Businesses are concerned about the management and privacy of data they entrust to cloud computing service providers, but not many are doing anything about it, according to a Deloitte survey.
It's unclear whether that's because they lack the means to make sure cloud providers are actually protecting data the way they say they will or whether businesses don't have the processes established to conduct evaluations, according to the survey report "Enterprise@Risk: Privacy & Data Protection Survey."
Of those surveyed, 82.6% say they haven't implemented formal programs to assess how well providers comply with the privacy and data management provisions that they agree to in service contracts, and this is a problem, Deloitte says.
"You cannot put out in a third-party cloud data storage, e-mail and financial applications and say I am obliged to meet data laws, regulations and contractual agreements and not have some mechanism of assurance in place," says Rena Mears, partner and leader with Deloitte's security and privacy services.
But that is what most businesses are doing, according to the survey. It could be that managing cloud vendors is still a new game to corporations, and they haven't matured the process, Deloitte says. Or it could be that it is just too difficult to test and audit providers' cloud environments to see whether they measure up, so the job doesn't get done.
But the bottom line is that the corporation whose data is breached is ultimately liable for the breach, not the service provider that agreed to protect it adequately, Mears says.
So businesses using cloud computing services should perform ongoing risk assessment of the data that is trusted to the cloud, Mears says. Data should be classified for its sensitivity and regarded as a business asset from which the business is trying to derive the maximum return.
Business executives need to weigh the cost savings and benefits of moving data to the cloud against the potential risks that it could encounter in providers' clouds, she says.
It's not that business executives are ignoring problems; they have a lot of new circumstances on their plates that they have not dealt with before. "The marketplace is changing and companies are adapting to data flows in more places to achieve more objectives in complex regulatory environments," Mears says.
Cloud computing isn't just being added to a static business environment, she says. Rather, the environment is changing rapidly, with rising costs, data moving globally and regulations that are getting stricter, more numerous and that can change from country to country.
Still, concern about enforcing regulatory and contractual requirements is not the top concern businesses have about cloud computing; it's protecting corporate intellectual property. Of those who responded, 30% worried most about intellectual property, with ability to enforce regulatory and contractual requirements ranking No. 2 with 20.7%. Unauthorized use of data ranked third with 15.1%.
The number of businesses facing these questions today is significant and growing. According to Deloitte, nearly 45% of respondents have already bought cloud computing services and 22% say they are considering them.
Customers of these services use them for data storage (27.7%), e-mail (12.8%), financial applications (17%) and database applications (16.1%).
Mears says she expects that the industry will come up with acceptable approaches for managing data in the cloud so it is treated in accordance with business and governmental regulations. The International Organization for Standardization, National Institute of Standards and Technology as well as ad hoc groups such as the Cloud Security Alliance are working on frameworks for enforcing privacy and protection of data in the cloud.