News

Microsoft Faults IT Security Practices in 'Cloud Computing' Report

• By Kurt Mackie
• 05/24/2013

Microsoft this week published an assessment of organizational IT security, based on its own survey tool.

The report, "Trends in Cloud Computing" (PDF), used information polled globally through a new Microsoft survey instrument called the "Cloud Security Readiness Tool" (CSRT). Microsoft claims that its CSRT tool is based on the Cloud Security Alliance's Cloud Controls Matrix, and that organizations can use it to check their existing IT capabilities vs. cloud services capabilities.

Microsoft analyzed 5,700 responses to 27 questions using CSRT data gathered between October 2012 and March 2013. The answers were weighted as either positive or negative to determine IT security "maturity" levels.

The survey results were pretty abysmal, showing an overall lack of security maturity within organizations. However, many of the questions were about procedures or HR policies, rather than direct safeguards. Organizational maturity in handling security issues was only found in just one area – that is, in deploying antivirus or antimalware software. The remaining 26 questions elicited responses indicating an overall lack of organizational maturity on security matters among the respondents.

Lack of maturity was reported in terms of asset management (65 percent) and risk management (70 percent). Even patching seemed to be a disaster area, as described by the report:

• "68 percent of organizations do not attempt to ensure that patches are configured and installed automatically
• "64 percent of organizations do not run a centrally managed and scheduled antivirus program
• "66 percent of organizations do not make use of a stateful firewall"

Numbers like those seem hard to believe, but Microsoft may have lumped together organizations of various sizes and expertise in the survey results.

Microsoft found the greatest organizational maturity among enterprise organizations, which was defined as having more than 500 PCs. The majority (66 percent) of enterprises had maturity in their antimalware efforts, with just 49 percent having maturity in their vulnerability and patch management capabilities.

As for small and medium-size businesses (25 to 500 PCs), the report states that they are "maturing from a very basic state and have not automated their security capabilities entirely."

Microsoft's "Trends in Cloud Computing" report is actually misnamed, because it's not clear that the respondents used cloud technologies or not. It seems to describe traditional IT practices more than cloud computing trends. However, Microsoft seems to be using the report to promote cloud technologies as an alternative to traditional IT approaches.

For instance, the report repeatedly points out that because IT departments aren't handling their own internal security matters well at all, per the survey results, they could solve a lot of these problems by using a cloud resource instead. So, readers can expect to find a big chunk of marketing, along with dispassionate analysis, in this report.