One of the biggest barriers to adopting a cloud-based approach to IT services has been security – or a perceived lack of security. The good news is that some analysts believe we are getting past this. For cloud service providers, though, it means adding value on top of their cloud services by being an expert in this space.
The case for cloud has been hindered by a number of high-profile reports of hacking, leading to what industry analysts have termed ‘FUD’: fear, uncertainty and doubt.
These perceptions have affected the business community too, with many organizations believing the cloud to be less secure than an on-premise alternative.
However, research from the Cloud Industry Forum (CIF) shows there’s a discrepancy between perceptions of data security in the cloud and the reality experienced by users. The UK research confirmed the number one issue in the minds of end users still relates to data security; 75 percent of those questioned said security ranks as the number one reason for organizations not wishing to move specific applications to the cloud.
Applications considered to be the highest risk by organizations are data backup/disaster recovery (36 percent), data storage (30 percent), and personnel and payroll (33 percent).
While the research states that only two percent of organizations said that they had actually experienced a cloud service-related security breach, two percent is arguably a high number, given this only covers known security breaches.
A report last month by the Cloud Security Alliance (CSA) made for more optimistic reading for cloud service providers.
It indicates that while data security in the cloud continues to be a top barrier to cloud adoption, organizations are still moving forward in their journey to the cloud, with 74 percent of respondents indicating they are either moving full steam ahead, or with caution, in the adoption of cloud services.
At the same time, 34 percent of respondents indicated that a lack of knowledge and experience on the part of IT and business managers was a main reason for slow adoption or a lack of adoption.
The Challenge for Cloud Service Providers to Overcome
The issue is obviously as much about perception as about actual viable risks to data, which is a challenge for cloud service providers to overcome. Cloud does not have industry standards for security implementations. PCI-DSS, by contrast, is a security standard enforced by the credit card companies and backed up by regular independent audits and potential fines for non-compliance, which at least gives the perception of security. Whether or not (given recent examples of credit card data going astray) it is in practice an effective standard for maintaining security is another question.
In practice, most security problems are not down to technical failings, but are instead due to poor organizational practice. For example, compare the number of security breaches originating in software bugs to those originating from configuration errors. The configuration management and templating that cloud provides, encouraging homogeneous deployment of tested units, can reduce such configuration errors by removing human error from the deployment chain. Moreover, a persistent security threat is poorly maintained and patched servers, often as a result of internal server sprawl. By making it easier to track, deploy and patch servers across an organization, cloud can in fact improve security.
Public cloud (as opposed to private cloud) often comes in for a special degree of criticism. Whilst it is true that cloud does present security challenges, many of these are also common to private clouds. Based on large-scale studies such as the highly respected Data Breach Investigations Report, cloud is no more vulnerable than on-premise – the real risk comes from a lack of education and poor implementation of basic security procedures. Indeed, service providers have in-house cloud-focused security expertise, whereas enterprises in general do not. The successful service provider should thus aim to become a trusted source of such security expertise.