Microsoft Faults IT Security Practices in 'Cloud Computing' Report
Microsoft this week published an assessment of organizational IT
security, based on its own survey tool.
The report, "Trends in Cloud Computing" (PDF), used information polled globally through a new
Microsoft survey instrument called the "Cloud Security Readiness Tool" (CSRT).
Microsoft claims that its CSRT tool is based on the
Cloud Security Alliance's Cloud Controls Matrix, and that organizations
can use it to check their existing IT capabilities vs. cloud services
Microsoft analyzed 5,700 responses to 27 questions using CSRT data
gathered between October 2012 and March 2013. The answers were weighted as
either positive or negative to determine IT security "maturity" levels.
The survey results were pretty abysmal, showing an overall lack of
security maturity within organizations. However, many of the questions
were about procedures or HR policies, rather than direct safeguards.
Organizational maturity in handling security issues was only found in just
one area – that is, in deploying antivirus or antimalware software. The
remaining 26 questions elicited responses indicating an overall lack of
organizational maturity on security matters among the respondents.
Lack of maturity was reported in terms of asset management (65 percent)
and risk management (70 percent). Even patching seemed to be a disaster
area, as described by the report:
- "68 percent of organizations do not attempt to ensure that
patches are configured and installed automatically
- "64 percent of organizations do not run a centrally managed and
scheduled antivirus program
- "66 percent of organizations do not make use of a stateful
Numbers like those seem hard to believe, but Microsoft may have lumped
together organizations of various sizes and expertise in the survey
Microsoft found the greatest organizational maturity among enterprise
organizations, which was defined as having more than 500 PCs. The majority
(66 percent) of enterprises had maturity in their antimalware efforts,
with just 49 percent having maturity in their vulnerability and patch
As for small and medium-size businesses (25 to 500 PCs), the report
states that they are "maturing from a very basic state and have not
automated their security capabilities entirely."
Microsoft's "Trends in Cloud Computing" report is actually misnamed,
because it's not clear that the respondents used cloud technologies or
not. It seems to describe traditional IT practices more than cloud
computing trends. However, Microsoft seems to be using the report to
promote cloud technologies as an alternative to traditional IT approaches.
For instance, the report repeatedly points out that because IT
departments aren't handling their own internal security matters well at
all, per the survey results, they could solve a lot of these problems by
using a cloud resource instead. So, readers can expect to find a big chunk
of marketing, along with dispassionate analysis, in this report.
Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.