This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

A First Look at Cloud Security

Tools, standards, and platforms are still evolving towards greater security in the cloud.

As IT departments investigate cloud solutions and initiate pilot deployments, security questions remain open. To some extent these determine what kinds of data companies are willing to entrust to the cloud.

CompTIA, the IT industry association, does an annual survey of security attitudes among IT executives. Their ninth annual report is out, and it sheds some light on questions of cloud security and the trust IT executives bestow on cloud suppliers. While 85 percent of the respondents in CompTIA's survey said they trust the security of the cloud suppliers they have investigated, their actions paint a more cautious picture.

50 percent of the executives questioned say that increased reliance on cloud-based resources and services is a defining factor in their security concerns. Yet in some ways the cloud is more secure than in-house provisioning, especially for smaller businesses that may not have the resources or the staff to ensure the level of security they would like.

The cloud will actually be the more secure environment for small and mid-sized businesses within three to five years, according to a Symantec executive quoted in For larger organizations the timeline runs more like 10 years.

This relative lack of security maturity was reflected in the unwillingness of IT executives to entrust certain types of data to the cloud: confidential company financial data, credit-card data, employee HR files, customer contact information, and others.

Among the cloud concerns cited by the IT executives, the one that topped the list wasn't security-related; it was about downtime and the interruption of business (43 percent of respondents). Following that were risks to data in motion (40 percent), encryption of data at rest (39 percent), physical security of the cloud provider (39 percent), and vulnerabilities stemming from resource sharing in a multi-tenant environment (36 percent). 31 percent mentioned the difficulty in assessing and comparing the security of cloud-service providers.

Other concerns related to the loss of control that moving to the cloud inevitably entails. You can't simply pop a terminal window and see what's going on; you don't have access to log files; you have to file a trouble ticket and wait in line. The executives questioned by CompTIA cited the inability to conduct audits, vendor lock-in, and the lack of transparency as to where data is geographically located.

Brought up short

Late last year the City of Los Angeles had to recalibrate its plans to move 30,000 city employees to Google Apps for Government when it was discovered that the cloud service could not meet stringent FBI security requirements for communicating and storing law-enforcement data. 13,000 LAPD employees will be sticking with their existing in-house GroupWise email system -- with Google footing the bill -- while 17,000 other LA staffers move to Gmail.

LA's experience was a bit of a wake-up call for security-conscious organizations considering how cloud computing would fit into the mix. Granted, the FBI's Criminal Justice Information Systems requirements are exceedingly detailed and tough. Still, the impression that cloud security isn't quite there yet got a little more firmly entrenched.

We'll be writing about cloud security in more detail in future blog posts. Please use the comments below to share the security experiences you have had while investigating or rolling out cloud initiatives.