Cloud computing security skeptics abound
- 15 October, 2010 04:06
The prospect of data security in cloud computing — particularly public-cloud computing — has security professionals taking a cautious approach.
"We are a very conservative risk-adverse company by nature," says Mark Pfefferman, assistant vice president and director of the identity and access-management program at Western & Southern Financial Group. "As a life-insurance company, managing risk is part of our DNA." While his company has outsourced some data applications such as payroll to ADP, Pfefferman says there's no interest in turning to a cloud provider to store and process customer-related data.
The main reason springs from the sense that "I don't feel I have good control of the data out in the cloud," Pfefferman says. The company retains its own data center with a staff of IT professionals, and a look at some of the possibilities in cloud computing has left the impression that it is not only less of a cost saving than sometimes claimed, but also raises risks substantially.
There are lingering questions about where data might be stored geographically, or what contractual arrangements are required in the event of a data breach, or how back-up is done, Pfefferman says. While Western & Southern Financial Group is making limited use of Google collaboration applications, the intention is to avoid inclusion of any sensitive information.
Gartner Symposium ITxpo preview
These are some of the issues related to cloud computing that will come under focus at the Gartner Symposium ITxpo next week in Orlando, the annual techfest which this year features keynote addresses from Cisco CEO John Chambers, Microsoft CEO Steve Ballmer and Salesforce.com CEO Marc Benioff.
Among numerous Gartner conference sessions related to enterprise use of cloud computing will be "Three Styles of Securing Public and Private Cloud Computing," with Gartner analyst John Pescatore.
"Fortune 1000 companies have to worry about compliance and security," notes Pescatore, who says there's a lot of reasonable skepticism in those ranks regarding public-cloud computing and security. But he adds that small businesses and city governments, "which don't have two nickels to rub together" in these troubled financial times, are looking at cloud-computing as a less-expensive option.
The federal government is regarded by cloud providers like Microsoft and Google as among the biggest fish to land. "Microsoft and Google are chasing the federal e-mail business," says Pescatore, adding he doubts Google really cares much about enterprise business. A recent Gartner report showed Google Gmail has less than 1% of the enterprise e-mail market.
The virtualization of the enterprise is leading to a more direct path to private-cloud computing, according to Pescatore. In addition, cloud-based security services, such as Zscaler, are a good indication of where things are headed.
A recent Harris Interactive survey of 210 IT executives in U.S. businesses paints one picture of cloud adoption and attitudes about it. The survey shows that roughly one-third currently use only private-cloud computing, while another third uses both private and public clouds.
Roughly 1 in 10 uses only public cloud computing, and almost one quarter uses no cloud-computing option at all. Some 43 per cent of the IT execs surveyed said they expect increased use of both public and private cloud platforms, while 29 per cent expect more use of just private-cloud platforms, and five per cent expect increased use of public clouds. Another five per cent had "no plans" regarding use of cloud computing, and seven per cent said they weren't sure.
When asked about security issues, nine out of 10 of these IT executives said they believed confidential data is more secure in private-cloud systems than in public ones.
Lack of end user control in the cloud
In a webcast earlier this week on "the Future of the Perimeter," security experts Nir Zuk and Marcus Ranum didn't mince words in voicing their distrust of cloud computing and security.
"People are turning to application-service providers, like Salesforce.com," said Zuk, co-founder of Palo Alto Networks, adding there are "issues with it."
One issue is the relative lack of control of the enterprise end user with Salesforce, especially when the user is outside the perimeter of the enterprise, perhaps "in an Internet café, such as the ones in Moscow, probably running loads of spyware," Zuk said. He said he didn't have a solution to that security challenge right now, though he's thinking hard on it.
Although Amazon and Rackspace may "significantly cut your cost," said Zuk, it's like taking your head and putting it in the sand because among the major challenges there, "you really don't know what security these companies are running." He added you also are not likely to know "your neighbors on the machine." There are many issues like this that aren’t being addressed right now, he said.
Ranum, chief security officer at Tenable Network Security and a security instructor, predicts that five years from now "we'll see some of the cracks in cloud computing," and "what's hot today" will be "the security problem five years from now." In addition, Ranum says people should consider that once everyone rushes into cloud computing, "prices could go up."
"Once everyone is nicely locked in, prices will go up — then they'll go back to the desktop," Ranum said.
And any explanation given by cloud computing providers that they can't always tell you where your data is should be viewed critically, he suggests. "You should know where your data is at all times," Ranum concluded.