Risk assessment key to cloud adoption, says Isaca
There is mass confusion among small and medium businesses about cloud computing, says Amar Singh, chair of Isaca UK
There is mass confusion among small and medium businesses about cloud computing, according to Amar Singh, chair of security advisory group Isaca UK.
“Most are not aware of what to do, mainly because of the mass of offerings,” he told the opening session of the EuroCACS Information Security and Risk Management Conference in London.
Singh said he has lost track of the cloud offering due to a deluge of services including software, infrastructure, governance, risk and storage.
But this is a challenge all organisations need to meet, because Singh believes everyone is going to move to the cloud eventually because cloud is the default platform for all new products and services.
The key, he said, is for the migration to be led by the business, according to carefully conducted risk assessments. “Risk must be addressed at the business level,” said Singh.
According to CapGemini, just over 45% of businesses currently want to move to the cloud, compared with 46% of IT departments.
“This is a good thing, because business needs to drive and understand the value of the cloud,” said Singh.
The challenges to cloud adoption lie in things such as the location of data, leaving cloud services, the number of parties involved in cloud services, and government surveillance, he said.
more on cloud security
- Why the cloud is not a security nightmare
- Enterprise security moving to the cloud, says Gartner
- Cloud: security threat or solution?
- Cloud security still top concern for UK CIOs, survey shows
- Six security issues to tackle before encrypting cloud data
“All these things need to be included in the risk assessment process. If this is done properly, it will identify what are the most appropriate and valuable cloud services for any business,” he said.
Singh said that while the cloud had many benefits to offer, not all services are right for all businesses, so it is important to select only those appropriate to a business in the light of a proper risk assessment.
Another key to cloud adoption is to make security around using cloud as easy as possible, he said, warning that if security is too onerous, people in the business will use cloud services secretly without supervision or control.
Ultimately, the cloud security challenge is more about people, process and policy than technology, said Singh.
But, as a final word of caution, he said anyone using cloud storage should not do so without encrypting their data: “Failure to encrypt data in the cloud is asking for trouble.”