More than 80 percent of businesses that are using cloud computing service providers aren't assessing how these firms ensure the data is kept private, says Deloitte.
It's unclear whether that's because they lack the means to make sure cloud providers are actually protecting data the way they say they will or whether businesses don't have the processes established to conduct evaluations, the firm said in a report entitled 'Enterprise@Risk: Privacy & Data Protection Survey'.
It could be that managing cloud vendors is still a new game to corporations, and they haven't matured the process, Deloitte said. Or it could be that it is just too difficult to test and audit providers' cloud environments to see whether they measure up, so the job doesn't get done.
But the bottom line is that the corporation whose data is breached is ultimately liable for the breach, not the service provider that agreed to protect it adequately, says Rena Mears, partner and leader with Deloitte's security and privacy services.
Mears urged businesses using cloud computing services to perform ongoing risk assessment of the data that is trusted to the cloud. Data should be classified for its sensitivity and regarded as a business asset from which the business is trying to derive the maximum return.
Business executives need to weigh the cost savings and benefits of moving data to the cloud against the potential risks that it could encounter in providers' clouds, she said.
It's not that business executives are ignoring problems; they have a lot of new circumstances on their plates that they have not dealt with before. "The marketplace is changing and companies are adapting to data flows in more places to achieve more objectives in complex regulatory environments," Mears said.
Cloud computing isn't just being added to a static business environment, she says. Rather, the environment is changing rapidly, with rising costs, data moving globally and regulations that are getting stricter, more numerous and that can change from country to country.
Still, concern about enforcing regulatory and contractual requirements is not the top concern businesses have about cloud computing; it's protecting corporate intellectual property. Thirty percent said they worried most about intellectual property, with 20.7 percent citing the ability to enforce regulatory and contractual requirements ranking Unauthorised use of data ranked third with 15.1 percent.
The number of businesses facing these questions today is significant and growing. According to Deloitte, nearly 45 percent of respondents have already bought cloud computing services and 22 percent say they are considering them.
Customers of these services use them for data storage (27.7 percent), email (12.8 percent) financial applications (17 percent) and database applications (16.1 percent).
Mears said she expects that the industry will come up with acceptable approaches for managing data in the cloud so it is treated in accordance with business and governmental regulations.
The International Organisation for Standardisation, the National Institute of Standards and Technology and ad hoc groups such as the Cloud Security Alliance are working on frameworks for enforcing privacy and protection of data in the cloud.
See also: Open Cloud Manifesto details emerge