'

Cloud computing may make IT compliance auditing even cloudier

Most IT pros are unprepared for a compliance audit, survey shows. Is cloud to blame, at least partially?

Compliance is one of those thankless activities that add a lot more pain than gain to IT managers' and professionals' worklives. It's a matter of doing the minimum that needs to get done and be done with it, so one can get back to the good things, like building commerce and analytics systems.

forms-survey-2-photo-by-joe-mckendrick.jpg
Photo: Joe McKendrick

Accordingly, most IT departments are ill-prepared for any audits that may come their way. A new survey finds three out of five IT professionals say they're not ready for compliance audits.

That's the key takeaway from a survey of 313 IT professionals sponsored by Ipswitch. A majority, 59 percent, said they were not fully prepared to undergo an audit. Underscoring the point, 75 percent even admitted they lack the confidence that colleagues authorized to work with sensitive information are adequately protecting it.

There may be several issues at work that reduce IT's preparedness for compliance audits. Time is likely the leading culprit, as tending to compliance reporting is one more thing to be squeezed into a busy day. Related to that is lack of resources -- short-staffed IT departments may find it difficult to put someone on the case more than a few hours a week.

Some industry observers say cloud computing has made the matter of compliance even, well, cloudier. The results are "not surprising when you consider the degree to which cloud systems and mobile access have penetrated most enterprises," says Gerry Grealish, CMO of Perspecsys. "Cloud SaaS systems and BYOD policies take the control of enterprise data -- including sensitive data -- away from enterprise IT teams and put it in the hands of third party vendors. This makes conducting audits exponentially more difficult and time consuming."

Granted, Perspecsys' bread and butter is cloud security, but the amount of cloud activity bursting on the scene does dramatically raise the risk profile for data security -- and makes it even more complicated to track where data goes, who accesses it, and who abuses it. Plus, remember that 75 percent of IT pros are wary of how other parties are handling data.

Special Feature

Cloud Computing: Moving to IaaS

Infrastructure as a Service providers make a very compelling argument for businesses to stop running their own data centers and simply purchase server capacity on-demand and scale up and down as needed. This is our deep dive on IaaS strategy and best practices

Read More

The most costly aspects of compliance audits found in the Ipswitch survey include allocation of IT resources (52 percent), actual dollars spent (17 percent), critical project delays (18 percent), and emotional strain and stress (13 percent).

In fact, almost half of the IT professionals said they would rather do the following than go through a compliance audit: undergo a root canal procedure, work over the holidays, live without electricity for a week or eat a live jellyfish.

Not to worry, though -- data security audits, like root canal procedures or servings of jellyfish cuisine, tend to be few and far between. In a survey of 353 data managers I helped design and publish last year, we found that a large segment, 34 percent, only see audits once a year, if ever. Another 26 percent go through quarterly audits, and only 16 percent are audited, at a minimum, on a monthly basis. (The survey was underwritten by Oracle.)

Automating as much of the security process as possible may help address the challenges wrought by cloud. "Techniques such as on-the-fly tokenizing or encrypting data that policies identify as sensitive can help make the use of cloud applications much more manageable," says Grealish, noting that too much heavy-handed security approaches up front will only encourage more shadow IT.

The authors of the Ipswitch report also advise preparing for audits "with a managed file-transfer solution that provides centralized audit logs and reports for file transmission."