Cloud Computing Security Policies, Procedures Lacking


The majority of companies deploying cloud computing solutions have no cloud-specific security policies and procedures in place and have no measures to approve or evaluate cloud applications that use sensitive or confidential information, Symantec uncovered in a recent survey.

According to the findings of the survey, conducted by Symantec and the Ponemon Institute, fewer than one in 10 companies evaluates their cloud vendors or trains their employees when it comes to cloud security.

Justin Somaini, Symantec’s Chief Information Security Officer, said the cloud has been a draw as businesses find the ability to work better and faster utilizing cloud services and applications, but many companies are hitching their wagons to the cloud without going through IT or the appropriate channels. Many of them are “flying blind,” he said.

“It’s as simple as signing up, logging in and going to town,” Somaini said in an interview.

Somaini said the recent Symantec and Ponemon Institute survey highlights that the majority of companies lack adequate security policies to protect cloud-based data. The study, called “Information Governance in the Cloud: A Study of IT Practitioners,” queried 637 senior IT practitioners working for midsized to large U.S. companies with 1,000 to 25,000 employees that have adopted cloud computing platforms.

The survey found that 27 percent of respondents’ organizations don’t have procedures in place for approving cloud applications that contain sensitive data. Meanwhile, 68 percent of respondents said that the ownership for evaluating cloud computing vendors resides with end users and business managers. “Data is in the power of the users,” Somaini said.

Additionally, just 20 percent of organizations queried said that their information security teams are involved in the decision-making process, while roughly 25 percent said the information security team never participated at all.

“There’s no formal vetting process,” Somaini said. “This is being done in a very ad-hoc and immature manner to some degree.”

And while Somaini said the survey revealed there are few policies and procedures in place regarding cloud security, 69 percent of respondents did note that they would prefer to see the information security team or corporate IT lead the cloud decision-making process.

“They are breaking the processes put into place to historically protect data,” Somaini said. “We know the cloud is becoming a more valuable technology, so this survey is a call to arms.”

Somaini said security in the cloud is only going to get worse before it gets better.

 
