How contract issues impact cloud security and 4 things you can do about it

Learn how IT managers can break down barriers to understanding cloud security responsibilities.

Why security is the top barrier in enterprise cloud adoption

Cloud vendors have invested significant resources and effort into securing the cloud—not only in procuring tools and technology for security, but also in obtaining certifications from outside auditors and agencies. Yet enterprises and small- and medium-sized businesses continue to experience anxiety when it comes to cloud security.

"A major area where organizations experience problems with cloud computing is understanding where a cloud provider's responsibilities end and where the enterprise picks up," said Brian Wood, director of cloud marketing for Teradata. "Many companies we speak with have a good understanding of how to deploy their applications and data in the cloud, but they are unsure of the security responsibility. Yet, if you look at cloud providers' contracts, the security responsibilities are clearly delineated."

However, few contracts are thoroughly read by IT, especially when it gets down to the fine print of where security responsibilities are often defined. This is precisely where CIOs and IT managers need to step in to ensure that security responsibilities and handoffs are clearly understood by IT and vendors—and that the appropriate handoffs are made in any security situation.

How can IT managers break down barriers to understanding cloud security accountability? Below are four examples.

1. Vet vendors

Because it is so easy to deploy in the cloud, end-business users often engage cloud vendors without IT's knowledge. While this strategy might speed application time to market, traditional IT responsibilities like security can get cast aside.

"This is problematic because end users may not possess all of the security and cloud vendor vetting skills that are needed," said Wood.

One solution is to have a corporate cloud (or any IT) procurement policy that requires IT, and possibly legal, to vet vendors for security and other IT elements such as integration before any contracts are signed. The company's C-level executives should support and enforce this policy without fail.

2. Bring in legal

An IT security team is great at assessing vendor security, but it might not understand the legal liabilities and contractual limits of what a cloud vendor says about security. An attorney or a legal/compliance person in the company will understand them, and those legal folks, as well as IT, should review contracts with cloud vendors before they are signed.

3. Define all governance

"Organizations should have strong business and IT governance standards and policies in place before they sign up for cloud services," said Wood. "The elements of governance should address security of systems and data, but also the needs of the business, the needs of IT, and the costs of the service. In many cases, we have seen organizations that are anxious for time to market with cloud, but they actually end up deploying in the cloud before they are ready. They could have benefited from taking deployment a little slower, and making sure that they had all of the governance defined and communicated to the cloud vendor as service requirements."

4. Bring in finance

Although cloud costs are not part of security, they can impact cloud investments. The cost models used by cloud vendors are complex, and many end users and IT groups don't understand them. As a result, companies get surprised by unexpected cloud cost overruns.

"This is an area where finance, which has the ability to understand the complex cost formulas, can be a tremendous help," said Wood. "As part of any cloud cost study, finance should be a key player."
