The cloud is looming over the IT and business information worlds. Cloud computing potentially has much to offer firms. It can relieve their IT departments of much of the burden of managing infrastructure details. And because cloud resources are rented, not purchased, capacity can be quickly adjusted to meet needs. Thus costly data-center capacity needed for peak demands does not have to be left sitting idle the rest of the time.
What the cloud does not do is exempt companies from watching out for their own security. No matter what cloud vendors promise, if something goes wrong it is your data that might be compromised or lost.
This security challenge is growing as the cloud itself grows. The Security for Business Innovation Council, an international group of security professionals drawn from 19 major companies, notes that even "mission-critical apps and regulated data" are now being placed in the cloud.
And as a result, according to the Council, cloud computing is emerging as the leading "disruptive technology" in 2013.
As the Council report, "Information Security Shake-Up," notes, security concerns remain the chief barrier to cloud adoption. Yet companies and even some regulators are increasingly willing to put their faith in the cloud.
Even as some organizations still hold back because of security, others are jumping into the cloud in spite of "gaps" in security planning. At many companies, middle managers are a driving force for cloud adoption. They see good business reasons for cloud computing. But as the Council report warns, "middle managers don't want to use their resources on security."
The report urges security teams to reach out to middle managers. It also advises security professionals to emphasize the need for security controls in dealing with cloud vendors. Another section of the report warns of the related risks from social media. Even employees' personal use of social media can open the door to security threats.
A common thread runs through all these specific points of good advice. Many things can be outsourced, but final responsibility for an organization's security is not one of them. Companies and other organizations cannot trust cloud vendors (or social media firms, or other third parties) to take over protection of their critical data.