Simply Security - News, Views, and Opinions from Trend Micro

Posted on August 29th, 2012 in Cloud Computing, Cloud Security by Simply Security | Be the first to comment | Tags: cloud computing, Cloud Security

Companies must evaluate third-party environments before migrating sensitive information.

Cloud computing is on the rise in the private sector, lifted by the technology's promise to reduce IT expenses, enhance remote access to application and boost employee performance. Despite this proliferation, many decision-makers are still concerned about the Software-as-a-Service model's ability to secure mission-critical information.

This conclusion comes from a new Gartner study that polled 425 IT risk management executives from companies located around the world. The results revealed that companies fear for the protection of sensitive information and, as a result, tend to implement different risk assessments for cloud service providers, which heavily influences their decision to share data with a third party.

Risk assessments vary is type and importance

Gartner asked companies to weigh in on data security, disaster recovery and risk management procedures in regard to sharing information in different environments. The study found that 38 percent of organizations have policies in place against giving business partners access to mission-critical data. Likewise, about 20 percent of decision-makers said they do not use Platform- or Infrastructure-as-a-Service for hosting sensitive records, while 26 percent said the same for SaaS.

Twenty-nine said they even banned migrating sensitive processes to outsourced data centers, Gartner noted.

"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," said Jay Heiser, research vice president at Gartner.

The study revealed that companies are more likely to use IaaS and PaaS environments than SaaS because of questionnaires deployed to assess the virtual landscape's data protection capabilities. In regard to IaaS and PaaS, decision-makers often leverage the solutions to resolve a unique problem the organization is facing. SaaS evaluations, on the other hand, tend to target the vendor's standards, ensuring it is capable of hosting and securing sensitive resources.

Gartner said that even more companies are against migrating sensitive information to outsourced data centers, making avoidance the No. 1 way to mitigate risk associated with doing so.

"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," Heiser said. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."

A separate report by IDC noted that the traditional data center market is experiencing significant challenges as new deployment models, such as cloud computing, outsourcing, hosting and colocation trends, continue to emerge and offer companies a more seamless way to balance cost, efficiency and availability. Since security is still a major factor when it comes to migrating sensitive information off-premise, however, many decision-makers are choosing to keep sensitive solutions on-site.

The best way to mitigate risk when considering moving sensitive information off-premise to a third party's environment is to conduct a robust assessment of the vendor and its policies. In doing so, decision-makers can ensure they only move confidential data to areas that are able to protect it from harm, whether those threats are insiders or outsiders. If a company fails to conduct this analysis, it is putting mission-critical information at risk.

Cloud Security News from SimplySecurity.com by Trend Micro