These issues have happened over and over, so they're likely to happen again, Heiser said during a webinar hosted by Gartner this week. Despite this being one of the biggest concerns for cloud users, Heiser says only half of the companies recently surveyed by Gartner had a process to evaluate their business continuity processes. He adds that security breaches should not be ignored, but the more pressing concern is business continuity.
The cloud industry is slowly addressing these concerns, but vendors, users and third-party bodies that are attempting to push cloud security improvements could all be doing more, he says.
Vendors have been reluctant to address security and recoverability from data loss in service-level agreements (SLAs), he says. "It remains a common complaint that cloud service providers are being ambiguous around what they're specifically doing to protect customers," he says. Some providers say they do not divulge such information because doing so could itself represent a security threat. Providers often claim a high level of availability and confidentiality for users' data, but Heiser says they provide little evidence for customers to verify those statements.
Buyers could do more too, though, he says. One of the first things users need to do is classify which data really needs to be protected. Incomplete or nonexistent data classification is a common problem. "If the buyer doesn't know what the security requirements are for a specific piece of data compared to other data, it's difficult to assess whether the provider can provide adequate security," he says.
Third-party organizations are working to create standards and certifications for this area, but Heiser says those are still weak at this point. The Cloud Security Alliance, for example, has undertaken broad measures to address a variety of topics, but he questions how deeply those efforts have drilled down into specific areas.
FedRAMP is a federal government program that seeks to establish a common set of security criteria for each cloud provider the federal government uses, but it's in the early stages and may not be operational until 2014, he says. "We're beginning to get a glimpse of what we need," Heiser says, but more work is needed to have standard controls, evaluation practices and global consensus. Buyers are in the best position to put pressure on vendors to be as transparent as possible on these issues, he adds.