Grazed from BusinessCloud9. Author: Pat Phillips.
Whatever your view of Cloud computing, there’s no denying the fact that it’s a game changer for the IT industry, enabling companies to be more flexible, reduce costs and save time. Conservative estimates from IDC predict that the global market will reach about $55 billion by 2014. However, a recent survey by the Cloud Industry Forum paints a different picture, and found that the Cloud adoption rate in the UK is currently only around 53 per cent. With the clear advantages of using the Cloud, it’s difficult to understand why more UK companies have not joined the Cloud Computing revolution and sent adoption into the mainstream.
Even though the number of Cloud advocates continues to rise, there is still a significant number of UK companies that have niggling concerns over the security implications of moving to the cloud. A recent study by Vanson Bourne found that only 10 percent of the 250 UK CIOs surveyed were ‘completely confident’ about the security and efficiency of third party Cloud Computing services providers. The concerns are driven by the perception that holding data in a third-party data centre means compromising on security, control and access. Indeed, many are worried poor security could result in their data being lost or stolen, reputation damaged, or, worse, a security breach that would allow competitors to gain access to highly sensitive information…
In addition to the security fears, a move to the Cloud can also mean new regulations to abide by. The latest EU data protection rules state that customers have the right to have their data deleted, and that companies and organisations must notify the national supervisory authority of serious data breaches within 24 hours. If companies violate this, the EU is being empowered to fine companies up to €1 million or 2 per cent of their global annual turnover.
For this reason, Cloud adoption can often feel a little like being in a 200-metre hurdle race – after the gun goes off, there’s an ever-increasing number of difficult barriers to clear. For the most part, the biggest hurdle in this scenario is a systemic lack of trust from CIOs around the safety of some Cloud providers and their solutions. As a result, a number of companies are holding off on moving to the public Cloud as they are yet to be convinced it’s a safe place for their mission-critical applications. So, what’s the answer to getting UK businesses to hurdle the security barrier and reap the rewards that await on the other side?
Whose job is it anyway?
In recent months, Cloud vendors have become even more determined to ensure that the Cloud is a trusted environment in which organisations can do business. However, all too often, Cloud providers only deliver a token response to demonstrate their security credentials, with many providing little more than a whitepaper on the subject. Even more confusingly, we often see the line blurred between different Cloud providers and Cloud subscribers regarding who is actually responsible for security in the first place.
For instance, it’s commonplace for IaaS (infrastructure as a service) subscribers to take ownership of the security around their Cloud operations. However, PaaS (platform as a service) and SaaS (software as a service) subscribers often do not need to take on quite as much in terms of managing the security infrastructure components themselves and can leave some of this up to the Cloud provider. Understandably, this can be very confusing for CIOs in terms of managing both who is responsible for their company’s security and ensuring that the correct checks and balances are in place. With this in mind, I would always recommend that subscribers collaborate very closely with their Cloud service provider on security, especially in areas such as identity and access management.
Building on strong foundations
To overcome their security fears, CIOs must learn to view Cloud security as predominantly about visibility and control, with the right to a security audit included as a bare minimum in all service level agreements (SLAs). This would make it significantly easier for organisations to keep an overview of where their data is going and provide access to logs and backups for both regulatory compliance and the capability to perform forensics for audits.
Crisis, what crisis?
CIOs should also be asking their Cloud provider if they have a crisis strategy in place for when things go wrong, and conduct due diligence on how it will work in practice. Defining roles and responsibilities should follow, so that there’s no ambiguity when it comes to who is in charge of each area of security. In other words, the same best practice procedures that are applied to the rest of the company should be incorporated into the Cloud provider negotiations. If it’s felt that the provider does not have a comprehensive strategy, then CIOs must learn to walk away and find one that does.
To sum up, Cloud Computing represents a dramatic shift in technology and IT management and thus brings with it a host of benefits and advantages. This shift can only be realised, however, if UK providers and subscribers ensure that security is top of the agenda. As long as CIOs ask the right questions about security strategies, make sure they have defined roles and responsibilities and have the right to audit in their SLAs, then Cloud adoption rates in the UK will soar – and organisations will become far more confident about hurdling the security barrier.