The rapid-fire adoption of cloud computing might offer real advantages for small and mid-size businesses, but it also carries significant risks.

Too often, organizations simply aren't keeping up with the cloud services their employees are using, according to recent research by the Ponemon Institute, an independent think tank focused on privacy and data security, and CA, Inc., an IT solutions provider. More than half of the IT personnel surveyed in the May study said their organization isn't aware of all the cloud services employees have deployed, and less than half said that cloud services are evaluated for security before use.

"I think it shows a potential security meltdown in using cloud computing," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The IT people and the security people are miles away from the users who are deploying these applications and these technologies."

A boon to small businesses

Cloud solutions offer "revolutionary potential" for small and mid-size businesses, says Mark White, chief technology officer for Deloitte Consulting LPP's Technology practice. Flexibility when it comes to contracts, pricing, scale and demand enables small businesses to take on larger competitors.

"The cloud is a real boon to small business. The cloud can be a disruptive force that can help small businesses punch bigger than their size," says Charles Babcock, author of Management Strategies for the Cloud Revolution: How Cloud Computing Is Transforming Business and Why You Can't Afford to Be Left Behind  (McGraw-Hill, 2010). "The cloud overturns the established way of doing things."

A cloud checklist

Understanding how your employees are deploying cloud computing and establishing some sense of control are critical to managing security risks, say experts. Consider taking these steps to get a handle on your cloud computing presence:

  • Conduct a cloud inventory. Evaluate all activity your organization is conducting in the cloud. It's not just a matter of cataloging cloud services embraced by your IT department or at an enterprise level, cautions Babcock. Just because you haven't embraced cloud computing doesn't mean your employees aren't working in the cloud.  White often has conversations with CIOs who tell him their organizations don't use cloud computing, only to find the company's employees are doing so. Quite often, end users look to get their job done in the easiest way possible. "For employees, some enterprise issues of standardization, information privacy and security may not be at the top of their list," White says. Be aware that employees might be reluctant to reveal what they're doing in the cloud if they know they're violating company policy or taking risks.
  • Become the preferred storefront. Making sure your employees go through your IT department gives you a tighter control on security. "Understand those services your organization might want or benefit from, subscribing to the public cloud," says White. "Build a services catalog so it's easier for them to come to you to get that service fulfilled."
  • Establish a cloud computing policy. Management, IT, and end users should have an understanding of when it's appropriate to work in the cloud. In the Ponemon survey, 68 percent of IT professionals thought cloud computing is too risky for financial information and intellectual property. In some instances, your company may be in violation of government regulations if certain data is sent out to the cloud. Sensitive information such as employee personnel records, social security numbers and medical information could be at risk in the cloud. "When you send your data to the cloud, you don't know exactly where it's going," cautions Babcock. "It's not a very good defense for the CIO to stand up in court and say, 'I had no idea where the data was.'"
  • Vet cloud service providers. Eventually, cloud service providers will likely be able to provide some third-party authentication of security practices, predicts Ponemon.  Meanwhile, it's up to you to properly vet the cloud providers your company uses. While the emphasis has generally been on cost, you should be asking questions about the co-mingling of data, the security of data centers and whether cloud service providers conduct background checks of employees. "The cloud service provider should be a close and trusted business partner," Babcock says. "If you don't feel that way with the cloud vendor you're talking to, you probably need to go back to the drawing board and find someone you can trust."

Although cloud computing might pose something of a "security minefield" right now, businesses have little choice but to catch up with the technologies their employees are embracing, says Ponemon. "We're not going to stop the train. It's going pretty fast here," he says. "We know cloud computing is the future. If you're not doing it, you're going to be left behind. We have to figure out what to do with the risks we've already created."