IDC Canada recently published a study highlighting how IT security fears may be inhibiting Canadian enterprises’ business agility and competitiveness. IDC and TELUS Enterprise Cloud Study, 2012: Three Misconceptions Curb Competitiveness sheds light on the concerns of leading Canadian businesses reluctant to implement nontraditional IT delivery methods, including public cloud-based SaaS applications, despite evidence these solutions can improve productivity, efficiency, and adaptability. Based on IDC’s research, more than 85% of the Canadian enterprises surveyed have significant concerns about public cloud security. The executives surveyed ranked security considerations based on their level of importance, and the top three among them:

1. Data encryption — Is data encrypted at rest, in transit and in use?
2. Data access – Who has access to data?
3. Data residency – Where does the data reside?

Despite the executives’ ranking, IDC authors suggested other concerns – data disclosure, ownership, migration, repatriation, disposal, and archiving – will be more worrisome and difficult to overcome. The report acknowledges that data access can be difficult to manage, particularly when cloud providers need to view data subsets that could contain sensitive information, but suggests that time and effort are all that are needed to overcome this obstacle. And even though the data residency issue tends to be a “showstopper” for many organizations, the report implies that fears about this concern are exaggerated and not always well-founded even with legal and industry requirements at play. On the contrary, one only needs to visit the website of the Privacy Commissioner of Canada and search for “Patriot Act” to witness both the volume of concern and the depth of legal analysis on the topic that quite legitimately continues to this day.

Indeed, CIOs, IT security experts, and compliance departments are reluctant to sweep away these genuine concerns as “misconceptions.” In reality, data security, access, and residency are valid challenges that companies need to address when considering cloud applications. The increased reach and sophistication of cybercriminals, as well as the enormous range of differences in international privacy laws dictate that these issues are here to stay.