all that apply.
                                  Pct%
Solutions are overly complex       49%
Solutions are not scalable         62%
Solutions cost too much            59%
Solutions are not available        57%
Solutions are not dependable       43%
Other (please specify)              2%
Total                             272%

Q3d. If you are using a third party service provider to manage cloud server security, approximately what do you pay each month per server for this service (do not include hosting cost)? Your best guess is welcome.
                      Pct%
Less than $20          35%
$21 to $50             38%
$51 to $100             8%
$101 to $150            3%
More than $150          2%
Don't know             14%
Total                 100%
Extrapolated value ($ each month per server)   34.0

Q4. In your opinion, how likely are the following scenarios? Please rate the following events using the scale provided below each item.

Q4a. After configuring a cloud server firewall, a systems administrator inadvertently locks-out the organization’s access to a cloud server.
                          Pct%
Already happened           12%
Very likely to happen      43%
Likely to happen           22%
Not likely to happen       18%
Will never happen           5%
Total                     100%
Q4b. In order to access cloud servers, your organization leaves administrative server ports (e.g., SSH, Remote Desktop) open. These open ports expose the company to increased hacker attacks and security exploits.
                          Pct%
Already happened           19%
Very likely to happen      42%
Likely to happen            9%
Not likely to happen       14%
Will never happen          16%
Total                     100%

Q5. In your opinion, how vulnerable is your organization because it does not adequately secure ports and firewalls in cloud environments?
                     Pct%
Very vulnerable       32%
Vulnerable            35%
Not vulnerable         9%
Unsure                24%
Total                100%

Q6. In your opinion, how knowledgeable are IT operations and infrastructure personnel within your organization about the potential risk caused by open ports in the cloud environment?
                        Pct%
Very knowledgeable       14%
Knowledgeable            32%
Not knowledgeable        41%
No knowledge             13%
Total                   100%

Q7. Which one statement best describes how your organization manages access to cloud servers and generates reports that show who had access, when access occurred, and what servers were accessed?
                                                                                                      Pct%
Our organization uses the cloud service provider’s tools                                               21%
Our organization manages access through the cloud provider’s tools, but it cannot see access reports   29%
Our organization manages access and generates reports directly from each cloud server, but it is manual   14%
Our organization cannot manage access or generate reports efficiently                                  36%
Total                                                                                                 100%

Q8. Relative to on-premises computing, how important is automated firewall policy management in the cloud environment?
                                                                      Pct%
More important in the cloud environment because it is elastic          40%
Equally important in both on-premises and cloud environments           32%
Less important in the cloud environment                                 8%
Unsure                                                                 20%
Total                                                                 100%
Q9. How important are the following eleven (11) features regarding cloud server security? Please rate each feature from very important = 1 to irrelevant = 4. Assume that these features result from a proprietary software download to each cloud server containing your organization’s applications and data. Shown only are the very important and important responses.
                                                                                                                              Very important   Important
The solution provides audited reports showing who has access, when access occurred, what servers were accessed, and for what purpose access was granted.   21%   40%
The solution provides delegated administration so an organization can segregate who can access and who can manage a given cloud server.   20%   41%
The solution can consolidate security management across the cloud (i.e., multiple cloud providers).   28%   37%
The solution keeps all administrative ports closed on your servers without losing access and control.   37%   32%
The solution dynamically opens any port on-demand, any time and from anywhere.   34%   25%
The solution sends time and location-based secure access invitations to third parties.   23%   33%
The solution closes ports automatically, so you don’t have to manually reconfigure your firewall.   38%   40%
The solution securely accesses your cloud servers without fear of getting locked out.   35%   28%
The solution is scalable to all cloud servers irrespective of location.   28%   41%
The solution is inexpensive, costing companies about 20% of the cost of managed service solutions.   33%   40%
The solution provides centralized control over all closed and open ports on cloud servers.   35%   37%

Q10. Who within your organization is most responsible for ensuring servers that house your organization’s applications and data in the cloud are adequately secured?
                              Pct%
Managed service provider       20%
IT operations                  41%
IT security                    17%
Data center management          5%
Business functions             15%
Other                           2%
Total                         100%

Q11. Who within your organization is most responsible for determining whether a given cloud provider has adequate security controls in-place to protect your organization’s applications and data?
                              Pct%
IT operations                  35%
IT security                    21%
Legal and compliance            5%
Data center management          2%
Business functions             37%
Other                           0%
Total                         100%
Q12. In general, who is most responsible for ensuring the security of cloud operations that support your applications and data?
                    Pct%
Cloud provider       36%
Cloud user           31%
Both are equal       33%
Total               100%

Q13. If your organization’s applications or data were compromised by a security exploit or data breach involving an open port on a cloud server, how would you know?
                                                                              Pct%
The cloud provider would inform us.                                            39%
Our system would provide a warning or other message signaling the event.       19%
Most likely, we wouldn’t know.                                                 42%
Total                                                                         100%

Q14. How do you rate your organization’s overall management of cloud server security today?
                 Pct%
Excellent          9%
Good              18%
Fair              27%
Poor              25%
No comment        21%
Total            100%

Part 3. Demographics and organizational characteristics

D1. What organizational level best describes your current position?
                      Pct%
Senior Executive        0%
Vice President          2%
Director               15%
Manager                21%
Supervisor             18%
Technician             37%
Staff                   4%
Contractor              3%
Other                   0%
Total                 100%

D2. Check the primary person you or your IT security leader reports to within the organization.
                                      Pct%
Chief Information Officer              58%
Chief Information Security Officer     20%
Chief Risk Officer                      8%
Chief Financial Officer                 4%
Chief Security Officer                  4%
General Counsel                         3%
Compliance Officer                      3%
Total                                 100%

D3. Total years of relevant experience
                                              Mean    Median
Total years of IT or IT security experience   10.19   10.00
Total years in present position                4.83    4.50
D4. What industry best describes your organization’s industry focus?
                            Pct%
Financial services           20%
Public sector                12%
Health & pharmaceuticals     11%
Industrial                    8%
Services                      8%
Retailing                     7%
Hospitality                   6%
Education & research          5%
Technology & Software         5%
Communications                4%
Consumer products             3%
Energy                        3%
Entertainment & media         3%
Transportation                3%
Defense                       2%
Total                       100%

D5. Where are your employees located? (check all that apply)
                          Pct%
United States             100%
Canada                     75%
Europe                     68%
Middle East & Africa       41%
Asia-Pacific               58%
Latin America              43%

D6. What is the worldwide headcount of your organization?
                          Pct%
< 500                      16%
500 to 1,000               19%
1,001 to 5,000             25%
5,001 to 25,000            18%
25,001 to 75,000           13%
75,001 to 100,000           4%
101,000 to 150,000          3%
> 150,000                   2%
Total                     100%
If you have any questions about this research, please contact Ponemon Institute at research@ponemon.org, or contact us via our toll free number 1.800.887.3118.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.