Cloud computing may make IT compliance auditing even cloudier
Accordingly, most IT departments are ill-prepared for any audits that may come their way. A new survey finds three out of five IT professionals say they're not ready for compliance audits.
That's the key takeaway from a survey of 313 IT professionals sponsored by Ipswitch. A majority, 59 percent, said they were not fully prepared to undergo an audit. Underscoring the point, 75 percent even admitted they lack the confidence that colleagues authorized to work with sensitive information are adequately protecting it.
There may be several issues at work that reduce IT's preparedness for compliance audits. Time is likely the leading culprit, as tending to compliance reporting is one more thing to be squeezed into a busy day. Related to that is lack of resources -- short-staffed IT departments may find it difficult to put someone on the case more than a few hours a week.
Some industry observers say cloud computing has made the matter of compliance even, well, cloudier. The results are "not surprising when you consider the degree to which cloud systems and mobile access have penetrated most enterprises," says Gerry Grealish, CMO of Perspecsys. "Cloud SaaS systems and BYOD policies take the control of enterprise data -- including sensitive data -- away from enterprise IT teams and put it in the hands of third party vendors. This makes conducting audits exponentially more difficult and time consuming."
Granted, Perspecsys' bread and butter is cloud security, but the amount of cloud activity bursting on the scene does dramatically raise the risk profile for data security -- and makes it even more complicated to track where data goes, who accesses it, and who abuses it. Plus, remember that 75 percent of IT pros are wary of how other parties are handling data.
The most costly aspects of compliance audits found in the Ipswitch survey include allocation of IT resources (52 percent), actual dollars spent (17 percent), critical project delays (18 percent), and emotional strain and stress (13 percent).
In fact, almost half of the IT professionals said they would rather do the following than go through a compliance audit: undergo a root canal procedure, work over the holidays, live without electricity for a week or eat a live jellyfish.
Not to worry, though -- data security audits, like root canal procedures or servings of jellyfish cuisine, tend to be few and far between. In a survey of 353 data managers I helped design and publish last year, we found that a large segment, 34 percent, only see audits once a year, if ever. Another 26 percent go through quarterly audits, and only 16 percent are audited, at a minimum, on a monthly basis. (The survey was underwritten by Oracle.)
Automating as much of the security process as possible may help address the challenges wrought by cloud. "Techniques such as on-the-fly tokenizing or encrypting data that policies identify as sensitive can help make the use of cloud applications much more manageable," says Grealish, noting that too much heavy-handed security approaches up front will only encourage more shadow IT.
The authors of the Ipswitch report also advise preparing for audits "with a managed file-transfer solution that provides centralized audit logs and reports for file transmission."