Taking up cloud computing undoubtedly introduces new risks into the enterprise. Systems that were once under the complete control of the IT department are supplemented or replaced by infrastructure under the management of a third-party service provider.
Enterprises are still concerned about cloud security, especially data storage location
As such is it unsurprising that concern about cloud security persists as a foremost obstacle to remaking IT. When an enterprise is wary of public cloud computing services, security is typically a big reason why:
- A 2014 Internap survey of organizations in healthcare, software, media and other industries found that, among the ones not exploring public cloud at the time, 40 percent cited security as an issue. Among actual users, though, security significantly trailed performance, compliance and scale.
- A SecureData study from 2013 discovered widespread lack of trust in cloud security among IT managers. Seventy-eight percent of respondents stated that perceived security inadequacies were the top impediment to cloud adoption, leading 59 percent of them to be receptive to fully outsourced, managed cybersecurity solution services.
- According to Lieberman Software's 2014 Cloud Security Survey, 80 percent of IT professionals keep some sensitive data on-premises due to worries about its safety were it stashed in the cloudthe safety of its location. A similar portion feared that applications in use among employees could jeopardize network security, and more than one-third cited surveillance as a deterrent to cloud uptake.
Ensuring cloud security is multifaceted. Stakeholders have to pay attention to whether data is encrypted or not, where it is stored (each nation may have its own applicable regulations), who takes responsibility for implementing the mechanisms that protect it and what happens if it is compromised in a breach.
Following last summer's revelations of the extent of the U.S. National Security Agency's surveillance programs, the cloud security conversation shifted to location. Enterprises became newly aware of the dangers of sending data to cloud infrastructure that could be under the watch of intelligence agencies.
Countries such as Brazil went so far as to propose siloed national Internet infrastructure that would bypass U.S. servers and theoretically block spying. But how well-grounded are such actions? Could organizations be focusing their energies on more pressing aspects of cloud security?
Fixation on where cloud data is stored may be counterproductive
One of the chief benefits of the cloud is the ability to obtain compute, storage and networking resources, or even fully-featured software solutions, via virtually any machine with an Internet connection. Naturally, enterprises have taken advantage of this perk by setting up remote teams or sharing materials with teams in other countries. Large companies such as The Weather Channel have at times turned to outsourced contractors that can provide experience and expertise at lower expense than in-house personnel.
However, such arrangements reveal possible inconsistencies in prevailing enterprise attitudes about cloud security. While organizations are concerned about where data is stored, they seem OK with making critical assets available to workers all over the world.
"The irony is that most of these organizations will be using outsourced development teams in India, who probably have access to live production instances and have access to all the data anyway," stated Don Smith, technical lead for Dell's EMEA information security outfit, according to ZDNet. "They're very happy for their data to be flowing to the US. They're mature about it … They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."
In this way, focusing too intently on where data resides could take enterprises' eyes off the ball, causing them to overlook specific security features as they worry generally about surveillance. That's not to say that being concerned about data security and privacy is wrong, only that protecting information in the cloud requires more than just sending it to a server in Finland or Germany rather than one in the U.S. Enterprises also must look at:
- Who owns the encryption keys, and where are they? This is the real location issue. Encryption is one of the most powerful security tools at companies' disposal, but key management is still a major operational hurdle. Ponemon Institute's 2013 Global Encryption Trends Study found that 30 percent of organizations rated the handling of keys and certificates as a nine or 10 on a scale of 1-10, with 10 being the most difficult.
- While it's easy to be wary of government agencies, enterprises also have to be mindful of cloud service providers. Service-level agreements aren't always well-designed and may leave the provider too much wiggle room when it comes to security obligations and stewardship of data.
- Software-as-service still accounts for the bulk of all cloud spending, with IDC projecting that the majority of all IT spending on cloud services in 2013 went toward SaaS. Going forward, the mix of SaaS, IaaS and PaaS is expected to remain mostly the same, and SaaS applications are also a big part of shadow IT (the use of cloud services not approved by the IT department). Companies have to consider mechanisms such as application gateways to keep tabs on traffic levels and risk profiles.
Are security concerns an excuse for not overhauling IT?
The cloud is no longer the exclusive domain of small startups that are looking to grow without having to manage their own infrastructure. Many of the world's largest banks, airlines and retailers are all heavily invested in the cloud, and in a way cloud computing is not that far a leap from the hosted services and colocation facilities that they have been utilizing for years.
Speaking at Light Reading's Big Telecom Event, Verizon Terremark CTO John Considine argued that cloud security concerns, while often legitimate, are nevertheless overused as excuses not to update and replace legacy IT systems. Enterprises may think that they have to take an all or nothing approach to cloud – which can seem risky – when in fact hybrid infrastructure is becoming increasingly common as a means of balancing on-premises and remotely hosted resources.
Security will always be a key consideration for anything that IT doesn't directly control. Still, the evolution of cloud computing gives enterprises more options than ever for ensuring that everything is in the right place and protected by the proper measures.