Skip to content
Microsoft Secure

clip_image002As cloud computing matures, a growing number of organizations are interested in moving to cloud environments to help lower IT costs, increase efficiencies, and realize greater flexibility.

However, organizations that consider cloud computing have also voiced a number of concerns. In multiple studies over the past several years, security and privacy are commonly cited as top concerns.  For example, Intel IT Pro Research (May 2012) of 800 IT pros found that more than 54% were very concerned and 87% were very or moderately concerned about security and data protection in public clouds.

These concerns speaks to a larger issue, that of trusting one’s information assets to the policies, processes and procedures of another organization.

Today Microsoft releases the Trends in cloud computing report, which analyzes the results of current IT maturity and adoption practices of organizations worldwide that have used the free Cloud Security Readiness Tool (CSRT). The data consists of answers provided by people who used the CSRT over a six-month period between October 2012 and March 2013. Approximately 5700 anonymous responses to the CSRT’s 27 questions were received from around the world.

In October 2012, Microsoft Trustworthy Computing released the free Cloud Security Readiness Tool to help organizations accelerate their assessment of adopting cloud computing. The CSRT builds on the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and is an interactive, easy-to-use survey that consists of 27 questions. The questions are designed to obtain information about an organization’s industry and the maturity level of the organization’s current IT infrastructure. Each question relates to a control area in the CSA CCM.

The CSRT uses respondent information to provide relevant guidance in a custom report that helps organizations better understand their existing IT capabilities, more easily evaluate cloud services in critical areas, and learn about compliance issues. It considers several areas, including security policy capabilities, personnel capabilities, physical security capabilities, privacy capabilities, asset and risk management capabilities, and reliability capabilities.

The CSRT has been available for a little over six months and has been used by hundreds of organizations around the world to help them better understand their current IT state and the potential cloud benefits listed in the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR). This report analyzes the response data from this time period in an effort to learn about the current IT maturity levels of organizations that have used the tool.

At the highest level of analysis, most respondents indicated that their existing IT states were still getting started or making progress. Respondent answers to only one question (question 25, which relates to deploying antivirus/antimalware software), appears to indicate relative maturity for the average respondent.



The answers that reflected the most advanced maturity levels overall were in the following areas:

  • #25. (CCM IS-21). Information Security. Antivirus / Antimalware Software (+14.7%)
  • #27. (CCM SA-12). Security Architecture. Clock Synchronization (- 0.4%)
  • #6. (CCM FS-02). Facility Security. User Access by Role (- 5.8%)

It is perhaps encouraging that malware protection is relatively mature on average, but less so when you consider that almost 45% of respondents indicated they are getting started or making progress.

The answers that reflected the least advanced maturity levels overall—and therefore the areas in which organizations could most benefit from the cloud—were in the following areas:

  • #11. (CCM HR-02). Human Resources Security. Employment Agreements
  • #21. (CCM OP-03). Operations Management. Capacity / Resource Planning
  • #19. (CCM IS-23). Information Security. Incident Reporting
  • #5. (CCM LG-01). Legal. Nondisclosure Agreements
  • #9. (CCM OP-04). Operations Management. Equipment Maintenance

Although there is not a clear common theme that ties these answers together, it is noteworthy that these areas all require budget beyond deployment of a technical solution.

I encourage you to read the new trends in cloud computing report to learn about IT maturity and adoptions practices of global companies; and run the tool survey and review your organization’s custom report. These steps can provide a solid picture of your organization’s current IT state so you’re in a better position to evaluate the benefits and concerns of cloud adoption or grow services to meet your changing business needs over time.