Two Australian CIOs are taking a cautious approach to cloud computing, citing fears about the security of cloud service providers.
Speaking at the Security Insights forum - hosted by CIO and CSO - Ramsay Health Care CIO Mick Campbell said that the health provider has taken a conservative approach to cloud computing. So far the organisation has only put its email system into the cloud.
Campbell was speaking as part of a panel, which also included Australian Power and Gas' CIO Phil Ridley, BRM Holdich's director of information security and IT assurance, Jo Stewart-Rattray, and Atlassian's director of security, Craig Davies.
“We have not entertained putting patient data into the cloud yet,” said Campbell. “There is no legislation that prohibits that, we just thought of the reputational damage that we could incur as a result of patient data getting released.”
“When you have data within the organisation you can apply a certain level of security to it. When you give data to a cloud provider, you expect a high level of security but we have seen incidences where that is not the case.”
With so many organisations dumping their data into one cloud provider, he said that it becomes a “honey pot” for criminals.
“If patient data gets leaked we’re going to be hitting the front pages of the newspapers and we want to avoid that.”
Australian Power & Gas CIO Phil Ridley said that customers want access to their electricity or gas usage online. However, this also means that there is a lot of customer information that would be of value to cyber criminals, so this data is not stored in the cloud.
The company underwent a data transformation program two years ago and looked at cloud versus traditional infrastructure.
According to Ridley, it worked out cheaper to have a traditional data centre running a virtual environment. However, it does use the cloud for disaster recovery as a service. “While cloud computing is cost effective in many ways, it does not have the trust and flexibility that we need. We decided that it was too risky to put our primary data into the cloud,” he said.
Meanwhile, BRM Holdich's Jo Stewart-Rattray shared the example of a regulated company which hosted its human resources data in the cloud.
“They had no idea where it was located or if the data was encrypted,” she said.
“It was later discovered that this information was passing to a cloud environment somewhere out there in the world. Had the regulators got onto it, there would have been huge problems.”
Atlassian's Craig Davies said that the company he previously worked for, Cochlear, was a heavy adopter of cloud services. However, Davies questioned where the data was and how it could be protected.
“The government regulators are so far behind that this is causing unnecessary pain for health providers. I have had discussions with health organisations overseas and as soon as you mention the word cloud, they shut up shop,” he said.
The CIO and CSO Security Insights forum was sponsored by IBM. Follow Hamish Barwick on Twitter: @HamishBarwick