UK firms have trust in cloud service security, but reality disappoints

UK firms believe moving some IT projects to the cloud will improve their overall security, yet they end up feeling less secure after the move.

Most UK companies believe moving their IT projects to the cloud will actually improve security. However, the reality has been a disappointment, according to the results of a new Symantec survey, as fewer than half of organizations have experienced security improvements via the cloud.

IT staff may not be able to determine the sensitivity of the information assets they are putting into the cloud. That risk-based decision should be taken by the business.

Adrian Seccombe,
Jericho Forum member

Symantec's 2011 State of Cloud Security report was based on a global study conducted last summer by Applied Research-West Inc., which polled C-level staff and IT managers of 5,300 organisations in 38 countries. Earlier this month, Symantec released country-specific findings from the report, including a report on the 200 respondents from the UK.

According to the report, UK companies have taken on cloud services to handle many basic IT projects, including Web security, email management, cloud backup and storage, virtual desktop infrastructure and log management.

The vast majority (91%) of UK respondents believe moving IT projects to the cloud would not damage security, or would improve it, and this positive attitude was reflected in the fact that 76% had either adopted or were in the process of adopting some sort of cloud service, with security services leading the way.

However, UK respondents also expressed worries over several aspects of cloud service security. The biggest fears were:

  • A malware outbreak at the cloud provider (61%);
  • Unintended data sharing in multi-tenanted cloud system (60%);
  • A user storing sensitive data on non-secured cloud services (60%);
  • Cloud provider being hacked (59%);
  • DDoS attack against cloud provider (58%);
  • Loss of data relevant to a court case (58%).

For companies that had already made the move to the cloud, the experience has been patchy. For example, while 86% of UK respondents had expected their security posture to improve with their move to the cloud, only 45% said they have realised this benefit.

Many of the UK respondents said their IT teams lacked the skills and experience to manage the transition of business systems to the cloud. Only one in four UK respondents said their IT staff had experience using the cloud, and around half said their IT teams were ill-prepared for cloud operation. Many said they were making up the shortfall by engaging a range of third parties to help, including value-added resellers and consultants.

Martin Lee, a senior intelligence analyst for the platform, said the actual cloud uptake figures could be higher than the survey findings indicate.

More on cloud adoption and security

UK companies adopt cloud eagerly, but often insecurely

Cloud adoption a higher priority for UK companies

“One large organisation we were talking to recently did an audit and found it was already using 40 different cloud services, even though it had not taken a formal decision to move to the cloud. People were using the cloud anyway to get jobs done,” Lee said. “This raises questions over IT governance, and IT staff need to provide advice to help departments make a success of the cloud.”

Adrian Seccombe, former CISO at pharmaceutical company Eli Lilly and a member of the Jericho Forum, a security think tank, insisted any decision over cloud usage had to be taken in close collaboration with business departments.

“IT staff may not be able to determine the sensitivity of the information assets they are putting into the cloud,” Seccombe said. “That risk-based decision should be taken by the business.”

However, Seccombe said companies tend to avoid undertaking data classification exercises, and this makes it difficult to determine which data is suitable for the cloud, and which isn’t.

“It is all relatively new, and companies have no way of assessing the reputation of different providers,” he said. “My advice is to start small, and to start by choosing information that won’t hurt if it gets compromised. That can be a way of gaining experience.”

Read more on Cloud security