Microsoft Faults IT Security Practices in 'Cloud Computing' Report

Microsoft this week published an assessment of organizational IT security, based on its own survey tool.

The report, "Trends in Cloud Computing" (PDF), used information polled globally through a new Microsoft survey instrument called the "Cloud Security Readiness Tool" (CSRT). Microsoft claims that its CSRT tool is based on the Cloud Security Alliance's Cloud Controls Matrix, and that organizations can use it to check their existing IT capabilities vs. cloud services capabilities.

Microsoft analyzed 5,700 responses to 27 questions using CSRT data gathered between October 2012 and March 2013. The answers were weighted as either positive or negative to determine IT security "maturity" levels.

The survey results were pretty abysmal, showing an overall lack of security maturity within organizations. However, many of the questions were about procedures or HR policies, rather than direct safeguards. Organizational maturity in handling security issues was only found in just one area – that is, in deploying antivirus or antimalware software. The remaining 26 questions elicited responses indicating an overall lack of organizational maturity on security matters among the respondents.

Lack of maturity was reported in terms of asset management (65 percent) and risk management (70 percent). Even patching seemed to be a disaster area, as described by the report:

  • "68 percent of organizations do not attempt to ensure that patches are configured and installed automatically
  • "64 percent of organizations do not run a centrally managed and scheduled antivirus program
  • "66 percent of organizations do not make use of a stateful firewall"

Numbers like those seem hard to believe, but Microsoft may have lumped together organizations of various sizes and expertise in the survey results.

Microsoft found the greatest organizational maturity among enterprise organizations, which was defined as having more than 500 PCs. The majority (66 percent) of enterprises had maturity in their antimalware efforts, with just 49 percent having maturity in their vulnerability and patch management capabilities.

As for small and medium-size businesses (25 to 500 PCs), the report states that they are "maturing from a very basic state and have not automated their security capabilities entirely."

Microsoft's "Trends in Cloud Computing" report is actually misnamed, because it's not clear that the respondents used cloud technologies or not. It seems to describe traditional IT practices more than cloud computing trends. However, Microsoft seems to be using the report to promote cloud technologies as an alternative to traditional IT approaches.

For instance, the report repeatedly points out that because IT departments aren't handling their own internal security matters well at all, per the survey results, they could solve a lot of these problems by using a cloud resource instead. So, readers can expect to find a big chunk of marketing, along with dispassionate analysis, in this report.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

  • Exchange Server June Cumulative Updates Arrive, But with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.