Governance grows more integral to managing cloud computing security risks, says survey
Most enterprises lack three essential ingredients to ensure that
sensitive information stored via cloud
computing hosts remains secure:
policies and tools. So says a joint survey called
“Information Governance in
the Cloud: A Study of IT Practitioners” from
Symantec Corp. and Ponemon Institute.
holds a great deal of promise as a tool for providing many
essential business services, but our study reveals a disturbing
lack of concern
for the security of sensitive corporate and personal
information as companies rush to join in on the
trend,” said Dr. Larry Ponemon,
chairman and founder of the Ponemon Institute.
Where is cloud security training?
Despite the ongoing clamor about
cloud security and the
anticipated growth of cloud computing, a meager 27 percent of
those surveyed said their organizations have developed procedures for approving cloud
applications that use sensitive or confidential information.
Other surprising statistics from the study include:
- Only 20% of information security teams are regularly involved
in the decision-making process
- Only 25% of information security teams
aren’t involved at all
- Only 30% evaluate cloud computing vendors before deploying
- Only 23% require proof of security compliance
- A full 75% believe cloud computing migration occurs in a
- Only 19% provide data security training that discusses cloud
Focusing on information governance
IT vendors and suppliers, including the survey sponsor, Symantec,
are lining up to help fill the evident gaps in enterprise cloud
security tools, standards, best practices and culture adaptation.
Symantec is making several recommendations for beefing up cloud
security, beginning with ensuring that policies and procedures
clearly state the importance of protecting sensitive information
stored in the cloud.
“There needs to be a healthy, open governance
discussion around data and what should be placed into the
cloud,” says Justin
Somaini, Chief Information Security Officer at Symantec.
classification standards can help with a discussion
that’s wrapped around compliance as well as
security impacts. Beyond that, it’s how to
facilitate business in the cloud securely. This cuts across all
Symantec also recommends organizations adopt an information
governance approach that includes tools and procedures for
classifying information and understanding risk so that policies
can be put in place that specify which cloud-based services and
applications are appropriate and which are not.
“There’s a lot of push for quick
availability of services. You don’t want to go
through legacy environments that could take nine months or a year
to get an application up and running,” Somaini
says. “You want to get it up and running in a
month or two to meet the needs and demands of consumers.
Working the cloud into IT is very important from a value-add
perspective, but it’s also important to make
sure we keep an eye on compliance and security issues as
Evaluating and Training Issues
Beyond governance, there are also cloud security issues around
third-parties and employee training that Symantec recommends
incorporating into the discussion. Specifically, Symantec
promotes evaluating the security posture of third parties before
sharing confidential or sensitive information.
Companies should formally train employees how to mitigate the
security risks specific to the new technology to make sure
sensitive and confidential information is protected prior to
deploying cloud technology, said Symantec.
The big question is: Are we getting closer to being able to offer
cloud solutions with which enterprises can feel comfortable?
Somaini says we’re getting close.
“It's really 'buyer-beware' from a customer
perspective. Not all cloud providers are the same. Some work from
the beginning in a conscious and deliberate effort to make sure
their services are secure. They can provide that confidence in
the form of certifications,” Somaini says.
“Cloud service providers are going to have to
comply and drive security into their solutions and offer that
evidence. We’re getting there but we've got some
ways to go.”
BriefingsDirect contributor Jennifer LeClaire provided editorial
assistance and research on this post.