Public cloud computing risks are numerous enough to field a top 10 -- or even more. Professional organizations and CIOs are developing threat lists to help them come to grips with the public cloud, an entity that will continue to seep into the enterprise IT environment whether they like it or not.
Some lists of top public cloud computing risks are sweeping and philosophical, such as the Top Threats to Cloud Computing, v.1.0, developed by the Cloud Security Alliance. Most include some combination of the following items:
1. Security on the network
This remains far and away the No. 1 concern among IT executives, and includes such subcategories as data protection and privacy, physical security and application security from a Software as a Service (SaaS) provider, and cutting through the hype.
For one, don't believe the "Trust me, I'm SaaS-y" marketing, said Steve MacLellan, senior vice president of enterprise architecture for financial services at Boston-based Fidelity Technology Group. Be sure to ask questions about their security policies, and visit the data center to ensure physical security, he added.
Then, do your part to protect data. "We make sure our data is encrypted leaving us -- it happens in the data center before it hits the wire," said Peter Toth, manager of IT operations at Princeton, N.J.-based GfK Custom Research North America, a division of the German research and development company GfK Group.
For others, security is no more a threat in the cloud than it is in one's own backyard. "I like to say the cloud, even the public cloud, isn't inherently more or less secure than your internal environment," said Rich Mogull, CEO and analyst at Phoenix-based consultancy Securosis LLC. "It's all a matter of what controls are available and how you implement them."
2. Identity management
Passwords are problematic, especially because malefactors now have the compute capacity -- ironically, available on public clouds -- to bust through them. The federal government is taking a leadership role in the development of a federated ID ecosystem that would protect against cyberfraud. Earlier this month, the Obama administration announced it would create a Trusted Identities in Cyberspace program, to be led by a newly formed National Program Office within the Department of Commerce.
Speaking of borders, they might in fact be virtual but they might just as well be physical. New regulations for the financial services, health care and insurance industries place restrictions on where data physically can reside and how long it should be kept. "At Fidelity, we hear this [need to comply with new regulations] a lot," MacLellan said. "The regulatory environment is a little hostile," perhaps to overcome a notion that the cloud is a free-trade zone. For example, some information might not be able to cross the boundaries of a country, but it's next to impossible to know where in the public cloud data exists. Furthermore, the onus is on cloud customers to make sure that cloud providers are compliant with the regulations affecting their company's data, according to Drue Reeves, vice president and distinguished analyst at Gartner Inc.
4. Data integration
One danger in using public cloud services is the natural aggregation of data in cloud silos. Integrating data residing in the cloud with an enterprise's back-end systems is no picnic, especially if the enterprise hasn't undertaken the organizational challenge of information integration. Companies that have organized their data sets well enough to use them across multiple platforms will be best positioned to take full advantage of cloud services, according to James Staten, vice president and principal analyst at Forrester Research Inc. in Cambridge, Mass.
It also will be important to get into the habit of encrypting data, tagging fixed data and consolidating storage repositories, according to EMC Corp.'s Leadership Council for Information Advantage, an IT executive group whose members discuss challenges in cloud computing. To stave off a huge integration effort down the line, try to limit the number of cloud platforms that have to be supported, the group advised.
Cloud experts also advise the use of ETL (extract, transform, load) tools to simplify the conversion of data from one format to another. The goal is to convert information into one common format -- most likely into Extensible Markup Language, or XML -- to make it more portable and searchable.
5. Vendor lock-in
This thorny issue comes down to the evolution of standards for interoperability among different cloud providers. Let's say you don't like a change in policy made by your public cloud provider and want to move your workloads to another cloud provider. In this case, the cloud might as well be the proverbial Tower of Babel, even though many vendors are making interoperability more of a priority. Microsoft's Azure platform, which is tied directly to .NET, now has an open source software development toolkit for developers working with the PHP scripting language, and Salesforce.com Inc.'s once-proprietary Force.com development platform supports Java application development.
6. Vendor viability
The cloud currently has 10,000 providers of one sort or another, according to Tom Bittman, distinguished analyst at Gartner. "Somebody needs to help us arbitrate that," and give enterprises "a single throat to choke," he said. He anticipates the rise of cloud brokers as the new systems integrators, helping with data integration among enterprises' back-end systems and cloud services. Rather than being consumed directly, by 2015, 20% of cloud services will be consumed via cloud service brokers, up from 5% today, he predicted.
That "single throat" might also be the result of consolidation among the cloud service providers. With competition in the extreme, it's not necessarily the smaller providers that will fail. Choosing the right provider is one of the critical decisions IT executives will make this year, according to Bittman. "We've seen providers go out of business, and the data is just gone," he said.
Cloud services might not provide the same level of manageability that enterprises expect. The ideal would be a single, end-to-end view of on-premises and cloud applications, according to CIOs including Phil West, CIO of Gainsco Inc., a Dallas-based provider of nonstandard automobile insurance. Last fall, several vendors including Vizioncore (now part of Quest Software Inc.), Veeam Software Inc., LogMeIn Inc., Precise Software Solutions Inc., Compuware Corp. and Microsoft announced monitoring tools and plans for providing end-to-end visibility from the enterprise to the cloud.
Enterprises can't put up with interruptions in service, regardless of their cause, from bandwidth constraints to distributed denial-of-service attacks. "It's all about quality, not about low-cost services anymore," said Lalitendu Panda, global CIO of D&M Holdings Inc., based in Japan. "Interruption of service is an issue; we have had a couple of 'situations,'" he said. "It's not like having your own [infrastructure] that you can modify. You have no control over what else is running on the cloud that could degrade performance."
9. Shared resources
Because of its multi-tenant nature, the public cloud hosts numerous companies sharing the same infrastructure. The dependency of tenants sharing a single cloud creates a potential for catastrophic risk, according to Drew Bartkiewicz, CEO of CyberRiskPartners LLC, a New York-based provider of cloud insurance. "Public cloud providers are mitigating risk through contracts and an enormous amount of hope that nothing will happen to them," he said.
The point of the cloud, on the other hand, is that you're sharing space, said Tanya Forsheit, a founding partner of InfoLawGroup LLP in Los Angeles. "If you're going to use [the public] cloud, you have to accept the notion that that's true, or use a private cloud to segment data," she said.
10. Legal ambiguity
The fact is, liability in the cloud is not black and white, and that's due in part to a lack of public cases that could set a precedent. If a public cloud computing provider compromises data that is subject to regulatory issues, the provider should share in the liability, Gartner's Reeves said. "The IT organization should be writing their contracts in such a way that it comprehends regulatory issues and the provider shares the liability. Why would the consumer bear all the liability if he has told the provider what the data requires?" he said. Cloud liability is a work in progress; providers may waive hosting fees when a connection goes down, but there's no remuneration for lost business, he added. Imagine a new ecosystem of cloud insurance brokers before the dust settles.
No going back
This isn't so much a risk as a reality, and yet people in the IT trenches worry about what will be lost when the enterprise adopts public cloud computing. "Once you step out of the private house and go to public processing, your needs and wants of going back are almost impossible," said Danny Jenkins, BlackBerry administrator at J.C. Penney Corporation Inc. in Plano, Texas. The risk is that you "give up your in-house knowledge base."
Let us know what you think about the story; email Laura Smith, Features Writer.