Cloud-based software: Who is responsible for security in the cloud?

When it comes to cloud-based software and services, who is responsible for security and compliance in cloud computing? #GRCchat participants weigh in.

In the beginning, CIOs and security teams were hesitant to implement cloud-based software and services, with considerations ranging from data loss to asset protection to governance, risk and compliance (GRC) ramifications. Even as cloud computing has surged in popularity during the past decade, IT managers continue to weigh the risks of cloud against its benefits, and in doing so, must contemplate how existing and emerging regulations fit into the GRC matrix.

In our March #GRCchat, @ITCompliance asked participants, "Is security and compliance becoming more of a priority for cloud providers? Why or why not?" SearchCIO senior news writer Nicole Laskowski kicked things off with this hopeful remark:

Our tweet jammers are right: In a market crowded by a demand for better compliance and increased security, cloud-based software and service providers risk driving their own businesses into extinction should they ignore customer pleas for GRC assurances.

For IT organizations, choosing cloud-based software that fits business needs and carries an appropriate level of security is but one part of the battle. The next challenge is establishing GRC protocols around company assets stored in or accessed via the cloud. We asked our followers, "Who is responsible for security and maintaining GRC of data in the cloud: the company, provider or a combination of both?"

SearchCompliance site editor Ben Cole responded with a firm "both":

Other participants chimed in, insisting that most -- if not all -- of the GRC responsibility lies with the organization whose assets are on the line, not with the cloud provider serving it:

Has your company ever had a disagreement with a provider of cloud-based software or services over GRC responsibilities? Let us know in the comments section below. For more from our #GRCchat, search the hashtag on Twitter. Our next tweet jam will be held on Thursday, April 24, at 12 p.m. EDT.

This was last published in April 2014

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Who is responsible for maintaining GRC around data in the cloud?
The provider needs to ensure their systems are compliant or ready to be, and the company needs to make sure the provider is up to the task, as well as ensuring that their data is secured properly before going to the cloud.
Regulatory governance for cloud GRC is still in the emerging stage. The undefined areas in cloud GRC make both the cloud provider and user responsible.