When asked if they were moving protected class data into the public cloud, 53% of senior IT practitioners from companies in financial services, healthcare, consumer products, and automotive industries, as well as from government agencies, said that the cloud was too risky and that they had no near-term plans to adopt cloud for such applications.
“There is a chasm between what we are hearing in the hype over cloud computing and where security people really are”, commented Sara Gates, founder and chief executive officer of Wisegate, a social networking site for information security professionals. “People are taking a measured approach to the kinds of things that they are moving to the cloud”, she told Infosecurity.
Only 16% of Wisegate members responded that they were moving ahead with cloud computing plans, but they emphasized that they would need a comprehensive contract and a service-level agreement (SLA) in place with the cloud provider. Another 25% said their organization was apprehensive about cloud computing but had some near-term plans in place.
A number of Wisegate members reported that government or industry regulations (such as the Health Insurance Portability and Accountability Act or Sarbanes-Oxley) deter them from adopting cloud-based applications.
“The risk for a healthcare company to move protected health data into the cloud is huge. If I have some medical condition and the information gets breached, it is never unbreached”, Gates observed.
For those organizations that are putting applications like email in the cloud, Wisegate members offered a few keys for doing so: (1) ensure that SLAs cover connectivity, response time, uptime, and issue resolution; (2) know what the maximum “send” and “receive” limits are for each mailbox and for the entire organization; and (3) understand the disaster recovery and digital archiving processes offered by the service provider.
In terms of lessons learned about adopting cloud computing, Wisegate members advised organizations “to start small, be really crisp with your use cases and requirements, and, when negotiating with a vendor, get specific on the vendor’s responsibility” regarding security, Gates concluded.