'

UK business cloud usage under 10 percent, says survey

Professor says security is "lowly bedfellow" in cloud assessment, and more stringency is needed

Use of cloud computing is "immature" and few companies that have not already embraced it have plans to do so, according to a survey of IT and security professionals released Tuesday.

Just 8.9 percent of UK respondents to the survey, conducted by the Information Systems Audit and Control Association (Isaca), said they planned to use cloud computing for their mission-critical IT services. Nearly one-third said they would not use cloud computing for any IT services though 40 percent already use it in some form, the survey found.

Isaca, a global organisation that represents 86,000 technology professionals, said cloud computing usage was "relatively immature" and that organisations often failed to balance the risks and benefits. Many respondents to the survey admitted they found risk assessment difficult, with 54 percent of UK respondents classing their organisation as being only "somewhat effective".

"Organisations need an integrated risk management approach to identify, assess and prioritise risks, so that they only take appropriate gambles with acceptable consequences or level of reward. Enterprises must never crash and burn because the risk was ignored or misjudged," Paul Williams, Isaca's strategy chair, said.

However, 31 percent of organisations surveyed said they were hampered in assessing risk by budgetary constraints.

John Walker, a professor at Nottingham Trent University's School of Computing and Informatics, said that only some businesses were proficient at judging risk. They are usually the organisations that are holding back from cloud computing, he told ZDNet UK on Wednesday.

"There is a big push to push everything away into someone else's hands. They [businesses] should be far more stringent about requiring from the holder of their information the information that they require. Security policies should be extended outside the business the same as you would have inside the business, because the security issues are the same in the cloud as in the corporate," Walker said.

The professor warned that organisations were usually evaluating cloud computing as a means of saving money, but security was often undervalued. "In the majority of reviews I've done, the initial requirement is to save costs with security being a lowly bedfellow. A lot of people will take that risk," he said.

As well as security, there are three other risks to cloud computing, Walker said. These are gradually increasing costs, the security of suppliers' systems, and the difficulty organisations could face in terms of skills shortages if they subsequently bring their systems back in-house.

Despite the concerns around cloud computing, several initiatives have recently been established to help inform businesses. One, launched in February, is a consortium of service providers, vendors, government organisations and consultants that aims to provide a Common Assurance Metric (CAM), trying to make it easier for businesses to compare the security features offered by cloud-computing providers.

Education on how to manage the risks of cloud computing is being provided by the European Network and Information Security Agency (Enisa) — the EU's security advisory agency — and the Cloud Security Alliance, a group which now includes most of the world's largest security vendors.