Information security professionals baulk at putting sensitive data in cloud

11 May 2012

Despite the apparent enthusiasm around cloud computing, a survey of information security professionals by Wisegate revealed that more than half believe the cloud is too risky and only suitable for commodity applications like CRM or e-mail.

When asked if they were moving protected class data into the public cloud, 53% of senior IT practitioners from companies in financial services, healthcare, consumer products, and automotive industries, as well as from government agencies, said that the cloud was too risky and they have no near-term plans to adopt cloud for such applications.

“There is a chasm between what we are hearing in the hype over cloud computing and where security people really are”, commented Sara Gates, founder and chief executive officer of Wisegate, a social networking site for information security professionals. “People are taking a measured approach to the kinds of things that they are moving to the cloud”, she told Infosecurity.

Only 16% of Wisegate members responded that they were moving ahead with cloud computing plans, but they emphasized that they would need a comprehensive contract and a service-level agreement (SLA) in place with the cloud provider. Another 25% said their organization was apprehensive about cloud computing but had some near-term plans in place.

A number of Wisegate members reported that government or industry regulations (such as the Health Insurance Portability and Accountability Act or Sarbanes-Oxley) deter them from adopting cloud-based applications.

“The risk for a healthcare company to move protected health data into the cloud is huge. If I have some medical condition and the information gets breached, it is never unbreached”, Gates observed.

For those organizations that are putting applications like email in the cloud, Wisegate members offered a few keys to doing so: (1) ensure that SLAs cover connectivity, response time, uptime, and issue resolution; (2) know what the maximum “send” and “receive” limits are for each mailbox and for the entire organization; and (3) understand the disaster recovery and digital archiving processes offered by the service provider.

In terms of lessons learned about adopting cloud computing, Wisegate members advised organizations “to start small, be really crisp with your use cases and requirements, and, when negotiating with a vendor, get specific on the vendor’s responsibility” regarding security, Gates concluded.
