Cloud security still a struggle for many companies, survey finds
Despite the value many companies see in cloud computing, a lot of you are still afraid of the security implications, according to this year's Global Information Security Survey.
By Bill Brenner, Senior Editor
September 30, 2010 — CSO
You want to embrace cloud computing because it makes your IT operations leaner and less expensive. But your understanding of cloud security hasn't advanced much in the last year, so you have to be cautious.
That's one of the takeaways from the Eighth Annual Global Information Security Survey, which CSO conducted along with sister publication CIO and PricewaterhouseCoopers. Some 12,847 business and technology executives from around the world took the survey, and many admitted they're still a bit scared by the idea of putting critical data in the cloud.
Sixty-two percent of you have little to no confidence in your ability to secure any assets that you put in the cloud. Even among the 49 percent of respondents who have ventured into cloud computing, more than a third (39 percent) have major qualms about security.
Asked what they think is the greatest risk to their cloud computing strategy, respondents said they were uncertain about their ability to enforce security policies at a provider site, and were concerned about inadequate training and IT auditing. James Pu, information security officer for the Los Angeles County Employees Retirement Association (Lacera), is among the skeptics. He says he loves the flexibility and agility cloud computing could provide, but he's just not convinced that today's cloud technology is ready for prime time.
"As good as it is today, you don't have the same reliability as you have with a local-area network," says Pu, who does double duty as Lacera's CIO. "I also worry about the third parties involved." Cloud vendors, he notes, use third parties to host data centers and hardware. And those hosts may hire people without doing necessary background screening. "When data goes into the cloud," Pu says, "all it takes is a software bug to accidentally reveal my data."
Before cloud computing can become universally accepted as a secure option, a few things have to happen, says Ken Pfeil, CSO for a large mutual fund company in the Boston area and formerly CSO for financial companies Capital IQ and Miradiant.
First, he says, security experts must come up with more specific guidelines for which kinds of data it is acceptable to store in the cloud, be it customer information or intellectual property. He also wants clarification from regulatory agencies such as the Securities and Exchange Commission as to how financial reporting controls should work in the cloud.