In the rush to realize the cost savings offered by cloud computing, many companies are foregoing safety concerns. That's the conclusion of a just released survey conducted by the Ponemon Institute and sponsored by Symantec.
"Despite widespread interest in adopting cloud computing technologies, many organizations are 'flying blind' with respect to making them secure, potentially putting their business operations, company data and customer information at risk," said Justin Somaini, Symantec's chief information security officer.
What makes this situation potentially even more dangerous is that this move to the cloud is frequently carried out without the approval or even the knowledge of the CIO and/or CSO, and without consideration of the security concerns involved. "Over and over we see a tendency for organizations to rush to adopt a new technology without fully understanding the security implications, and it's no different with cloud computing," Larry Ponemon, chairman and founder of the Ponemon Institute, told CIOZone. "Our research shows a disturbing lack of concern for strategic thinking with cloud computing. We know that organizations with a CIO/CSO with oversight responsibility for critical processes are a lot better prepared for managing the information security risk."
The survey was based on responses from 637 senior IT practitioners working for medium to large U.S. companies that have adopted cloud platforms.
Here are nine factors that CIOs and CSOs should be aware of as their companies move to the cloud.
Who Evaluates the Vendors?
In the majority of organizations, major gaps exist between those currently evaluating cloud computing vendors and the IT and security chiefs who ideally should be responsible. Of the organizations surveyed, 68 percent indicated that ownership for evaluating cloud vendors resides with end users and business managers. Only 20 percent of the organizations surveyed reported that IT security teams are regularly involved in the decision-making process, while more than a quarter said IT security was not involved at all.
Word of Mouth
According to the survey, almost two thirds of organizations evaluate cloud services by word of mouth. More than half also take the vendor's word on contractual agreements and assurances. Only 23 percent require proof of security compliance such as SAS 70. Less than 20 percent require in-house security assessment.
Not quite 70 percent indicated they would prefer to see IT security or corporate IT teams lead the cloud decision-making process. At the same time, more than 75 percent noted that the cloud migration was occurring in a less-than-ideal manner, due to lack of control over end users, lack of resources to conduct proper evaluations and lack of leadership to oversee the process.
Less than 20 percent of survey respondents indicated that their company's data security training includes cloud applications, while 42 percent said their training does not specifically discuss cloud applications.
Based on the survey findings, Symantec is recommending that policies and procedures be put in place stating the importance of securing sensitive information stored in the cloud. The policies should define what information is sensitive and proprietary.
Symantec also says organizations should adopt an information governance approach to cloud computing that includes tools and procedures for classifying their information and understanding risk so that policies can be implemented that specify which cloud-based services and applications are appropriate and which are not.
As part of the vendor evaluation process, corporate IT and/or information security experts should conduct a thorough review and audit of the vendor's security qualifications.
Finally, before deploying cloud technology, companies should formally train employees on how to mitigate cloud-based security risks.