Cloud FUD far removed from reality, finds research

There is a discrepancy between the perception of data security in the cloud and the actual security breaches experienced by cloud users

Research has revealed a discrepancy between the perception ofdata security in the cloud and the actual security breaches experienced by enterprises using cloud services in the UK, making cloud fear, uncertainty and doubt (FUD) baseless.

The study by industry body the Cloud Industry Forum (CIF) found that data security and data protection were the primary concerns for senior IT and business decision-makers in the UK when it came to cloud services.

A wide majority (88%) of respondents said they were concerned to some extent about their data in the cloud.

Security still ranks as the number one reason for organisations not wishing to move specific applications to the cloud (75%), the study found.

About 61% of respondents cited data security as their key cloud concern, while 54% cited data privacy and 28% admitted to fears around data sovereignty in the cloud.

Yet only 2% of organisations admitted to experiencing a cloud service-related data security breach.

While cloud adoption continues to increase at pace, the perceived threat is clearly not the real position, so must be countered and resolved by a professional industry and informed users, according to the Cloud Industry Forum.

Only 2% of organisations admitted to experiencing a cloud service-related data security breach

The findings should be seen as solid reinforcement that the perception of cloud being inherently less secure than on-premise IT is far removed from the reality experienced by users of cloud services, said CIF chief executive Alex Hilton.

“Despite the significant growth in adoption and penetration of cloud services, it’s clear from the research that the market remains somewhat confused and uncertain as to the legal, regulatory and security environment surrounding the market. This is arguably driven by the continued FUD being peddled in the media following recent developments in European data protection regulation and the revelations about Prism.”

The study also revealed that enterprises rated cloud applications related to data backup/disaster recovery as the highest risk (36%), followed by HR applications such as payroll and personnel (33%) and data storage services (30%).

The research also found that just under half (44%) have actively changed the way they use cloud following the Prism revelations, including almost one in 10 having changed their cloud service provider entirely.

“This issue is as much about perceptions as actual risk, presenting something of a challenge for the industry, said Richard Pharro, chief executive of APM Group, CIF’s independent certification partner.

“Although more businesses than ever are open to cloud to some extent, changing the perception that cloud is insecure will take time,” he said.

There are, however, a number of things that the industry can do to hurry the process along – certification being one of them, experts advised: “It’s simply not enough to say ‘trust that we will look after your data’ – the industry must prove its worth."

The CIF Code of Practice offers cloud providers the chance to demonstrate their capabilities and commitment in an open, upfront and verifiable way, helping to build trust with users,” said Pharro.

Larger regulated businesses are most cautious about cloud adoption, and this is where hybrid cloud becomes relevant, said CIF's Hilton.

“Hybrid cloud enables organisations to combine the best of both worlds to fit both their technology needs and mandatory regulatory requirements. This will also help them manage data concerns. Businesses are right to be concerned about their data, but this applies as much to cloud environments as to on-premise,” he said.

At a recent Westminster eForum seminar on cloud computing, experts argued that cloud can be secure and can drive business innovation, but only when implemented correctly. To overcome security concerns, organisations must outline cloud usage policies and guidelines and train and educate their staff, experts advised delegates at the seminar.

Read more on Datacentre disaster recovery and security