Despite that every tech blog, news site, and ‘latest trends’ article is replete with mentions of the cloud, there is an undeniable knowledge deficit between those who engineer cloud architecture and applications and those who use them. And it’s growing. Not since the personal computer delivered the miracle of the internet to the homes of Middle America in the 1990s has there been such a torrent of rhetoric weighing the pros and cons of a technology that its pundits couldn’t begin to define without resorting to contradistinction.
The irony is, the same people arguing against the cloud in favor of on-premise hosting and software never understood how local systems operate in the first place. As a result, the information available to help companies evaluate the potential benefits of using cloud-based services is often nonspecific and inaccurate. In an attempt to remedy this, we’ll be taking a look at a number of studies and interviews from the last year to learn the facts about cloud security’s supposed points of weakness and slow adoption rate.
Contrary to popular belief, cloud services are growing in popularity while being decried for their lack of reliable security. Like so many other American favorites, the lure of a lower price and the freedom from responsibility that the cloud provides seems to be a greater draw than the combination of any potential downsides is a detractor. Consumers, it seems, are perfectly content with taking a ‘wait and hope’ approach to the technology they love. Take it from industry expert Steve Pate:
Surveys continually place concerns about data security as one of the top reasons preventing organizations from moving to the public cloud. Yet, Infrastructure as a Service (IaaS) is the fastest growing segment of the public cloud, with CAGR above 40 percent through 2016, according to Gartner’s Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update.
As long as somebody is working to fix the cloud’s security problems it should be fine, right? Yes, but as John Howie, COO at the Cloud Security Alliance, told Robert Lemos, “[Early cloud providers] were not really thinking about application security or code-level security…And in some cases, the problems were exacerbated because they were developing the equivalent of intranet applications, but putting them on the public Internet.” This shouldn’t be seen as an indictment of the cloud, but rather the realization that managers were probably pushing developers for faster deadlines in a burgeoning market which led to oversight on less sexy features like security.
There’s definitely someone out there who does know what cloud security means, but in a much more real sense, nobody in your office knows what cloud security means. In an article that beautifully illustrates its own point about how little professionals know when it comes to cloud security, Jason Hart notes that:
Recent independent research revealed that 89 percent of the global information security workforce lacks clarity as to how security applies to the cloud, and 78 percent of information security professionals lack understanding of cloud security guidelines and reference architectures.
Hart goes on to suggest that:
Instead of trying to fight off cloud security threats on multiple fronts, businesses need to accept the inevitability of a breach whilst still maintaining control over data regardless of where it resides. By embracing the concept of a “secure breach”, organizations will be able to ensure that even if the hackers do get to their data, it will be worthless in their hands.
Hart’s prescription is well-meaning and a good piece of advice in general, but a bit of a Catch-22. If IT professionals knew how to encrypt their data such that it would be impervious to hacking if stolen, they would have already implemented systems to prevent the data from being stolen in the first place.
A struggling IT department still doesn’t explain why cloud systems have a reputation for slow adoption either. According to Ellen Messmer who cites a study by the Security for Business Innovation Council, “Middle managers don’t want to use their resources on security…They are incentivized by timeline and budget; adding security doesn’t fit into their objectives.” Just how opposed are they? A PEER 1 survey of IT decision makers found that, “only one in five respondents trusted the cloud enough to make a full transition – with 78 percent preferring to opt for a hybrid cloud solution.”
Messmer later hypothesizes that communication breakdown is to blame:
Security teams should be striving this year to build relationships with these middle managers, the report emphasizes. The practice of regular meetings and information exchange is an approach that has worked well over the past few years with the top corporate executives to bring their attention to the nature of cyber-threats.
Once again, while making a concerted effort to improve communication is always good, it seems that if IT staff were better educated about cloud security themselves they might not have to do so much convincing. Either way, nobody knows what cloud security means in 2013.
The data tragically absent from the heart of the cloud security debate is, surprisingly, the actual security of cloud platforms and applications. In just such an analysis of the relative security of cloud and on-premise systems, Alert Logic, “consistently [found] that the rate of occurrence of incidents is similar in both, and the frequency is actually higher in the on-premises data center.” The same reports also found that, “web application attacks are more common in the cloud, but malware and botnet activity are far less common than they are on-premises.” A bit of a buzzkill for those who’ve been enjoying the heated debate, Alert Logic’s data along with that of Gartner which predicts that, “by 2015, 10 percent of overall IT security enterprise capabilities will be delivered in the cloud,” seem to point to an inevitable cloud future.
What have we learned? First, the cloud is growing and it’s not going to stop anytime soon. Second, adoption is a balancing act between IT professionals who need to learn the technology and management who need to trust their IT staff. Finally, in real terms there is just as much vulnerability inherent in on-premise solutions as there is in cloud-based solutions. 2013 is a year of continued growth for the cloud, and those who demystify it the fastest will stand to benefit in years to come.
Want more on Cloud Computing?
We’ve put together some of the top product reviews, blog posts and premium content on the cloud hosting software research page. Additionally, be sure to explore our Top 10 Cloud Hosting Software report.