Cloud security still a struggle for many companies, survey finds

You want to embrace cloud computing because it makes your IT operations leaner and less expensive. But your understanding of cloud security hasn’t advanced much in the last year, so you have to be cautious.

2011 Global State of Information Security analysis

• Business partners a growing concern
• The cloud security struggle
• The CIO/CISO disconnect

That’s one of the takeaways from the Eighth Annual Global Information Security Survey CSO conducted along with sister publication CIO and PriceWaterhouseCoopers. Some 12,847 business and technology executives from around the world took the survey, and many admitted they’re still a bit scared with the idea of putting critical data in the cloud.

Also see part 1 of this series: Business partners a growing security concern

Sixty-two percent of you have little to no confidence in your ability to secure any assets that you put in the cloud. Even among the 49 percent of respondents who have ventured into cloud computing, more than a third (39 percent) have major qualms about security.

Asked what they think is the greatest risk to their cloud computing strategy, respondents said they were uncertain about their ability to enforce security policies at a provider site, and were concerned about inadequate training and IT auditing. James Pu, information security officer for the Los Angeles County Employees Retirement Association (Lacera), is among the skeptics. He says he loves the flexibility and agility cloud computing could provide, but he’s just not convinced that today’s cloud technology is ready for prime time.

“As good as it is today, you don’t have the same reliability as you have with a local-area network,” says Pu, who does double duty as Lacera’s CIO. “I also worry about the third parties involved.” Cloud vendors, he notes, use third parties to host data centers and hardware. And those hosts may hire people without doing necessary background screening. “When data goes into the cloud,” Pu says, “all it takes is a software bug to accidentally reveal my data.”

Before cloud computing can become universally accepted as a secure option, a few things have to happen, says Ken Pfeil, CSO for a large mutual fund company in the Boston area and formerly CSO for financial companies Capital IQ and Miradiant.

First, he says, security experts must come up with more specific guidelines for which kinds of data it is acceptable to store in the cloud, be it customer information or intellectual property. He also wants clarification from regulatory agencies such as the Securities and Exchange Commission as to how financial reporting controls should work in the cloud.

He’s not satisfied that those questions have been answered, especially when it comes to the kinds of financial data that can go to the cloud. Therefore, his company is avoiding it for now.

Larry Bonfante, CIO of the United States Tennis Association (USTA), on the other hand, is among those IT leaders who are cautiously moving to the cloud. From a security standpoint, his greatest concern is protecting consumer data — a tall order given that, for example, approximately 80 percent of tickets for U.S. Open matches are purchased online. He isn’t ready to let those transactions happen in the cloud yet because he is not convinced that all the technological pieces are in place to do it securely. But he feels differently about his back-end financial and reporting systems.

He’s moved all internal back-end systems to the Amazon Web Services platform, believing that Amazon’s security resources will supplement those of his own organization. Bonfante says the benefits include lower costs and fewer servers for his IT staff to baby-sit, which has allowed him to deploy new solutions more quickly. He says the cloud has also reduced the USTA’s carbon footprint: Less on-site hardware means less energy is used to power the IT shop.