Governance Grows More Integral to Managing Cloud Computing Security Risks, Says Survey

Updated: April 07, 2010

Despite the ongoing clamor about cloud security and the anticipated growth of cloud computing, a meager 27 percent of those surveyed said their organizations have developed procedures for approving cloud applications that use sensitive or confidential information. Other surprising statistics from the study include:

  • Only 20% of information security teams are regularly involved in the decision-making process

  • Only 25% of information security teams aren't involved at all

  • Only 30% evaluate cloud computing vendors before deploying their products

  • Only 23% require proof of security compliance

  • A full 75% believe cloud computing migration occurs in a less-than-ideal manner

  • Only 19% provide data security training that discusses cloud applications

Focusing on information governance

IT vendors and suppliers, including the survey sponsor, Symantec, are lining up to help fill the evident gaps in enterprise cloud security tools, standards, best practices and culture adaptation. Symantec is making several recommendations for beefing up cloud security, beginning with ensuring that policies and procedures clearly state the importance of protecting sensitive information stored in the cloud.


"There needs to be a healthy, open governance discussion around data and what should be placed into the cloud," says Justin Somaini, Chief Information Security Officer at Symantec. "Data classification standards can help with a discussion that's wrapped around compliance as well as security impacts. Beyond that, it's how to facilitate business in the cloud securely. This cuts across all business units."

Symantec also recommends organizations adopt an information governance approach that includes tools and procedures for classifying information and understanding risk so that policies can be put in place that specify which cloud-based services and applications are appropriate and which are not.

"There's a lot of push for quick availability of services. You don't want to go through legacy environments that could take nine months or a year to get an application up and running," Somaini says. "You want to get it up an running in a month or two to meet the needs and demands of consumers. Working the cloud into IT is very important from a value-add perspective, but it's also important to make sure we keep an eye on compliance and security issues as well."

Featured Research