Survey after survey shows that the top issue that organizations have when considering the adoption of public cloud-based computing services is “security and privacy”.
Gartner’s own surveys show this:
The survey data above is from December 2009; we’ll be publishing the December 2010 survey data for clients over the next several weeks.
You all have seen similar charts from other survey data sources showing the same thing: security is the top of mind concern.
I believe that cloud-based computing has the potential to be more secure than what most organizations can deliver themselves, so I wanted to dig deeper. Security is such a broad term (encompassing infrastructure security, identity and access management, content security, application security, vulnerability management, etc.) – so, what exactly is it about the security of the cloud that is the concern?
I asked this drill-down question in an audience survey last week at Gartner’s 2010 Data Center conference. If security is the number one concern, what is it specifically that is concerning them? The number one security issue identified was: “Lack of confidence in the cloud provider’s security capabilities”.
So how do we address this? We’ll start with diligence in our RFI and RFP processes as we consider and evaluate cloud-based services. We’ve published quite a bit of research to help our clients with these evaluations. Guidance is also available from the Cloud Security Alliance and other initiatives such as FedRAMP.
Of course, the providers can say anything they want in the RFP, so we need confirmation of these capabilities from an independent assessment. Many providers claim a SAS 70 Type II certification. However, my colleague Jay Heiser has published research for clients showing that SAS 70 is not proof of security, continuity or privacy compliance. Other providers will take certification further with ISO 27001 certification. Microsoft and Google both claim FISMA certification for their cloud offerings.
This isn’t a new concern that is unique to cloud. We overcame similar reservations about the security capabilities of outsourcers years ago (consider payroll outsourcing). Overall, I believe the concern is valid but addressable to a level of risk that is manageable – just like we have done with outsourcing – as we mature our RFI/RFP process discipline and as a level of ‘standards’ emerge for the certification of cloud providers.