Depending on whom you talk to, cloud security is either the industry's biggest oxymoron and won't be resolved anytime soon or it's no big deal because cloud vendors typically have tighter security than do any of their customers.
Wherever you fall on that continuum, the notion of security comes up as a key concern in many surveys on the topic, so it's clearly top-of-mind at most IT shops. There are a few security standards initiatives that might eventually help clear up matters (see sidebar below), but those are a long way from being ready to implement.
One thing is clear, experts say: Don't assume anything before doing your own due diligence. "It would be nice to think the vendors are doing a great job [of protecting the data] and they are building a highly robust application framework that provides a high level of security," says Jay Heiser, an analyst at Gartner who studies risk in the enterprise and regulatory compliance.
Indiana University's Cate says a solid approach to dealing with a new security problem like iPad access to company systems is to do a security audit as part of the deployment. One outcome of the security audit, he says, is that you might discover some of the unknown risks, such as relying too heavily on one strategy. "The more data you put in one place, the bigger target you paint on your back and the more you make it worth someone's time to attack you," he says.
Also, the security evaluation must be granular and look at specific devices like an iPad or smartphone, along with data stores and strategies, he says. This can mean using automated risk management tools and assessing the risk. For example, United Airlines employees will use the iPad mostly for communicating company news initially. If executives decide to deploy the tablets to ground crews at security check-ins, the company should assess the overall risks of doing that, Cate adds.
Robert Keske, the CIO at Nice Shoes, says there are times when clients want to participate in an informal viewing session to see how work is progressing.
The video is streamed over the cloud, but the company controls the security and quality. There are two important considerations. One is obvious: the company does not want anyone to steal the raw footage. The second criterion is that the quality of the streaming video seen by a client in LA or across the globe has to match what the creators see in the New York office in terms of resolution and color.