OK so there aren’t any actual sharks and the leader does have a shameless pun, but it is an addendum, or part 2, to our original Cloud blog post which you can read here if you haven’t already. (It will open in a new window so you won’t lose you place)
Reading a survey from CIF last week (here), its clear to see that the number or at least the percentage of organisations using Cloud services, is increasing. This includes the public sector, perhaps an enlightened reader can tell us how much of that is driven in UK by G-Cloud.
However, its clear that the research term ‘Use of Cloud services’ could be a bit misleading. There are variations in service types – Platform services, Software Services and Infrastructure services and they are not all in growth.
Geographical references beyond ‘Europe’ are not available in the report, which makes it difficult to deep dive on the cause. However, according to the PWC Global State of Information Security Survey – in terms of ‘Government’, as we had noted Public Sector increased interest, IaaS is over-indexing in terms of uptake on this particular service type.
The same source highlights security concerns amongst Cloud users and if we refer these back to some of the points made in our original blog, the security policies of the data end location is clearly a very important and sensitive issue, this comes through with over 30% of respondents flagging this up and making it the top security threat in this survey.
One of the other things we highlighted back in January was the ability to be able to audit the data centre where your organisation’s data is held, this also comes through as a concern from Cloud users, including ‘Government’ users.
Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data are very important, as we said back in January. Whether this is achievable if going through a ‘broker’ style relationship for instance, is debatable. In these situations, the cost model the driver and so wherever the broker can source will be where the data sits or is moved to and this may not mean all of the data is in the same place either. Specifying end points, for instance, in a service level agreement may start to push the price up and so it is crucial you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PWC data, the CIF survey identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…
The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”
Its clear then that organisations need to go into the Cloud with its eyes wide open and armed with a comprehensive Risk Assessment. Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, it is in fact not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees and progress into the future securely.