Despite enthusiasm surrounding setting a cloud computing strategy, IT professionals lack confidence in their organizations’ abilities to secure cloud solutions and keep them compliant, a new SearchCompliance.com survey finds.
Only a third of survey respondents said they were confident that their cloud solutions were adequately secure and in compliance with all legal and regulatory requirements. Another 22% said their solutions weren’t secure or compliant. Perhaps most disconcerting? Close to half (45%) weren’t sure, meaning two thirds of respondents either do not know if their cloud solutions are secure, or are absolutely certain they are not.
“Most organizations don’t have a clue of what information they have and where it is stored, especially when it comes to the cloud,” said information security expert Kevin Beaver, during SearchCompliance.com’s Dec. 7 virtual trade show (VTS), “Making the Case for the Cloud,” from which the survey was procured. “I see organizations with formal information classification and retention programs for their internal information, but not a single piece of data within the cloud is included in that.”
Despite the wariness surrounding cloud security and compliance, it’s definitely not stopping businesses from moving forward with their cloud initiatives. The SearchCompliance.com survey of 235 IT professionals found respondents evenly split when asked if their organization had a cloud computing strategy in place, with 45% saying yes and 55% saying no.
Of those that answered no, however, 100% said their organizations planned to implement one in the next 12 months. When in the planning stages, it’s important to figure out exactly what services you need, said Dave Shackleford, chief technology officer at IANS Research.
“When you think about network security options and models available to you, it really depends on who your cloud providers are, as well as how you are using the cloud,” Shackleford said. “Different providers have different capabilities -- you need to do some homework here and understand exactly what they’ll offer you.”
Although respondents seemed enthusiastic about cloud deployment, most acknowledged that their organizations aren’t past the discussion phase. Sixty-five percent of those surveyed said their companies were “in discussions” for usage or deployment of a cloud computing strategy, while 16% are in the trial or piloting stage. Only 6.3% of respondents said they were actually implementing a cloud strategy, and 5% were in the production phase.
Cloud security a priority
Perhaps companies still in the cloud planning stages are busy trying to ensure that their data is protected: Security issues were by far cited as the greatest obstacle to cloud deployment, with 88% saying it was their biggest concern. This was followed by loss of ownership (62%) and vendor costs (40%).
To offset the security concerns, VTS presenters suggested communicating these concerns to cloud providers from the outset and asking how, exactly, they plan to handle them.
“Identity access management is really an issue -- you have to control the access to your information as it is on the cloud and you have to talk to your service providers about how your data is protected,” said independent governance, risk and compliance consultant Urs Fischer. “You have to have that in your contract and in your service-level agreements.”
Fischer said pointed questions such as “Where is the data sent?” and “How is it protected?” can help providers communicate a clearly defined cloud security strategy. It also helps to give hypothetical security scenarios and to ask how the service providers would plan to deal with them, he added.
“The service provider must show you how effective and robust their security controls are -- they have to assure you that your information is properly secured against unauthorized access,” Fischer said.
But despite the concerns surrounding cloud computing strategy, respondents were well aware of the potential benefits. Lower total cost of ownership was cited as the top driver of cloud deployment, followed by increased efficiency and enabled growth and expansion.
Simply moving to the cloud does not automatically achieve these benefits, however. Companies should complete a cost/benefit analysis and carefully outline exactly what they want in cloud security and their cloud service, and what makes sense from their business perspective.
“You need to understand your requirements -- please don’t go out and let a vendor sell you on what they have,” said Diana Kelley, a partner at Security Curve, during her presentation on choosing Software as a Service (SaaS) security. “You know what you have, what you need and what is important for success in your organization.”
Different providers have different capabilities -- you need to do some homework here and understand exactly what they’ll offer you.
Dave Shackleford, CTO, IANS Research
In what may be a reflection of the economy, companies seem unwilling to pay that much for the cloud security benefits. Fifty-five percent of respondents said less than 10% of their companies’ budgets are concentrated on cloud strategy, and 30% said cloud budgeting is 10% to 14% of overall spending.
However, 64% of respondents said they planned to invest in SaaS in 2012, and more than 40% said they planned to invest in storage and backup and/or Infrastructure as a Service. Forty-six percent said they planned to invest in cloud computing services for data management or storage, while 36% said they planned to use the cloud for applications specific to their industry.
Because cloud budgets are already tight, companies need to protect themselves when developing cloud service agreements to prevent incurring even more costs down the road, said Andrew Baer, a partner at Baer Crossey LLC.
“When choosing the terms of a contract, understand that technology changes rapidly in the cloud,” Baer said. “While the vendor may offer substantial pricing discounts if you sign up for a three- or five-year term, consider whether that allows you the flexibility you need to move to a different solution if the technology changes rapidly.”
The push for thorough planning and communication when developing a cloud computing strategy was a common theme throughout the VTS. As survey respondents showed, it’s important to think long-term and understand that with the many benefits that come with moving to the cloud, companies need to be prepared for the innumerable risks that go with it.
“The information risks we face aren’t going away, especially as we lose more and more control over security as we move toward the cloud,” Beaver said. “It’s up to you to hold people accountable and make things happen.”
Let us know what you think about the story; email Ben Cole, Associate Editor.