Businesses fail to monitor cloud security

Businesses are concerned about the privacy of data held by cloud providers, but are not doing anything about it, according to Deloitte.

It's unclear whether that's because they lack the means to make sure cloud providers are actually protecting data the way they say they will or whether businesses don't have the processes established to conduct evaluations, according to a Deloitte report Enterprise@Risk: Privacy & Data Protection Survey.

Of those surveyed, 82.6 percent say they haven't implemented formal programmes to assess how well providers comply with the privacy and data management provisions that they agree to in service contracts, and this is a problem, Deloitte said.

"You cannot put out in a third-party cloud data storage, email and financial applications and say I am obliged to meet data laws, regulations and contractual agreements and not have some mechanism of assurance in place," says Rena Mears, partner and leader with Deloitte's security and privacy services.

But that is what most businesses are doing, according to the survey. It could be that managing cloud vendors is still a new game to corporations, and they haven't matured the process, Deloitte says. Or it could be that it is just too difficult to test and audit providers' cloud environments to see whether they measure up, so the job doesn't get done.

But the bottom line is that the corporation whose data is breached is ultimately liable for the breach, not the service provider that agreed to protect it adequately, Mears says.

So businesses using cloud computing services should perform ongoing risk assessment of the data that is trusted to the cloud, Mears said. Data should be classified for its sensitivity and regarded as a business asset from which the business is trying to derive the maximum return.

Business executives need to weigh the cost savings and benefits of moving data to the cloud against the potential risks that it could encounter in providers' clouds, she added.

It's not that business executives are ignoring problems; they have a lot of new circumstances on their plates that they have not dealt with before. "The marketplace is changing and companies are adapting to data flows in more places to achieve more objectives in complex regulatory environments," Mears said.

Cloud computing isn't just being added to a static business environment, she said. Rather, the environment is changing rapidly, with rising costs, data moving globally and regulations that are getting stricter, more numerous and that can change from country to country. Still, concern about enforcing regulatory and contractual requirements is not the top concern businesses have about cloud computing; it's protecting corporate intellectual property.

Of those who responded, 30 percent worried most about intellectual property, with ability to enforce regulatory and contractual requirements ranking second with 20.7 percent. Unauthorized use of data ranked third with 15.1 percent.

The number of businesses facing these questions today is significant and growing. According to Deloitte, nearly 45 percent of respondents have already bought cloud computing services and 22 percent say they are considering them.

Mears says she expected the industry to come up with acceptable approaches for managing data in the cloud so that it is treated in accordance with business and governmental regulations. The International Organisation for Standardization, National Institute of Standards and Technology as well as ad hoc groups such as the Cloud Security Alliance are working on frameworks for enforcing privacy and protection of data in the cloud.