IT-Analysis.com
IT-Analysis.com Logo
Business Issues Compliance
Business Issues Channels Enterprise Services SME Technology
Module Header
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - Managed Print Services: Are SMBs Ready?
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - The Managed Print Services (MPS) Opportunity for SMBs
Simon HollowayThe Holloway Angle
Simon Holloway
11th April - Intellinote - capture anything!
David NorfolkThe Norfolk Punt
David Norfolk
11th April - On the road to Morocco
Philip HowardBloor IM Blog
Philip Howard
10th April - Attunity Gold Client

Analysis

Governance grows more integral to managing cloud computing security risks, says survey
Dana Gardner By: Dana Gardner, Principal Analyst, Interarbor Solutions
Published: 8th April 2010
Copyright Interarbor Solutions © 2010
Logo for Interarbor Solutions

Most enterprises lack three essential ingredients to ensure that sensitive information stored in via cloud computing hosts remains secure: procedures, policies and tools. So says a joint survey called “Information Governance in the Cloud: A Study of IT Practitioners” from Symantec Corp. and Ponemon Institute.

Cloud computing holds a great deal of promise as a tool for providing many essential business services, but our study reveals a disturbing lack of concern for the security of sensitive corporate and personal information as companies rush to join in on the trend,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

Where is cloud security training?

Despite the ongoing clamor about cloud security and the anticipated growth of cloud computing, a meager 27 percent of those surveyed said their organizations have developed procedures for approving cloud applications that use sensitive or confidential information. Other surprising statistics from the study include:

  • Only 20% of information security teams are regularly involved in the decision-making process
  • Only 25% of information security teams aren’t involved at all
  • Only 30% evaluate cloud computing vendors before deploying their products
  • Only 23% require proof of security compliance
  • A full 75% believe cloud computing migration occurs in a less-than-ideal manner
  • Only 19% provide data security training that discusses cloud applications

Focusing on information governance

IT vendors and suppliers, including the survey sponsor, Symantec, are lining up to help fill the evident gaps in enterprise cloud security tools, standards, best practices and culture adaptation. Symantec is making several recommendations for beefing up cloud security, beginning with ensuring that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud.

“There needs to be a healthy, open governance discussion around data and what should be placed into the cloud,” says Justin Somaini, Chief Information Security Officer at Symantec. “Data classification standards can help with a discussion that’s wrapped around compliance as well as security impacts. Beyond that, it’s how to facilitate business in the cloud securely. This cuts across all business units.”

Symantec also recommends organizations adopt an information governance approach that includes tools and procedures for classifying information and understanding risk so that policies can be put in place that specify which cloud-based services and applications are appropriate and which are not.

“There’s a lot of push for quick availability of services. You don’t want to go through legacy environments that could take nine months or a year to get an application up and running,” Somaini says. “You want to get it up an running in a month or two to meet the needs and demands of consumers. Working the cloud into IT is very important from a value-add perspective, but it’s also important to make sure we keep an eye on compliance and security issues as well.”

Evaluating and Training Issues

Beyond governance, there are also cloud security issues around third-parties and employee training that Symantec recommends incorporating into the discussion. Specifically, Symantec promotes evaluating the security posture of third parties before sharing confidential or sensitive information.

Companies should formally train employees how to mitigate the security risks specific to the new technology to make sure sensitive and confidential information is protected prior to deploying cloud technology, said Symantec.

The big question is: Are we getting closer to being able to offer cloud solutions with which enterprises can feel comfortable? Somaini says we’re getting close.

“It's really 'buyer-beware' from a customer perspective. Not all cloud providers are the same. Some work from the beginning in a conscious and deliberate effort to make sure their services are secure. They can provide that confidence in the form of certifications,” Somaini says. “Cloud service providers are going to have to comply and drive security into their solutions and offer that evidence. We’re getting there but we've got some ways to go.”

BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.

You may also be interested in:

Advertisement



Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761
Email: