The pace of Cloud Computing deployment is outstripping the reach of enterprise security policies and practices.  That was one of the stark warnings emerging from two studies by EMC's RSA security division which address the increased risks posed by Cloud-based services and social networking.

The reports findings – based on responses from 100 security chiefs - were that companies are under increased pressure to cut costs and are turning to a variety of Web-based services, from online collaboration tools to social networking platforms, without considering the increased risks they pose and in some cases failing to inform IT security.

Nearly half of those surveyed either have enterprise applications or business processes running in The Cloud or are beginning migration in the next 12 months, but  two-thirds do not have a security strategy in place for Cloud Computing. More than 8 of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks.

"The rapid adoption of nascent Web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organisations and information assets," said Art Coviello, executive vice president at EMC and president at RSA.  "There is a gap between the adoption of new technology and the ability to secure it, but just because we'll never have perfect security, that doesn't mean we should stick our heads in the send and hope for the best.

"Everyone on the IT team should have a basic idea of best practices. They think they're saving money or being faster to market when they rush it but they'll pay more money later to retrofit security in than they would have had it been a part of the project from its inception."

Seven steps to security

The Security for Business Innovation Council - a group of 10 security executives chosen by RSA from JP Morgan Chase, Motorola, EMC's own CSO, eBay, CSO Confidential, Time Warner, Genzyme, Diageo, Cigna, and Novartis -  has identified seven ways to properly address the threats posed by Cloud-based services and have a strategy in place to protect against data leakage.

They include the need for security professionals to communicate their value or risk being ignored when the company turns to external service providers to cut costs. Security needs to be involved in assessing external service providers to examine their capabilities, performance and how they fit into the company's current environment, warns the Council. Security professionals also need to work with the business to create a transition plan for the use of Cloud Computing.

"Looking forward, security services in many enterprises will be delivered by an internal team in conjunction with a tightly-integrated supply chain of vendors and external service providers," according to the report. "This will require the internal team to determine their set of security offerings and then honestly assess their own internal capabilities."

Thinking again

All of this will mean a re-evaluation of security practices for many firms. "We need to develop an intelligence capability so we know what's coming and we can prevent things from happening in the first place," Dave Cullinane, CISO and vice president of eBay Marketplaces said in the report. "It means moving to a more preventative security model and being able to share information with each other. Building a new model of security means being rapid, flexible and adaptive.”

Dr. Paul Dorey, director of security consultancy CSO Confidential, said :"The ability to define the perimeter of the enterprise has now firmly disappeared. That's both in a technical and business sense, with the level of third-party workers, outsourcing, supply chain, and 'in the cloud' services. All of these are making it much harder to define where one enterprise ends and another begins.”

Claudia Natanson, chief security officer at brewery giant Diageo, said there was a need to stop and think. “When we have such a rapidly-changing environment, we need to absolutely cry, ‘Time out!’,” she said. “We need to step away from it, and we need to examine if our programme has all the right gears. Why are the risks increasing? Without a doubt, it is the pace of change in the environment. You can wake up tomorrow and a risk that wasn't there yesterday is there today. There is no period of development; there is nothing necessarily on the horizon that will let you say, 'I can see what's coming'.”