Data security has to be a concern when talking about cloud computing, especially when talking about regulated data such as patient records, credit card numbers and other personal information. Laws require that type of data to be given special protection. So, it might be surprising to learn that compliance practitioners—those people whose job it is to make sure that type of data is secure—are less concerned about cloud security than their colleagues in the IT department.
A new survey by the Ponemon Institute asked IT security managers and compliance professionals about their sense of risk when using public or private cloud infrastructure services. Compliance officers apparently are either more optimistic or less paranoid than the guys in IT. Asked if they think infrastructure-as-a-service (IaaS) environments are as secure as their in-house data center, about half of the compliance respondents said "yes." Only one-third of the IT respondents felt that way. And when asked if their organization has adequate technology to maintain a secure IaaS environment, 42 percent of compliance people said "yes," whereas only 35 percent of the IT people responded affirmatively.
"There is also a significant difference in agreement between IT and compliance respondents with respect to whether their organization has sufficient policies and procedures that enable the safe and secure use of cloud infrastructure," the Ponemon analysts report.
The survey found that only 34 percent of IT respondents believe this, as opposed to 52 percent of the compliance respondents.
However, the compliance managers do exhibit more caution when it comes to one thing: trusting the people in the IT department. They believe encryption should be used to prevent IT administrators from accessing regulated data. IT respondents, on the other hand, favor encryption to prevent their IaaS providers from accessing data. By the way, only 31 percent of those surveyed said their cloud provider uses encryption.
If you keep up with threats to IT systems, such as this recent one, you might scratch your head over several other key findings in the survey:
1) While there are concerns about security, the evaluation of the security of IaaS providers is rated as a low priority or not a priority.
2) A majority of IT and compliance respondents agree that their organizations "are not proactive in ensuring the security of cloud providers" and that cloud providers are selected with no vetting of their security practices. They don't even ask internal auditors to do a review.
3) There is uncertainty over who in the organization is responsible for making sure data stored in the cloud is secure, "making it difficult to implement an enterprisewide data security strategy."
Ponemon's researchers conclude that despite differences between the IT and compliance samples, both groups are concerned about the security of sensitive or confidential data placed in the cloud infrastructure environment. They might say they're concerned, but other responses make you wonder if they're planning to act upon that concern.
Perhaps the most baffling revelation is this: 73 of the 613 IT security practitioners who took the survey said they are "not familiar" with cloud computing. Really, IT Guy? Really?

