A new study by Symantec and the Ponemon Institute reveals that an alarmingly low number of organisations have procedures in place for approving cloud applications that use sensitive information. But one security expert warns the study assumes cloud computing is not secure when, really, the jury is still out.

The study shows that only 27 per cent of IT professionals surveyed said their organisations have procedures and policies for using cloud computing. The sort of rudimentary process typically seen is based on word of mouth, said Larry Ponemon, chairman and founder of the Ponemon Institute. "If your friend at company X tells you this is a really good product for sales force automation because I see their name on the side of the building, they must be good," said Ponemon.

The study is based on surveys with IT professionals regarding cloud computing procurement practices. The study also revealed that only 20 per cent of those surveyed said information security teams are regularly involved in the decision-making process, and 68 per cent said end users and business managers are made responsible for evaluating cloud computing vendors.

Ponemon said the issue has moved from the conventional world of people, process and checklists to the new cloud computing world where the usual due diligence is often bypassed. "Now we have end users making business decisions and procuring technologies that may be in the sensitive and confidential arena," he said.

Francis Ho, security expert and executive committee member of the Federation of Security Professionals (FSP), points out that the stats are initially alarming if one assumes cloud computing is fraught with security risks. "But if you are presupposing that cloud computing is secure, then (the numbers) don't surprise me," said Ho.

Ho said many large companies he's come into contact with don't even have an approval process for traditional applications.

As for the high percentage of line-of-business users tasked with cloud vendor assessments, Ho said cloud computing vendors will naturally push the technology by touting how secure it is. And if line-of-business people are drawn into that vendor marketing, then naturally they won't think to liaise with the information security folks. "Why would I involve the IT folks if I want to buy laundry services for my shirts?" said Ho.

Brian O'Higgins, a security consultant, said the lack of procedure could also be a result of cloud computing being relatively easy to use without the usual hassle of implementation and training. "It's like if you want to plug in a toaster you buy a toaster and plug it in the electrical outlet. But if you have to wire in the outlet you wouldn't do it," said O'Higgins.

A new security issue that comes with cloud computing, said O'Higgins, is one of classifying or labelling data. If it's sensitive information then it must have a policy dictating how it's treated.

The cloud is forcing organisations to rethink the processes and people involved with data storage and management, said John McGee, vice-president of product marketing with security software vendor Symantec.

McGee suggests organisations ensure they have the right employees and security approaches, and give attention to compliance issues when dealing with the cloud. "It's making sure the right people are involved in the process early on. It's not just an upfront process but an ongoing management of that cloud vendor," said McGee.