Most enterprises lack three essential ingredients to ensure that sensitive information stored in via cloud computing hosts remains secure: procedures, policies and tools. So says a joint survey called “Information Governance in the Cloud: A Study of IT Practitioners” from Symantec Corp. and Ponemon Institute.
“Cloud computing holds a great deal of promise as a tool for providing many essential business services, but our study reveals a disturbing lack of concern for the security of sensitive corporate and personal information as companies rush to join in on the trend,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
Where is cloud security training?
Despite the ongoing clamor about cloud security and the anticipated growth of cloud computing, a meager 27 percent of those surveyed said their organizations have developed procedures for approving cloud applications that use sensitive or confidential information. Other surprising statistics from the study include:
- Only 20% of information security teams are regularly involved in the decision-making process
- Only 25% of information security teams aren’t involved at all
- Only 30% evaluate cloud computing vendors before deploying their products
- Only 23% require proof of security compliance
- A full 75% believe cloud computing migration occurs in a less-than-ideal manner
- Only 19% provide data security training that discusses cloud applications
Focusing on information governance
IT vendors and suppliers, including the survey sponsor, Symantec, are lining up to help fill the evident gaps in enterprise cloud security tools, standards, best practices and culture adaptation. Symantec is making several recommendations for beefing up cloud security, beginning with ensuring that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud.
“There needs to be a healthy, open governance discussion around data and what should be placed into the cloud,” says Justin Somaini, Chief Information Security Officer at Symantec. “Data classification standards can help with a discussion that’s wrapped around compliance as well as security impacts. Beyond that, it’s how to facilitate business in the cloud securely. This cuts across all business units.”
Symantec also recommends organizations adopt an information governance approach that includes tools and procedures for classifying information and understanding risk so that policies can be put in place that specify which cloud-based services and applications are appropriate and which are not.
“There’s a lot of push for quick availability of services. You don’t want to go through legacy environments that could take nine months or a year to get an application up and running,” Somaini says. “You want to get it up an running in a month or two to meet the needs and demands of consumers. Working the cloud into IT is very important from a value-add perspective, but it’s also important to make sure we keep an eye on compliance and security issues as well.”
Evaluating and Training Issues
Beyond governance, there are also cloud security issues around third-parties and employee training that Symantec recommends incorporating into the discussion. Specifically, Symantec promotes evaluating the security posture of third parties before sharing confidential or sensitive information.
Companies should formally train employees how to mitigate the security risks specific to the new technology to make sure sensitive and confidential information is protected prior to deploying cloud technology, said Symantec.
The big question is: Are we getting closer to being able to offer cloud solutions with which enterprises can feel comfortable? Somaini says we’re getting close.
“It's really 'buyer-beware' from a customer perspective. Not all cloud providers are the same. Some work from the beginning in a conscious and deliberate effort to make sure their services are secure. They can provide that confidence in the form of certifications,” Somaini says. “Cloud service providers are going to have to comply and drive security into their solutions and offer that evidence. We’re getting there but we've got some ways to go.”
BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.
You may also be interested in: