Cloud Computing Security Policies, Procedures Lacking

The majority of companies deploying cloud computing solutions have no cloud-specific security policies and procedures in place and have no measures to approve or evaluate cloud applications that use sensitive of confidential information, Symantec uncovered in a recent survey.

According to the findings of the survey, conducted by Symantec and the Ponemon Institute, fewer than one in 10 companies evaluates their cloud vendors or trains their employees when it comes to cloud security.

Justin Somaini, Symantec’s Chief Information Security Officer, said the cloud’s has been a draw as businesses find the ability to work better and faster utilizing cloud services and applications, but many companies are hitching their wagons to the cloud without going through IT or the appropriate channels. Many of them are ’flying blind,’ he said.

’It’s as simple as signing up, logging in and going to town,’ Somaini said in an interview.

Somaini said the recent Symantec and Ponemon Institute survey highlights that the majority of companies lack adequate security policies to protect cloud-based data. The study, called ’Information Governance in the Cloud: A Study of IT Practitioners’ queried 637 senior IT practitioners working for midsized to large U.S. companies with 1,000 to 25,000 employees that have adopted cloud computing platforms.

The survey found that 27 percent of respondents’ organizations’ don’t have procedures in place for approving cloud applications that contain sensitive data. Meanwhile, 68 percent of respondents said that the ownership for evaluating cloud computing vendors resides with end users and business managers. ’Data is in the power of the users,’ Somaini said.

Additionally, just 20 percent of organizations queried said that their information security teams are involved in the decision making process while roughly 25 percent said the information security team never participated at all.

’There’s no formal vetting process,’ Somaini said. ’This is being done in a very ad-hoc and immature manner to some degree.’

And while Somaini said the survey revealed there are few policies and procedures in place regarding cloud security, 69 percent of responded did note that they would prefer to see the information security team or corporate IT lead the cloud decision making process.

’They are breaking the processes put into place to historically protect data,’ Somaini said. ’We know the cloud is becoming a more valuable technology, so this survey is a call to arms.’

Somaini said security in the cloud is only going to get worse before it gets better.

NEXT: Recommendations For A Secure Cloud Computing Environment

According to Somaini, only 30 percent of survey respondents said they evaluate cloud computing vendors prior to deploying their products; 65 percent of organizations evaluate cloud services by word of mouth; and only 23 percent require proof of security compliance such as SAS 70. Additionally, 18 percent of organizations said they rely on in-house security assessments while six percent rely on third-party assessments by security experts or auditors.

Somaini added that more than 75 percent of respondents noted that their cloud computing migrations were occurring in a less than ideal manner due to lack of control over end users; lack of resources to conduct proper evaluations; and lack the leadership to oversee the evaluation process.

The survey also revealed that only 19 percent of respondents’ companies’ provide general data security training that mentions cloud applications, while 42 percent said their companies offer general data security training that does not specifically address cloud applications.

’Cloud computing holds a great deal of promise as a tool for providing many essential business services, but our study reveals a disturbing lack of concern for the security of sensitive corporate and personal information as companies rush to join in on the trend,’ said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. ’In order to properly address information security concerns we encourage organizations to immediately incorporate policies and processes for determining vendor qualifications.

To quell potential cloud security problems, Symantec and the Ponemon Institute recommend companies formulate policies and procedures that state the importance of data protection in the cloud while outlining what is considered sensitive and proprietary information. It is also recommended that companies evaluate the security posture of third parties before sharing confidential information in the cloud and conduct thorough reviews and audits of vendor security qualifications. Somaini also suggested organizations adopt an information governance approach to include tools and procedures for classifying information and understanding risks to put in place policies that specify which cloud services and applications are appropriate and which are not. And before deploying cloud computing solutions companies should train employees on how to mitigate security risks to make sure data is protected, Symantec and Ponemon recommended.

’Today, organizations need stronger information governance for managing corporate information and enabling confidence in the cloud,’ Somaini said. ’The success of cloud computing hinges on the trust and confidence that can only occur when the information security teams have better visibility into the security posture and operations of cloud initiatives.’