The Global State of Information Security Survey conducted by PwC makes for some interesting reading in the context of data security. In my previous post I discussed the location of data as a key stumbling block to the acceptance of cloud computing, but this survey shows that organizations are not doing particularly well so far, cloud or not.
The highlights for Financial Services have an interesting statistic: "most sector respondents (54%) report their organization does not have an accurate inventory of where personal data for employees and customers is collected, transmitted and stored". So if your bank advertises that it complies with the Data Protection Act, or any other regulation, it is probably blowing smoke up your... never mind. Which, while worrying, is hardly surprising. In my experience the gears in the financial services engine are driven by Excel spreadsheets, which can end up anywhere, and besides, we know that financial services have a tendency to spread our data around to 'partners' who try to sell us more financial services than we want or need.
The numbers get worse with healthcare, where "62% of provider respondents report that they do not have an accurate inventory of where personal data for patients and employees is collected, transmitted, and stored". Considering that healthcare providers store a lot of very personal information (personal as in you wouldn't want your mum to know), it is a worrying statistic. Would you, as a tech-savvy person, prefer to have your personal health history in the hands of those people, or locked away in a Live Mesh folder where you can approve, marshal and decline requests for small, bite-sized chunks of relevant information? Personally I'd be happier managing that myself in the cloud than having a bunch of buffoons copying it to CD and leaving it lying around.
The anti-cloud noise quotes regulatory compliance as a big reason for not adopting the cloud, yet most respondents (44%) don't do any compliance testing. So if they are not testing their existing systems and processes for compliance, how much do they really care about compliance in general, and is it a valid reason for excluding the cloud?
Advocates of cloud computing should be highlighting the benefits of cloud computing with respect to the security of data instead of running away from the issues. With a cloud provider, you may get a clear, audited statement about the arrangement with your third-party supplier (who stores the data), or at least one that is clearer than existing arrangements. A cloud provider can be clear and confident about encryption, auditing and non-repudiation, and detailed reports, audit trails and case history can be provided to back up those claims.
Of course, putting data into a secure place in the cloud does not guarantee that security issues are resolved. Retrieving data from the cloud into a spreadsheet that can be saved to a local disk presents a weakness in the security chain. Cloud architects need to help the business understand all the issues and help build new application architectures that are fundamentally more secure simply by the way that users and administrators interact with the system.
Although in the cloud you may not know exactly where your data is, cloud-based systems where you can say that the data is only in this part of the cloud, and nowhere else, should dramatically reduce data location and security concerns.
Simon Munro