Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Cloud computing security skeptics abound

There are lingering questions about where data might be stored geographically, or what contractual arrangements are required in the event of a data breach, or how back-up is done

The prospect of data security in cloud computing — particularly public-cloud computing — has security professionals taking a cautious approach.

"We are a very conservative risk-adverse company by nature," says Mark Pfefferman, assistant vice president and director of identity and access-management program at Western & Southern Financial Group. "As a life-insurance company, managing risk is part of our DNA." While his company has outsourced some data applications such as payroll to ADP, Pfefferman says there's no interest in turning to a cloud provider to store and process customer-related data.

Top cloud computing security risk: One company gets burned

The main reason springs from the sense that "I don't feel I have good control of the data out in the cloud," Pfefferman says. The company retains its own data center with a staff of IT professionals, and a look at some of the possibilities in cloud computing has left the impression that it not only is not as much of a cost-savings as sometimes claimed, it raises risks substantially.

There are lingering questions about where data might be stored geographically, or what contractual arrangements are required in the event of a data breach, or how back-up is done, Pfefferman says. While Western & Southern Financial Group is making limited use of Google collaboration applications, the intention is to avoid inclusion of any sensitive information.

Gartner Symposium ITxpo preview

These are some of the issues related to cloud computing that will come under focus at the Gartner Symposium ITxpo next week in Orlando, the annual techfest which this year features keynote addresses from Cisco CEO John Chambers, Microsoft CEO Steve Ballmer and Salesforce.com CEO Marc Benioff.

Among numerous Gartner conference sessions related to enterprise use of cloud computing will be "Three Styles of Securing Public and private Cloud Computing," with Gartner analyst John Pescatore.

"Fortune 1000 companies have to worry about compliance and security," notes Pescatore, who says there's a lot of reasonable skepticism in those ranks regarding public-cloud computing and security. But he adds that small businesses and city governments, "which don't have two nickels to rub together" in these troubled financial times, are looking at cloud-computing as a less-expensive option.

The federal government is regarded by cloud providers like Microsoft and Google as among the biggest fish to land."Microsoft and Google are chasing the federal e-mail business," says Pescatore, adding he doubts Google really cares much about enterprise business. A recent Gartner report showed Google Gmail has less than 1% of the enterprise e-mail market

The virtualization of the enterprise is leading to a more direct path to private-cloud computing, according to Pescatore. In addition, cloud-based security services, such as Zscaler, are a good indication of where things are headed.

A recent Harris Interactive survey of 210 IT executives in U.S. businesses paints one picture of cloud adoption and attitudes about it. The survey shows that roughly one-third currently use only private-cloud computing, while another third uses both private and public clouds.

Roughly 1 in 10 uses only public cloud computing, and almost one quarter uses no cloud-computing option at all. Some 43 per cent of the IT execs surveyed said they expect increased use of both public and private cloud platforms, while 29% expect more use of just private-cloud platforms, and five per cent expect increased use of public clouds. Another five per cent had "no plans" regarding use of cloud computing, and seven per cent said they weren't sure.

When asked about security issues, nine out of 10 of these IT executives said they believed confidential data is more secure in private-cloud systems than in public ones.

Lack of end user control in the cloud

In a web cast earlier this week on "the Future of the Perimeter," security experts Nir Zuk and Marcus Ranum didn't mince words in voicing their distrust about cloud computing and security.

"People are turning to application-service providers, like Salesforce.com," said Zuk, co-founder of Palo Alto Networks, adding there are "issues with it."

One issue is the relative lack of control of the enterprise end user with Salesforce, especially when the user is outside the perimeter of the enterprise, perhaps "in an Internet café, such as the ones in Moscow, probably running loads of spyware," Zuk said. He said he didn't have a solution to that security challenge right now, though he's thinking hard on it.

Although Amazon and Rackspace may "significantly cut your cost," said Zuk, it's like taking your head and putting it in the sand because among the major challenges there, "you really don't know what security these companies are running." He added you also are not likely to know "your neighbors on the machine." There are many issues like this that aren’t being addressed right now, he said.

Ranum, chief security officer at Tenable Network Security and a security instructor, predicts that five years from now "we'll see some of the cracks in cloud computing," and "what's hot today" will be "the security problem five years from now." In addition, Ranum predicts that people should consider that once people rush into cloud computing, "prices could go up."

"Once everyone is nicely locked in, prices will go up — then they'll go back to the desktop," Ranum said.

And any explanation given by cloud computing providers that they can't always tell you where your data is should be viewed critically, he suggests. "You should know where your data is at all times," Ranum concluded.

Read more about data center in Network World's Data Center section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Amazon, Cisco, Gartner, Google, Harris Interactive, Microsoft, Palo Alto Networks, Salesforce.com, Technology Solutions
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: cloud computing, cloud computing companies, Data Center, hardware systems, internet, security
Latest Blog Posts
Whitepapers
  • Automating Your Processes to Outperform Your Competition
    Welcome to Volume Three of the “Intelligent Guide to Enterprise BPM.” Get ready for an education in automation—Process Automation, that is. This white paper goes into detail about the Process Automation entry point into an Enterprise Business Process Management (BPM) program. Read on to learn how Process Automation opens up new ways to help your business do things faster—like open up a new sales channel or deliver customer orders. Discover how Process Automation enables your business to run smoother and consistently in an orchestrated way. With a true Enterprise BPM solution, you can automate newly designed processes far easier than starting from scratch.
    Learn more »
  • Managing Trust - Data protection and compliance for financial services
    If it’s becoming something of a cliché that the financial services industry is one of the world’s most heavily regulated, that’s largely because it’s true. Data retention and archiving, authentication and authorisation, data loss prevention and privacy regulations compete with demands for transparency and accountability, while market imperatives calling for multiple service channels delivered over a broad spread of technologies add to the pressure. Read on.
    Learn more »
  • Best Practices for Oracle License Management: Optimise Usage and Minimise Audit Liability
    With Oracle audits on the rise, organisations that can best align license agreements with actual database and option usage can reduce their financial risk and maximise the value of their Oracle investments. The goal is to “right-size” Oracle across the enterprise and gain control over the entire license management process – from accurate needs projections and licensing negotiations, to deployments and audit preparation. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments