Seeking Alpha

Dana Gardner's  Instablog

Dana Gardner
Dana Gardner is president and principal analyst at Interarbor Solutions (www.interarbor-solutions.com), an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software productivity trends and new IT business growth opportunities, honed his skills and...
My company:
Interarbor Solutions, LLC
My blog:
Dana Gardner's BriefingsDirect
  • Governance grows more integral to managing cloud computing security risks, says IT practitioner survey
    Apr 7, 2010 9:58 AM | about stocks: SYMC, AMZN, GOOG, MSFT, HPQ, IBM, ORCL
    Most enterprises lack three essential ingredients to ensure that sensitive information stored via cloud computing hosts remains secure: procedures, policies and tools. So says a joint survey called “Information Governance in the Cloud: A Study of IT Practitioners” from Symantec Corp. and Ponemon Institute.

    “Cloud computing holds a great deal of promise as a tool for providing many essential business services, but our study reveals a disturbing lack of concern for the security of sensitive corporate and personal information as companies rush to join in on the trend,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

    Where is cloud security training?

    Despite the ongoing clamor about cloud security and the anticipated growth of cloud computing, a meager 27 percent of those surveyed said their organizations have developed procedures for approving cloud applications that use sensitive or confidential information. Other surprising statistics from the study include:
    • Only 20% of information security teams are regularly involved in the decision-making process
    • Only 25% of information security teams aren’t involved at all
    • Only 30% evaluate cloud computing vendors before deploying their products
    • Only 23% require proof of security compliance
    • A full 75% believe cloud computing migration occurs in a less-than-ideal manner
    • Only 19% provide data security training that discusses cloud applications

    Focusing on information governance

    IT vendors and suppliers, including the survey sponsor, Symantec, are lining up to help fill the evident gaps in enterprise cloud security tools, standards, best practices and culture adaptation. Symantec is making several recommendations for beefing up cloud security, beginning with ensuring that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud.

    “There needs to be a healthy, open governance discussion around data and what should be placed into the cloud,” says Justin Somaini, Chief Information Security Officer at Symantec. “Data classification standards can help with a discussion that’s wrapped around compliance as well as security impacts. Beyond that, it’s how to facilitate business in the cloud securely. This cuts across all business units.”

    Symantec also recommends organizations adopt an information governance approach that includes tools and procedures for classifying information and understanding risk so that policies can be put in place that specify which cloud-based services and applications are appropriate and which are not.

    “There’s a lot of push for quick availability of services. You don’t want to go through legacy environments that could take nine months or a year to get an application up and running,” Somaini says. “You want to get it up and running in a month or two to meet the needs and demands of consumers. Working the cloud into IT is very important from a value-add perspective, but it’s also important to make sure we keep an eye on compliance and security issues as well.”

    Evaluating and Training Issues

    Beyond governance, there are also cloud security issues around third parties and employee training that Symantec recommends incorporating into the discussion. Specifically, Symantec promotes evaluating the security posture of third parties before sharing confidential or sensitive information.

    Companies should formally train employees how to mitigate the security risks specific to the new technology to make sure sensitive and confidential information is protected prior to deploying cloud technology, said Symantec.

    The big question is: Are we getting closer to being able to offer cloud solutions with which enterprises can feel comfortable? Somaini says we’re getting close.

    “It's really 'buyer-beware' from a customer perspective. Not all cloud providers are the same. Some work from the beginning in a conscious and deliberate effort to make sure their services are secure. They can provide that confidence in the form of certifications,” Somaini says. “Cloud service providers are going to have to comply and drive security into their solutions and offer that evidence. We’re getting there but we've got some ways to go.”
    BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached at http://www.linkedin.com/in/jleclaire and http://www.jenniferleclaire.com.
    Disclosure: Long GOOG.