"Concerns about cloud service provider security have become counterproductive, and are distracting CIOs and CISOs from establishing the organisational, security and governance processes that prevent Cloud security and compliance mistakes," says Jay Heiser, Vice President of Gartner Research
"The naive belief that cloud providers are entirely responsible for their customers' security means that many enterprises are failing to address how their employees use external applications," adds Heiser. Such an approach leaves them free to share "huge amounts" of often-inappropriate data with other employees, external parties and sometimes the entire internet.
"The characteristics of the parts of the Cloud stack under customer control can make it easy for inexperienced users to adopt poor Cloud practices, which can lead to widespread security or compliance failures," explains Heiser.
"Secure and regulatory-compliant use of public Clouds requires that enterprises implement and enforce clear policies on usage responsibility and cloud risk acceptance processes," he added. "Organisations that don't take a strategic approach to the secure use of Cloud computing could find themselves in an un-secure, inflexible or uncompetitive situation."
Ultimately, responsibility for security lies not just with the cloud provider but also with customers, who must exert control over the Cloud and the data within it.
Cloud and Security are Business Enablers
Cloud security is now regarded as a supporter of business growth and innovation rather than as an inhibitor. This is the complete opposite of how security has traditionally been thought of, that is, as the brakes on innovation and the counter to usability.
This change has come with the creation of the Chief Information Security Officer (CISO), which is becoming an increasingly common role in enterprises, giving security more influence at the strategy level. This is allowing security strategies to be built alongside company-wide digital strategies.
Having an agreed-upon security strategy that is communicated to senior management means that security considerations can influence product and service development projects from an early stage. For enterprises where this is established, it becomes less a matter of the CISO saying "we can't do this" and more a matter of "here are the risks and the cost to secure it". This turns security into a business decision that is factored in at an early stage, rather than a separate cost that is tacked on later.
Crucially, cloud and security have become more a matter of clearly and accurately communicating levels of risk to project stakeholders, agreeing upon the acceptable level of risk and then managing it, rather than trying to block projects altogether.
Furthermore, the ability to demonstrate certain security compliance standards can also help win business by acting as a business differentiator. This is certainly the case when applying for Government tenders in Singapore and is likely to become an increasingly common aspect of contracts in the near future, which will help attach a dollar value to the benefits of security compliance beyond just reduced risk.