Companies ignore cloud security

Published 26 April 2010

New study finds that few businesses build security into cloud contracts; in fact, three-quarters of businesses surveyed said they had no procedures and policies for using cloud computing; sixty-eight percent said end users and business managers — not the organization’s IT professionals — are made responsible for evaluating cloud computing vendors.

A new study by Symantec and the Ponemon Institute reveals that an alarmingly low number of organizations have procedures in place for approving cloud applications that use sensitive information. One security expert, however, warns that the study assumes cloud computing is not secure when, really, the jury is still out.

Techworld’s Kathleen Lau writes that the study shows that only 27 percent of IT professionals surveyed said their organizations have procedures and policies for using cloud computing. The sort of rudimentary process typically seen is based on word of mouth, said Larry Ponemon, chairman and founder of the Ponemon Institute. “If your friend at company X tells you this is a really good product for sales force automation because I see their name on the side of the building, they must be good,” said Ponemon.

The study is based on surveys with IT professionals regarding cloud computing procurement practices. The study also revealed that only 20 percent of those surveyed said information security teams are regularly involved in the decision-making process. Sixty-eight percent said end users and business managers are made responsible for evaluating cloud computing vendors.

Ponemon said the issue has moved from the conventional world of people, process, and checklists to the new cloud computing world where the usual due diligence is often bypassed. “Now we have end users making business decisions and procuring technologies that may be in the sensitive and confidential arena,” he said.

Francis Ho, security expert and executive committee member of the Federation of Security Professionals (FSP), points out that the stats are initially alarming if one assumes cloud computing is fraught with security risks. “But if you are presupposing that cloud computing is secure, then (the numbers) don’t surprise me,” said Ho.

Lau quotes Ho as saying that many large companies he has come into contact with do not even have an approval process for traditional applications. As for the high percentage of line-of-business users tasked with cloud vendor assessments, Ho said cloud computing vendors will naturally push the technology by touting how secure it is. If line-of-business people are drawn into that vendor marketing, then naturally they will not think to liaise with the information security folks. “Why would I involve the IT folks if I want to buy laundry services for my shirts?” said Ho.