PwC 2012 Information Security Breaches Survey asserts that more focus on security is needed for data stored in the cloud, but CIF believe the conclusion over simplifies the situation
Findings announced this week by PwC have shown that only 38 per cent of large firms using the cloud ensure that their data is encrypted and 56 per cent of small businesses do not check their external provider’s security levels. However a conclusion that widespread adoption of encryption of data remediates the issue oversimplifies the reality, costs and nature of risks asserts the Cloud Industry Forum.
In general CIF welcomes the PwC study and the fact it highlights the risks around a lack of understanding and/or due diligence by end-users adopting cloud based services, and we advocate the need for more education on the issues around security, privacy, sovereignty and portability of data, says Andy Burton, chairman of the Cloud Industry Forum.
Andy Burton says:
“However, in our opinion this survey highlights that much more needs to be done to mitigate the security risks around IT in general and not just cloud computing. From a cloud perspective though, three things need to happen to tackle this problem. Firstly, cloud providers need to be clearer up front with their prospects and customers at communicating the approach to security that they provide, and what options are available to adapt this, without of course compromising security in the process.
“Secondly, the language about classification of security risks and solutions need to be communicated in a standardised way, allowing procurers to easily compare and contrast different providers when making purchasing decisions. Thirdly, there needs to be a level of education amongst end-users on what they need to look out technically, commercially and legislatively to ensure data security when migrating to a cloud-based solution.”
"Whilst universal encryption may be appropriate as a solution in some scenarios it may equally be operationally inefficient and costly versus the identified risks in other scenarios where access control, firewalls, VPNs becomes more attractive and in any event a pragmatic approach is required to assess and balance risk and efficiency. For example, IaaS solutions where private clouds link to on-premise installations may be deployed for elements of commercial workflow and high data access may not be best served by encryption, whereas the laying down of large files of email or transaction data from a regulated industry may be better served by encryption – there is no universal silver bullet."
"The important principle is to remember that from a governance point of view end-users should not “outsource” the decision on their security requirement but should use the same best practices they use internally. In much the same way end-users cannot transfer their liability for Data Protection they should not assume without validating by due diligence or trusted standards that a Cloud Service provider is automatically operating to acceptable standards for the customer, industry or data type."
"The Cloud Industry Forum has taken important steps to address these issues by launching its industry-wide Code of Practice. The Code, which cloud service providers certify themselves against, is a practical way to gain the much needed transparency in the cloud industry."
Andy Burton continues:
“Cloud providers that are certified by the CIF Code of Practice have made a commitment to communicate their cloud offering in clear unambiguous terms and in a way that allows them to be compared to other providers. We advise all end-users to take the CIF Code of Practice as a blueprint for what information they should be demanding from potential suppliers of cloud solutions.”
“This research further validates the urgent need for end-user education and the importance of the professional industry players to adopt best practice and certifiable standards.”