Fear Factor: Why Security Is Still The Cloud's Biggest Hurdle


There's little doubt that cloud services are poised for tremendous growth as companies look to cut costs and improve efficiency. But a nagging problem threatens to dampen all the high hopes for cloud computing. A report issued earlier this year by a group of top information security executives from big-name companies such as Coca-Cola, Johnson & Johnson, and Wal-mart put it bluntly: Security remains the No. 1 obstacle to cloud adoption.

Indeed, a lack of trust and a sense that an organization wouldn't have complete control over its data or systems is hindering widespread adoption of cloud computing, solution providers and industry experts say. Regulatory compliance, data integrity and lack of transparency are top concerns for companies contemplating a shift to the cloud. While enterprises are adopting certain cloud-based services, many are keeping a firm grip on the data they believe is the most critical to their operations.

"It's about trust," said Todd O'Bert, president and CEO of Minneapolis-based Productive Corp., a security, storage and infrastructure solution provider. "We're still finding by and large that it's about insourcing vs. outsourcing and right now the stuff they are willing to outsource isn't part of their core operations."

However, confidence in cloud services is growing as industry efforts to create standards mature and cloud providers work to build trust, experts say. They predict the shift to the cloud will be long and gradual as the cloud security challenges are overcome. Along the way, solution providers have an opportunity to help their customers make the transition to the cloud securely.

HOLDING BACK

Companies have been gradually moving to the cloud over the past decade, beginning with Software-as-a-Service (SaaS), fueled in part by companies such as Salesforce.com, which has had success with its popular CRM software. But providers selling Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) are still working to establish trust with potential clients and attract more businesses.

Jerry Irvine, CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm, said enterprises are concerned about the safety of putting their intellectual property, financial information and personal customer data in a cloud environment. "A number of large corporations that we do business with have no intention of putting certain classes of data in the cloud," he said.

HIPAA, the Payment Card Industry Data Security Standard and various international and local privacy requirements are major cloud concerns for businesses, Irvine said. Some European countries require that data reside in the host country, a mandate that can be difficult in a multitenant cloud environment. Moreover, IT departments fear losing control if they move data to a cloud provider.

"They have no control over security or management yet they're responsible if their data gets breached," he said.

Irvine cites another reason why some enterprises are shying away from the cloud: the inability to audit the cloud provider. Large, highly regulated companies often must have the ability to conduct independent tests of a provider's security controls, he said, but cloud providers generally are unwilling to permit such tests.

For small businesses that don't view IT as a critical asset and want to minimize costs as much as possible, security isn't as much of a barrier to cloud adoption, said Paul Hill, senior consultant at SystemExperts, a security consulting services firm based in Sudbury, Mass. Meanwhile, large companies that place a high priority on security and have a lot of resources can put cloud services through formal risk assessments using existing security frameworks such as ISO 27001.

"In between, there are companies that value IT and know security is a concern but don't have an existing way to evaluate risk and are unfamiliar with various frameworks," Hill said. "They're the most reluctant to adopt cloud services. They don't know a way to get a handle on it."
