Clouds 360
  Does The Cloud Put Your Company's Security at Risk?

The challenging economic climate may be relenting, but the pressure to cut costs has not abated. To that end, chatter in boardrooms and break rooms continues about how the cloud may be the most promising opportunity to acquire the technology the business wants at a price the company can afford. IT leaders know that there is plenty of opportunity in the cloud, but there can be risk too. So how can you tell if the cloud is right for your business?

The elephant in the room is actually a raging bull that can destroy a company's reputation and customer trust in a single instance, and its name is security breach. Business executives and IT leaders shudder at the thought of a security compromise. And many are concerned that cloud services are a virtual red flag that entices that bull elephant to attack. The problem with this fear is that it is overly broad and requires deeper examination to separate fact from fiction. Consider the facts.

Fact #1: Cloud Vendors Offer Information Security Seldom Matched by Private Enterprises

As a matter of normal practice, cloud providers deliver impressive security postures to accommodate information security and business continuity. These cloud vendors don't skimp on investment, as they know that even a single security compromise would result in a significant loss of customer trust and business.

"Do you really have the right measures in place for security threats and business continuity?" asks Rob Kall, president of Bookt, a web services vendor to the global vacation rental and hotel industry. "For example, what happens if somebody steals all your servers?"

Indeed, what happens when a natural disaster hits such as a tornado, flood or earthquake, or an accident such as a fire, or if a hacker penetrates your network or acquires credentials through a stolen laptop, a forgotten smartphone or an unguarded thumb drive? Do your internal staff, tools and processes offer the same type of preparedness and response as the cloud vendors who do this for a living?

Also consider that, on top of external natural and man-made risks, the biggest risk of security compromise comes from your own staff. Most security research consistently shows internal staff as the top threat to your data. In fact, security breaches are four times more likely to stem from staff than external hackers. Does storing your data on-site increase or decrease the risk of theft by staff?

Is confidential or privileged data any safer or more at risk on your own servers than in the cloud? Data stored in the cloud may be subject to similar threats as if it were stored on the server next door, down the street, in the next city or elsewhere. The difference is that cloud providers operate with much greater preparedness for such events.

If information security concerns are the only thing holding you back from considering a cloud solution, compare your current risk exposure to that if you go with a cloud vendor solution. You will most likely be gaining security advantages by enlisting the expert services of cloud providers.

It's not that individual businesses cannot make the investments and efforts to achieve state-of-the-art information security infrastructures; it's just that security is not their core competency and the investment probably wouldn't make business sense for the company.

"Cloud providers can solve these security and business continuity problems on a much greater scale and the savings are passed to the customers of the services," says Kall. "They are also likely to have more expert staff and every cloud provider knows that their reputation lives and dies with their security and uptime performance."

Fact #2: WWW Does Not Mean the Wild Wild West

To the misinformed, the Web is a dangerous place that threatens your security. However, properly informed business executives and IT leaders recognize the risk, and the need to mitigate that risk, because they cannot survive or thrive without the Internet.

Even non-cloud businesses spend plenty of time connected to the Web for e-mail, remote presentations, transferring files, downloading presentations and much more. When you purchase traditional, on-premises software, you likely download it from the Web rather than install it from a DVD or anything that is plugged into your servers. And you'll probably get your updates and patches off the Internet. So there you are, back on the Web again.

The only way to avoid most threats coming from the Web is to not connect to the Internet at all. But the highest threat of compromise from internal staff continues to exist, and more importantly, abstinence will destroy your business. Companies would be unable to grow their businesses without online interactions.

Fact #3: Cloud Computing Concerns Remain

Security is often the first-cited cloud concern, yet adopting cloud services can significantly improve information security preparedness, incident response and disaster recovery. However, while generally not receiving the same initial attention, other concerns about the cloud remain relevant, such as total cost of ownership, cloud contracts, cloud tools and portability.

With the utility or subscription pricing model there's little argument that up-front cloud costs are materially cheaper than on-premises counterparts. Also, with near real-time provisioning of new systems and no hardware or platform software (e.g. operating systems, relational databases, security programs, management tools) to install, cloud implementations go faster and cost less. And, with less hardware to maintain and less need for application system administrators, database administrators and overall support, IT staffing costs are clearly reduced. However, subscription pricing is recurring billing so whether cloud services deliver reduced total cost of ownership (TCO) over the life of the service compared to licensed counterparts becomes a TCO calculation that will vary for each business.

Unfortunately, cloud contracts lack standardization and, if not understood by buyers, may come with unforeseen risk. Most cloud vendors offer Service Level Agreements (SLAs); some do not. Some cloud vendors offer SLAs to some customers but not other customers. Some SLAs guarantee financially-backed credits or penalties for SLA non-conformance, while others do not. Some SLAs exclude scheduled maintenance periods from uptime guarantees while others do not. The lack of continuity among cloud services imposes increased diligence upon cloud buyers and their legal advisors.

Despite powerful Platform as a Service (PaaS) and custom development tools from cloud providers, many IT departments lack cloud tools to help them support their infrastructures, policies and user communities. Simple tools such as real-time monitoring of cloud services may be unavailable, blocked by cloud vendors or contractually prohibited in cloud vendor contracts. This prevents IT staff from viewing performance metrics and impairs their ability to deliver real-time support to their user communities. Other tools such as simple integrated identity management solutions are in short supply. Companies that subscribe to multiple cloud products without a common, easy-to-install and easy-to-use single sign-on (SSO) or other identity management method will require users to manage multiple logon credentials.

Cloud portability is becoming a casualty of proprietary cloud tools. For example, businesses can use the Salesforce.com Force.com development environment to build custom business applications and add-on solutions; however, such solutions only work on Salesforce.com's cloud. Similarly, don't expect custom solutions built with NetSuite's NS-BOS platform or SAP's (Business By Design) NetWeaver platform to work outside of their proprietary clouds. Salesforce.com's announcement of database.com, and its slightly more open and agnostic approach, is a welcome sign to IT leaders and application teams, and will hopefully begin a slow trend of making cloud solutions more interoperable and portable.

According to Gartner VP and Fellow, Daryl Plummer, many of the remaining cloud issues will be addressed over the next few years. He advises that by 2015 cloud vendors will understand that customers need audit tools for cloud services and contractual guarantees about the vendors' liability should their services fail. Plummer also predicts "cloud brokerages" or intermediaries will emerge to help customers get what they want from the cloud.

The Cloud is Coming, Ready or Not

No technology is perfect and the cloud will grow despite any efforts to keep it at a distance.

"While the on-premises model is the use of internal services with a few forays into the cloud, in the future it will certainly be just the opposite," says Ed Lyons, Chief Engineer at Keane. "Business services will increasingly be in the cloud, and there will be rare exceptions when something must be brought in-house."

"We do not have to imagine this model, startups with millions of users already operate this way," he added.

There are far more clouds developing on the horizon—private clouds, public clouds and hybrid clouds. "An increasing focus will be on private clouds, and businesses will see significant changes in the cost structures and accounting treatments within their organizations," predicts Amit Sen, Director at Patni Americas' Business Consulting Services.

Next time you're evaluating cloud services in a board room or a break room, recognize that the real question isn't whether your business moves to the cloud, but when and under what conditions the cloud makes sense for your company.