Cloud security has moved out of the IT department and into the boardroom according to a recent survey from the Cloud Security Alliance (CSA) which states that 61% of executives are now involved in cloud projects. But the rise of cloud to the upper echelons may not be quite the boon to adoption it first appears.
While the report found that concern over security of data was still the biggest barrier to cloud adoption at 73%, 38% of EU companies also cited lack of knowledge and experience among management as another cause of inertia, suggesting a knowledge gap is harming progress.
Cloud security may now be on the boardroom agenda, but with no one in the room experienced enough to guide the conversation, how will this help move migration forward? Uninformed decisions increase risk to the organisation and there’s clear evidence to suggest that such decisions are being taken because the survey also reports that 55% of IT professionals had been pressured to approve an application or device that did not meet the organisations security or compliance requirements.
The inference is that project management and timescales are now taking precedence over security, with IT relegated to being little more than a cog in the wheel of cloud migration.
Balance of power
While the move from purely technical IT-dominated projects to strategic business-driven ones is to be welcomed (after all effective security is about process rather than product), it seems the shift in the balance of power may have gone too far.
In addition to sacrificing the valuable input from IT, many projects are leaving other important players out in the cold. Line-of-business leaders, for instance, were found to be the least likely to be asked to join the company cloud governance committee by the survey. This seems madness given that the enforcement of these policies at grass roots level will need to come from these people, especially given that only 22% of the companies surveyed had an employee awareness programme.
Clearly, management is not focusing on its core competencies by curtailing or excluding these players and nor is it admitting when it needs help. Some of the other top challenges identified by the very comprehensive survey of more than 200 IT and security professionals across the Americas, EMEA and APAC regions were: loss of control over IT services (38%), meeting regulatory compliance (38%), and concern over business continuity and disaster recovery (28%). It seems to me that these issues are all problems the cloud service provider (CSP) could assist with.
Stepping up to the plate
There’s no reason why the organisation shouldn’t seek assistance and even guidance from the CSP on how to effectively protect data in the cloud.
The problem is that CSPs have been averse to stepping up to the plate. CSPs have acted like network providers, doling out capacity, and have avoided getting their hands dirty by dealing with assurance. But this is a prime opportunity for the CSP to build a relationship with the client, differentiate its offering and demonstrate its ability to handle data securely.
A more proactive stance is needed whereby the CSP provides real assurance, guiding the organisation towards the right level of security and the right services for them. Look for CSPs that can offer varying levels or ‘Impact Levels’ of security service that are backed by accreditation and certification.
>See also: How to secure data in the cloud
Thankfully, it’s not all bad news. The survey reports that executives in EMEA are more involved in cloud discussions (68%) compared to other regions because we observe strict data privacy requirements (although this is also down to our ‘suspicions over US surveillance’). Europe also came out on top when it came to the importance awarded to cloud security, with 50% of respondents agreeing this was a priority.
The CSA survey concludes that small businesses need to invest more in security controls to protect data in the cloud, but many SMEs actually benefit from better security in the cloud. The assurance afforded by an integrated secure cloud service far surpasses the network protection most SMEs have inhouse.
The report also suggests large enterprises need to continue to invest in cloud services to gain competitive advantage but it stops short of addressing how they can further improve their cloud security, by looking at disaster recovery provisions for instance.
Look at cloud not as a boardroom issue, nor an IT issue, but as a holistic change for the entire enterprise. Without that consensus, you have no control. Change requires buy-in from all stakeholders, effective management, and the forging of a strong partnership with trusted providers if cloud migration is to succeed.
Sourced from Jamal Elmellas, technical director, tolomy