Most organisations falling short on cloud security policies

The vast majority of organisations fail to proactively safeguard sensitive business information that is being stored in the cloud, according to a report released by the Ponemon Institute.

According to a Symantec-sponsored survey of 637 IT security practitioners in the US, fewer than one in ten respondents said their organisation evaluates cloud computing vendors or trains internal employees on cloud security.

Just 20 percent of respondents said their information security team is regularly involved in the decision-making process for cloud computing usage. One in four respondents said they were never involved.

Further, 53 percent of respondents said their organisation has not yet implemented procedures for approving cloud applications that use sensitive data.

“A lot of organisations lack the right policies and procedures to ensure that sensitive information that is put in the cloud remains secure,” John Magee, vice president of Symantec's cloud strategy, told SCMagazineUS.com.

Regardless, the cloud computing model is being widely adopted, Magee said. In the survey, 71 percent of respondents said their organisation utilised cloud-based business applications, such as Salesforce.com or webmail. Also, 56 percent of respondents said cloud-based storage services are being utilised. And most respondents said that in the future, they plan to make use of cloud computing services more intensively than they do today.

Despite its widespread utilisation and potential for growth, cloud computing makes it more difficult to protect confidential or sensitive information, a majority of survey respondents said. Specifically, 80 percent of respondents said cloud computing makes it more difficult to control end-user access and 77 percent said it is harder to evaluate security compliance.

Organisations that adopt cloud computing need to ensure their vendor is adhering to strict data security procedures, Magee said.

“They [organisations] are still at the end of the day responsible for securing their information, regardless of who's delivering the service,” he said.

Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com that the study does not necessarily mean cloud computing is insecure.

“I believe there are probably instances where utilising cloud computing will improve security,” Ponemon said. “Some cloud computing providers are doing a phenomenal job [to secure their customer's data] and others probably have a long way to go.”

If they haven't already, organisations should immediately implement policies and procedures that clearly state the importance of protecting sensitive information in the cloud, according to the report. These policies should outline the type of information that is considered sensitive.

In addition, before handing over any sensitive information to a third-party cloud computing provider, organisations should evaluate the security posture of that vendor, the report states. Specifically, a security or privacy head within the organisation should take charge of vetting the purchase and implementation of cloud computing services.

Also, companies should train employees on mitigating the security risks of cloud computing, according to the report.

See original article on scmagazineus.com

Cloud Computing