With companies increasingly shifting to the cloud for their data center needs, cloud security policies have been getting more attention — especially with cyberattacks intensifying. While the majority of companies using the cloud have security policies, an alarming number do not, according to a Cloud Security Alliance report.
Out of the companies surveyed, 25.5 percent said they did not have a cloud security policy. And 6.4 percent weren’t sure if their companies had such a policy.
Another recent study, this one by the Ponemon Institute, found that about 50 percent of all cloud services are not governed by the companies’ respective IT departments. However, 54 percent of the 3,476 IT officials surveyed said they had a good handle on “all the cloud computing applications, platforms or infrastructure services in use.” That’s a 9 percent increase from the rate in a 2014 survey.
Also, the study revealed that 73 percent agreed with the statement that it is more challenging and complex to manage privacy and data protection regulations in the cloud than it is at physical data center locations. A minority of the respondents — 43 percent — said their companies had specific roles and accountability outlined for safeguarding sensitive information in the cloud.
Managing risks in the cloud
In light of these more complex challenges, companies should take steps to boost the security of their data in the cloud.
For example, it’s important to develop and regularly update policies and practices for securing access, ensuring that all employees, APIs, servers, and applications have assigned identities and access levels. The process should include developing strong authentication standards and passwords. Also, regular training of employees is a critical component in best practices.
In addition, it’s important to identify who is responsible for managing these security policies and practices. Also, clearly determine the responsibilities of the company and the cloud vendor in providing security. For example, the company should be responsible for the security of the data and how it is used, while the vendor should take responsibility for managing the security around the data, according to Seth Robinson, director of technology analysis at CompTIA.