
Most organizations falling short on cloud security policies

April 5, 2010
The vast majority of organizations fail to proactively safeguard sensitive business information that is being stored in the cloud, concluded a report released Monday by the Ponemon Institute.

According to a survey of 637 U.S. IT security practitioners, sponsored by Symantec, fewer than one in ten respondents said their organization evaluates cloud computing vendors or trains internal employees on cloud security.

Just 20 percent of respondents said their information security team is regularly involved in the decision-making process for cloud computing usage. One in four respondents said they were never involved.

Further, 53 percent of respondents said their organization has not yet implemented procedures for approving cloud applications that use sensitive data.

“A lot of organizations lack the right policies and procedures to ensure that sensitive information that is put in the cloud remains secure,” John Magee, vice president of Symantec's cloud strategy, told SCMagazineUS.com on Monday.

Regardless, the cloud computing model is being widely adopted, Magee said. In the survey, 71 percent of respondents said their organization utilized cloud-based business applications, such as Salesforce.com or webmail. Also, 56 percent of respondents said cloud-based storage services are being utilized. And most respondents said that in the future, they plan to make use of cloud computing services more intensively than they do today.

Despite its widespread utilization and potential for growth, cloud computing makes it more difficult to protect confidential or sensitive information, a majority of survey respondents said. Specifically, 80 percent of respondents said cloud computing makes it more difficult to control end-user access and 77 percent said it is harder to evaluate security compliance.

Organizations that adopt cloud computing need to ensure their vendor is adhering to strict data security procedures, Magee said.

“They [organizations] are still at the end of the day responsible for securing their information, regardless of who's delivering the service,” he said.

Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Monday that the study does not necessarily mean cloud computing is insecure.

“I believe there are probably instances where utilizing cloud computing will improve security,” Ponemon said. “Some cloud computing providers are doing a phenomenal job [to secure their customers' data] and others probably have a long way to go.”

If they haven't already, organizations should immediately implement policies and procedures that clearly state the importance of protecting sensitive information in the cloud, according to the report. These policies should outline the type of information that is considered sensitive.

In addition, before handing over any sensitive information to a third-party cloud computing provider, organizations should evaluate the security posture of that vendor, the report states. Specifically, a security or privacy head within the organization should take charge of vetting the purchase and implementation of cloud computing services.

Also, companies should train employees on mitigating the security risks of cloud computing, according to the report.
