While some companies struggle with the question of whether to put their trust in public cloud solutions, others are flourishing in the environment. Not because they take cloud security risks lightly, but because they have found that the benefits of moving to the cloud outweigh the risks.
What separates these IT leaders from those sitting on the cloud sidelines is a strong, realistic working knowledge of the strengths and weaknesses of their IT teams, as well as the needs of their organizations. In some cases, a public cloud solution may actually provide more security and help build a disaster recovery practice.
There's never a 100% guarantee, but you have to be reasonable. Sometimes a little bit of a risk is OK.
That was the case for the United States Golf Association (USGA). Despite being a national organization, its headquarters are far from what would be considered a bustling metropolis. In fact, its home -- the tiny town of Far Hills, N.J. -- is what USGA managing director of IT Jessica Carroll affectionately calls "the middle of nowhere." From an IT perspective, this could mean disaster when it comes to disaster recovery. But Carroll was satisfied with her solution provider's security.
"In this case, I've seen their [IBM] environment, I've seen the secured hallowed room. They really impress you when you look at the logistics of what they do with your data," she said. "I know because I've seen it, I know the kind of measures IBM has taken ... I marry that with their reputation, and for me it's an easy decision."
Carroll’s move into the public cloud wasn’t her first foray with cloud security and privacy. At the USGA in 2006, she signed up for Microsoft's Live Meeting. She pays a subscription fee and the USGA can use it as much or as little as needed. "I don't need to ensure it's kept private, I don't need to ensure there's good disaster recovery for it, I don't need to worry if they go offline," Carroll said. "That, for me, is a great example of where we're able to leverage pricing structure that works really well for us, without any infrastructure investment on my part, and I'm comfortable that the data we're putting out there is OK to put out there."
Not all cloud security risks are the same
Gartner Inc. analyst Jay Heiser warns against rushing into "keeping up with the Joneses" regarding enterprise security decisions.
"No buyer should automatically assume that every offering is adequately secure," Heiser said in an email. "Therein lies the biggest problem -- it is virtually impossible to determine whether any particular external service provider is adequate for security purposes."
"I not only find it inaccurate, but I find it a bit demeaning, if not insulting when service providers pat one of their sales prospects on the shoulder and says, ‘Don’t you worry your little virtual head about anything -- you don’t have the ability to secure yourself, you should put all your eggs in my basket, and I’ll take care of you,'" Heiser said.
Cloud concerns linger
Larry Bolick, CIO of Aquent LLC in Boston, Mass., has had success with cloud solutions for collaboration, including Google Gmail and telephony. But security remains on his mind even after doing due diligence conducting careful contract negotiations.
"This is the first question that always comes up related to cloud computing and rightfully so -- everyone should be concerned with cloud security," Bolick said.
However, it’s also important to keep history in mind, he said. Less than 15 years ago, colocation was the public cloud of its time. The idea of sharing space was desirable, but the lack of security would be appalling by today’s standards -- company names and IP addresses were clearly viewable on servers in an open environment. Lessons were learned and security evolved, Bolick said.
More cloud computing resources
Past problems with Google's cloud weren’t a roadblock, but rather an entry point for a fruitful conversation on security, he said. Concerns lingered not out of fear, he said, but because he believes strong cloud security is a complementary relationship between company and vendor. The challenge lies in change management and aligning your team's security practices with what the vendor has to offer.
"It’s not all the vendor’s problem; it’s their customer’s problem as well," he said. "A lot of what we’ve done in our cloud space is around encryption, in a steady state and when it’s moving. In our environment we’ve taken pains to make sure our infrastructure is well-secured. A lot still falls on the customer’s plate in terms of security, but it’s nice to know we have cloud providers keenly interested and aware of our security challenges as well."
Despite any CIO's best efforts toward due diligence, there are still no guarantees. At a certain point, you simply have to be willing to trust your vendor and your decisions. Bolick likens it to getting on a plane: You don't personally know the pilot or the mechanics, but they've been certified by the FAA and you put your trust in them.
"The big fear? It's the rotten apple in the barrel. As soon as there is an incident in security or privacy due to a slip-up, a cloud vendor is going to see the ripple effect for a while," Bolick said. "Service providers need to redouble their efforts. There's no glory for security folks [who work for] cloud providers, but if they do their job, that's the way it's supposed to be. There's never a 100% guarantee, but you have to be reasonable. Sometimes a little bit of a risk is OK."