The amorphous nature of cloud computing can make IT pros charged with protecting their organizations' data feel as if they're trying to rope the wind.
While privacy and security top the list of governance woes cited by the business technology professionals we spoke with, availability, performance management, accessibility, auditing, and monitoring are far from nonissues, especially for those subject to restrictive regulations such as Payment Card Industry standards or the Health Insurance Portability and Accountability Act.
"Cloud computing, in my opinion, would cause too great a reliance on having Internet connections, plus expose company information to compromise or theft," says one respondent to our September InformationWeek Analytics cloud computing survey. "From a PCI compliance point of view, it would be a nightmare."
Still, the pluses – scaling applications quickly and seamlessly while shedding capital and operating expenses associated with maintaining servers – are attractive enough that this model will continue to gain popularity with business leaders. And cloud computing proponents, including the big vendors vying for shares of this lucrative market, are masters of accentuating the positives while downplaying potential negatives, like outages and governance challenges.
So how can information security pros reconcile their need for governance with business leaders' directives to bring capital and ongoing costs under control? Our advice: CIOs must sit security groups down at a table with legal counsel and data owners to hash out issues. Having these hard discussions up front is the only way to counter skepticism, like that expressed in our poll, where just 18 percent of the 456 business technology professionals surveyed said they were using cloud services, compared with 34 percent who have no interest. More than half said they are very concerned about security, with performance, control, and concerns over vendor lock-in and support rounding out the top five worries.
We've heard this refrain before for software as a service (SaaS). If you don't control your data – or, in some cases, even know where in the world it's residing – you can't govern it, and you surely can't promise an auditor that it's protected from unauthorized access. But even more than SaaS, cloud computing, by its distributed nature, raises issues regarding privacy rights and regulatory compliance. This is true whether you subscribe to the infrastructure model of cloud computing, where you lease resources on a metered basis, as with Amazon.com Inc. (Nasdaq: AMZN)’s Elastic Cloud Compute (EC2) and Microsoft Corp. (Nasdaq: MSFT)'s Azure, or an application platform model, where application services in the cloud are populated with your data, as with Salesforce.com Inc. or PeopleSoft Inc. (Nasdaq: PSFT). Governance issues, such as data management and regulatory compliance, are still very much in limbo. The courts and industry groups will eventually help develop guidelines, but for now, we're on our own.
Why aren't enterprises falling all over themselves to buy and use cloud services? Is it risk aversion? Is it a lack of confidence in the service providers? Is it just another version of the insource/outsource debate? Or is it something else more fundamental?
I know that as we discussed building applications that are to be used in conjunction with securities trading, we had many concerns about overall system performance that we had to work through. Although the service was to be provided in a SaaS model, the datacenters would continue to be owned by the service provider, and the new infrastructure and applications would be added into the existing datacenters leveraging the physical infrastructure already in place. While the application was being architected to run in a grid/virt/cloud agnostic way, controlling the underlying infrastructure and its performance was too near and dear to the basic application for any consideration of a cloud deployment early on, at the very least.
That’s not an indictment of the cloud providers. That is more of the parochial view of a traditional IT department “controlling” the infrastructure.
Remember way back in the ‘90s, when service providers were going to build storage in the net? How successful were those ventures? I know the carrier that we were working with had big plans and hopes for that service that never materialized. ASPs for applications other than infrastructure seemed doomed to the same fate. I know of services being established to take snap-shotted data off of the enterprise SAN and ship it to a service provider for safe-keeping. These services at least had more of a fighting chance—for the raw asset they stored was only the “backup” in case of a serious event in the primary data center.
I think that strikes more at the core. For some enterprises, losing control of the primary data is the issue. We were okay moving our apps outside the firewall through a browser. It took a while to get comfortable with, but it is now acceptable. We were comfortable with moving our entire data center out of our control, as long as the in/outsourcer could demonstrate that our stuff was being managed safely, securely, and in many cases better, than we were capable of. We could touch our data when we needed, and could build protections into the agreements. After all, we could send someone over to touch “our” hardware; we could test the security and service levels easily enough. In some cases, after all, the data center was still in our buildings.
As virtualization became real, for the traditionalists it was little mainframes all over again, right? I partition off this part of the machine for this app, and this part to that one—and we’ll use a SAN so our data is easily available should we have to reconfigure our virts. Inside the firewall, this was good news; we can drive up the utilization of our platforms and lower our overall costs.
Putting it into someone else’s data center—even one that may likely have better physical security, network bandwidth, and raw power than we can dream of—means that we are now trusting the whole kit and caboodle out to an outsider—and on top of everything else, we are going to be sharing hardware with our competitors/customers/suppliers on an infrastructure that really isn’t all that trustworthy in the first place, I mean, my gawd, what are we doing here!
And besides, they have the only copy of our data. Not just our email, or our sales funnel, or our customer list. But the whole dang thing. Everything!
That is what we have to convince them is the right and safe thing to do.
I know that cloud services/SaaS are very a la mode right now, and on paper, they can be made to make perfect sense. Especially if it's a pay-as-you-go model, what could be smarter in an era of economic uncertainty and reduced budgets, right?
So why aren't enterprises falling all over themselves to buy and use cloud services?
I think it's more than risk aversion where new models or service providers are concerned. I think it's more than the latest iteration of the insourcing/outsourcing debate. But the more indifference customers show toward cloud, the louder the vendors seem to have to crow about it. What am I missing here?
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.