Despite the progress that has been made in developing cloud security and convincing enterprises that their data is safe, many enterprises are still avoiding the use of software as a service (SaaS) for critical or sensitive data, defined as "data concerned with confidentiality and secrecy," according to Gartner.

The Gartner research also shows that organizations that need to share data or content with third parties have a number of different approaches to risk management.

Data Storage, Business Partners

Digging deeper into the research, entitled Survey Analysis: Assessment Practices for Cloud, SaaS and Partner Risks, 2012, it also seems that business-critical information is still being stored on-premises rather than in the cloud.

This is reflected in the fact that as cloud vendors continue to push the virtues of cloud computing, particularly in terms of backup and disaster recovery, many enterprises still seem unwilling to hand company data to third parties or outsourced data centers.

The research questioned 425 respondents from IT risk management disciplines in the US, UK, Germany and Canada between December 2011 and January 2012.

It shows that, generally speaking, enterprises will entrust sensitive data to cloud providers before business partners.

According to Gartner, 38 percent of organizations say they have a policy of not sharing "sensitive data or processes" with business partners. This compares with 29 percent for outsourced data center providers, 26 percent for software-as-a-service providers and 20 percent for platform or infrastructure-as-a-service providers.

“This year we asked about both data availability and data confidentiality policies. Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it,” said Jay Heiser, research vice president at Gartner.

Data Outsourcing?

But it’s not just that they won’t put data in data centers; they actually have an active policy of NOT putting mission-critical data into an outsourced data center, saying that a policy of avoiding such centers was the most secure way of protecting data.

This is significantly higher than for either of the other two service models. Twenty-nine percent said this policy applied to SaaS, and only 22 percent said it applied to IaaS/PaaS.

In terms of assessing the security of outsourced data centers, the number of companies sending company staff to evaluate data center controls has dropped by over 40 percent over three years, with the use of standards-based questionnaires increasing. If you are interested in more on this, the full (paid) report is here.