Firms warned not to rush into the cloud

Security experts are warning that companies are rushing into cloud adoption without first understanding the risks and challenges involved.

William Beer, director of the assurance group at PricewaterhouseCoopers, said at the launch of the annual Global Information Security Survey (PDF) that he is seeing a lot of client interest in cloud computing, but that not enough focus is being put on governance and information security.

Two-thirds of survey respondents said that they are unaware of where their data is currently stored, and Beer argued that this problem will be compounded "from a physical and legal point of view" if and when they move to the cloud.

"There is far too much focus on the technology and cost savings aspects of cloud, and a common lack of understanding of the risks and challenges," he said.

"We are seeing clients moving very quickly into the cloud without undertaking a risk assessment, and that is a great concern to us. Some vendors might not provide enough rigour around their controls and processes."

The survey also highlighted the fact that many chief security officers place too great a focus on security technology rather than security policies, explained Beer.

For example, the number of firms with data loss prevention capabilities jumped from 29 percent in 2008 to 44 percent in 2009, but fewer than half of this year's respondents said that their organisation's security policies actually address the protection, disclosure and destruction of data.

"We are seeing too much focus on technology," said Beer. "There is also a disconnect between technology, policy and a clear understanding of where the data actually is."