Venyu Blog

Talk about things that make you go hmmm…

According to research published by consultancy firm Ernst & Young and published in Computerworld, 69 percent of Australian companies surveyed were using or considering the use of Cloud computing services within the next 12 months.

That’s good.

On the other hand in that same survey of more  than 1,700 companies including 165 in Australia, 76 percent of respondents said they was an increasing level of risk due to external threats. But get this: only 42 percent of these firms had updated their information security strategy in the past year.

That’s bad.

The upside evidenced by this research — including 66 percent of respondents favoring external Cloud certification and another 35 percent adding that the certification should be based only on an agreed-upon standard — suggests there is an undercurrent of confidence in cloud computing.

But, is there a relationship between these two dynamics? Well, when companies appear to abdicate their position of data custodian to their managed services provider I think there is. In fact security by proxy is never a good idea, especially when it’s spurred by the belief that once data is out of sight, out of mind and off premises that security measures aren’t needed for what remains.

“Despite increasing Cloud adoption, many organizations in Australia are still unclear of the security implications of Cloud and are slow to adopt [strategies] therefore falling behind their global counterparts,” said Ernst & Young Australia information security leader, Mike Trovato.

“What we are seeing are organizations either moving to the Cloud prematurely and without appropriately considering the associated risk, or avoiding it altogether.”So, while their greatest fear is losing sight of data in the Cloud, few actually go looking for controls,” Trovato said.

Interestingly, while implementing and enforcing hardened security measures appear to go wanting, when it comes to the risks posed by social media, 55 percent of Australian respondents indicated that they were implementing policy adjustments, while 48 per cent had introduced security and social media awareness programs.

Trovato added that 11 per cent of respondents were presenting information security topics at each board meeting while 40 per cent were presenting topics every quarter. However, only 49 per cent stated that their information security strategy was meeting the needs of the company.

Ultimately, Trovato champions structured risk management policies aligned to migrating data to the cloud. “It’s time that security was elevated to the board room with a defined strategy that will support the business in the Cloud and elsewhere,” he said.

I think the take-away from this news is that like any new server or human resource the cloud at its core is a strategic asset to help you parse, manage and protect data. Of course there’s less risk of data loss associated with cloud computing; however, taking for granted that the cloud effectively substitutes for holistic security across your entire ecosystem is equivalent to giving the cloud too much credit for something it may not (yet) be able to deliver.

Moreover, I thoroughly reject the proposition that there is risk – considerable or otherwise – in migrating to or backing up data in the cloud. In fact, it’s precisely the insecurity of data – an inability to lock it down onsite – that enables and fortifies both the value and validation of the cloud as information warden, albeit a virtual one.

Indeed, no matter how the cards are cut, security― like safety― begins at home, or in this case your own data center.

Apparently it’s a lesson many Australian companies are still learning, or need to.