Cloud-based software: Who is responsible for security in the cloud?

When it comes to cloud-based software and services, who is responsible for security and compliance in cloud computing? #GRCchat participants weigh in.

In the beginning, CIOs and security teams were hesitant to implement cloud-based software and services, with considerations ranging from data loss to asset protection to governance, risk and compliance (GRC) ramifications. Even as cloud computing has surged in popularity during the past decade, IT managers continue to weigh the risks of cloud against its benefits, and in doing so, must contemplate how existing and emerging regulations fit into the GRC matrix.

In our March #GRCchat, @ITCompliance asked participants, "Is security and compliance becoming more of a priority for cloud providers? Why or why not?" SearchCIO senior news writer Nicole Laskowski kicked things off with this hopeful remark:

Our tweet jammers are right: In a market crowded by a demand for better compliance and increased security, cloud-based software and service providers risk driving their own businesses into extinction should they ignore customer pleas for GRC assurances.

For IT organizations, choosing cloud-based software that fits business needs and carries an appropriate level of security is but one part of the battle. The next challenge is establishing GRC protocols around company assets stored in or accessed via the cloud. We asked our followers, "Who is responsible for security and maintaining GRC of data in the cloud: the company, provider or a combination of both?"

SearchCompliance site editor Ben Cole responded with a firm "both":

Other participants chimed in, insisting most -- if not all -- of the GRC responsibility lies with the organization whose assets are on the line, not the cloud provider that serves it:

Has your company ever had a disagreement with a provider of cloud-based software or services over GRC responsibilities? Let us know in the comments section below. For more from our #GRCchat, search the hashtag on Twitter. Our next tweet jam will be held on Thursday, April 24, at 12 p.m. EDT.

Who is responsible for maintaining GRC around data in the cloud?
The provider needs to ensure their systems are compliant or ready to be, and the company needs to make sure the provider is up to the task, as well as ensuring that their data is secured properly before going to the cloud.
Regulatory governance for cloud GRC is still in the emerging stage. The undefined areas in cloud GRC make both the cloud provider and user responsible.