"Despite some of the concerns, only 29% of the companies in the study say they engage in a heavy or comprehensive review of the cloud service providers' security practices," Herbert says.
In the study, 50% of respondents say they either sometimes or rarely/never assess the geographic location of a cloud provider's data centers. A further 46% say they either sometimes or rarely/never assess the regulatory compliance of cloud providers. And 44% say they either sometimes or rarely/never assess a provider's identity and access management.
This can lead to some unpleasant surprises, according to CompTIA.
"Recently, the City of Los Angeles and Google learned the hard way what happens when an uncertain regulatory variable is introduced into a cloud deployment," CompTIA says in its 9th Annual Information Security Trends Study. "LA had to alter its plan to shift 30,000 city employees to Google Apps when it was discovered that Google Apps was not fully compliant with the FBI's security requirements for connecting to the Criminal Justice Information System (CJIS), a clearinghouse of law enforcement data administered by the Department of Justice."
CompTIA adds, "This is one notable example of what is sure to be a more regular occurrence - organizations making the transition to the cloud only to discover a security-related element that forces a change of plans. As the cloud model matures, some of these issues may naturally work themselves out, but in the shorter-term, IT solution providers and cloud vendors can provide a valuable service in reducing the likelihood of these types of situations. Longer term, third party assessments of cloud service provider security policies, procedures and capabilities may become standard."
Securing the Cloud
In the meantime, security vendors are determined to make the cloud a trusted environment in which organizations can do business.
"The real challenge is that companies need to move to the cloud," says Dave Canellos, CEO of Toronto-based PerspecSys, a provider of privacy, residency and security solutions for the cloud. "This isn't a fad. It's really about how you manage that responsibility and ensure that you protect the information that you are now managing."
Nicholas Popp, vice president of product management and development at Symantec, acknowledges that the cloud is not quite up to par with on-premise installations when it comes to security. But he also says he believes the time is rapidly approaching.
"The cloud eventually will be more secure," he says. "Security as a do-it-yourself operation is getting more and more difficult."
Popp predicted that within three to five years, the cloud will be the more secure environment for small and mid-sized businesses (SMBs), while the horizon for larger enterprises is probably in the 10-year range.