Cloud-based software: Who is responsible for security in the cloud?

When it comes to cloud-based software and services, who is responsible for security and compliance in cloud computing? #GRCchat participants weigh in.


In the beginning, CIOs and security teams were hesitant to implement cloud-based software and services, with considerations ranging from data loss to asset protection to governance, risk and compliance (GRC) ramifications. Even as cloud computing has surged in popularity during the past decade, IT managers continue to weigh the risks of cloud against its benefits, and in doing so, must contemplate how existing and emerging regulations fit into the GRC matrix.

In our March #GRCchat, @ITCompliance asked participants, "Is security and compliance becoming more of a priority for cloud providers? Why or why not?" SearchCIO senior news writer Nicole Laskowski kicked things off with this hopeful remark:

Our tweet jammers are right: In a market crowded by a demand for better compliance and increased security, cloud-based software and service providers risk driving their own businesses into extinction should they ignore customer pleas for GRC assurances.

For IT organizations, choosing cloud-based software that fits business needs and carries an appropriate level of security is but one part of the battle. The next challenge is establishing GRC protocols around company assets stored in or accessed via the cloud. We asked our followers, "Who is responsible for security and maintaining GRC of data in the cloud: the company, provider or a combination of both?"

SearchCompliance site editor Ben Cole responded with a firm "both":

Other participants chimed in, insisting most -- if not all -- of the GRC responsibility lies with the organization whose assets are on the line, not with the cloud provider serving it:

Has your company ever had a disagreement with a provider of cloud-based software or services over GRC responsibilities? Let us know in the comments section below. For more from our #GRCchat, search the hashtag on Twitter. Our next tweet jam will be held on Thursday, April 24, at 12 p.m. EDT.

This was last published in April 2014


Emily McLaughlin asks:

Who is responsible for maintaining GRC around data in the cloud?
