Ernst & Young Sees Risk in the Cloud

November 1, 2011

Ernst & Young has released a new survey that indicates persistent security threats at organizations despite the move to cloud computing at many companies.

In a survey of nearly 1,700 information security and IT leaders in 52 countries, the firm found that 72 percent of respondents see an increasing level of risk due to external threats in the last 12 months.

E&Y found that no single technology or process is able to stop advanced persistent security threats, and traditional security methods are proving to be ineffective against such threats. Protecting against the threats requires organizations to put in place several layers of defense.

Among the targets of such threats are government contractors, technology providers and manufacturers. Fifty-nine percent of the respondents to E&Y’s survey expect their information security budget to increase over the next year.

Uncertainty about security extends to newer technologies such as tablets and cloud computing. One in five respondents to the survey said their organization does not currently permit the business use of tablets and has no plans to change that policy over the next year.

However, organizations have been using cloud computing. Sixty-one percent said they are either currently using cloud computing, or evaluating or planning use of the cloud within the next year.

But more than half said they have done almost nothing to mitigate the new or increased risks related to the use of cloud computing. Those strategies could include increased due diligence of service providers, stronger identity and access management controls, encryption techniques, and onsite inspection by a security or IT risk team.

E&Y recommends choosing verification above trust of cloud service providers and understanding who owns the risks before entering into a cloud services agreement.

Organizations still need to use the standard security processes and techniques they have used in the past, even when they are outsourcing to a cloud technology provider, and they need to continuously assess the risks to comply with regulations and industry standards.

E&Y is planning to host a webcast featuring the firm’s information security professionals on Wednesday, November 2, at 11:00 am EDT. For more information, visit .

Comments (3)
Nonsense! The risks remain the same and the only difference is by whom they are addressed.

Let's see. For the non-Fortune 100 crowd, who is your IT professional? What are their credentials? It is naive to believe that a non-tech business, even in the Fortune 100 category, could attract and afford to employ the rock-star developers, security specialists, white-hat hackers and operational staff that a Google or an Intacct can. It's pretty simple. The economies of scale and focus on core competency (operational excellence, technical capability) lead to a small/medium business being able to afford resources they could not would they have to do them on their own.

Not trusting the cloud, in general, is analogous to not trusting the water supply or the power grid. The answer lies in service levels. Your cloud provider should publish uptime, response time and offer a contractual Service Level Agreement (SLA). As well, you will be best served by purchasing services from your cloud provider as opposed to infrastructure or "hosting". Those who provide true multi-tenant Software as a Service (SaaS) will be more likely to provide far more robust applications than those who simply take a legacy application and host it on your behalf.

In summary, the risks are exactly the same, but leveraging the cloud allows you to, through economies of scale and increased focus on core competency, experience both enhanced security and better service. But, choose your providers carefully.
Posted by SingerLewakSys | Tuesday, November 01 2011 at 2:47PM ET
I have to agree with E & Y. To be more specific, my clients' data is already hard enough to protect from threats storing data on site. To allow this data to be floating around in cyber space both tax and accounting would be irresponsible on my part. If the government (defense, state, etc.) cannot keep themselves from being hacked into, what makes these cloud computing companies believe they can protect my client data? To be safe and responsible for my clients our data will remain in our file server. If the client wants to trust cyber space he/she can take that risk alone. Do our E & O policies protect us from off premise data storage cyber intrusion?
Posted by Mike1956 | Tuesday, November 01 2011 at 11:30AM ET
I would like to suggest that your caption "Ernst & Young Sees Risk in the Cloud" is misleading and may mischaracterize a new and promising technology. The summary you provide of the Ernst & Young survey says the cloud has risks just as other mediums of electronic exchange have risk. Yet the caption implies the cloud has extraordinary risks based on its design and habitat. Please consider re-wording the caption for future readers?
Posted by | Tuesday, November 01 2011 at 11:09AM ET