Safety in numbers

Cloud security can be superior if businesses choose wisely

Ron Miller
11 June 2014

3 min read

Because cloud providers support hundreds of businesses, they should be able to afford better security than any one business can, just as a bank vault provides better security than a home safe. But security varies widely from provider to provider, so due diligence is advised.

The cloud offers a variety of advantages, including elasticity, cost certainty, easier management and fast implementations. But the fact that the cloud is out of their control is more than some IT pros can bear. Security remains a primary concern, and it’s hard to convince them the cloud is safe.

Analyst Alan Pelz-Sharpe of Boston-based 451 Research tried, however. During his keynote address at a recent IT conference he reminded the crowd that someone could hire a hacker for US$50 to break into a private data center, while cloud vendors are investing hundreds of millions of dollars on security.

Yet doubts persist.

While quality varies, all cloud vendors must worry about security if they want to attract and retain customers. “As an [individual] enterprise, it’s very expensive to spend [so] much on security expertise, hardware and software and justify the cost,” said Stephane Maarek, vice president for North America at cloud infrastructure provider Outscale, based in Saint Cloud, France. “As a cloud provider, it’s much easier to justify the cost because we have many customers who will benefit from this investment instead of just one.”

Todd McKinnon, CEO at Okta, a cloud identity management vendor based in San Francisco, agrees that while security should matter to everyone regardless of their business model, cloud vendors have a bigger stake. “Security is a top requirement no matter how you deploy an app or product, either in the cloud or on-premises,” McKinnon said. “I’d argue, though, that cloud service providers often dedicate a higher amount of resources toward securing their service versus what any individual IT organization could achieve on their own.

“With a product that’s used by thousands of customers, it’s essential that successful cloud service providers have a dedicated, highly capable security team in place at all times,” McKinnon added. While he conceded that many private companies have a dedicated security staff, many others don’t; they simply add security to IT’s other duties.

DUE DILIGENCE REQUIRED

All cloud providers are not created equal when it comes to security, however, so Pelz-Sharpe advises companies shopping for a cloud provider to conduct their due diligence. Just like in-house data centers, Pelz-Sharpe said, the cloud requires a well-informed balancing act between security and usability. Finding the right formula for your organization requires frank discussions with the vendor and, in the beginning, a willingness to trust that the vendor will live up to commitments outlined in the Service Level Agreement (SLA).

“Though I don’t think there are many folk in the legitimate vendor world bent on doing a bad job and stealing your Intellectual Property (IP), there are many pretty flaky vendors with questionable long-term funding and business plans,” Pelz-Sharpe said. “Many also have flaky terms of service and little or no substance around planning should they be acquired or go out of business.”

That means doing your homework and checking vendor references, talking to colleagues who have used these services and checking on basics like security certifications.
 

REGULATIONS AND STANDARDS

Beyond concerns about security, highly regulated industries like healthcare and financial services often raise questions about whether cloud vendors can meet privacy, audit and other regulatory requirements.
 
“The economics and the innovation of cloud technology continues to push things forward, allowing IT leaders in more heavily regulated industries who see the opportunity to also challenge the status quo and invest in new services as a business differentiator,” Okta said. In fact, many cloud providers commit in their SLAs to meet the requirements of medical privacy, anti-terrorism and other regulations.

As the industry develops, Pelz-Sharpe said, standards for security, integration, migration and SLAs will improve the confidence of enterprise-level customers. “Standards need to come to the cloud world, too, and that alone will alleviate a lot of enterprise concerns,” he said.

For now, enterprises are advised to do their homework. Cloud services can help control costs and usage, provide flexibility and agility and foster entrepreneurship. To gain these advantages, however, companies may need to ask cloud providers for firmer security guarantees. It’s up to cloud vendors to meet those requirements – or lose out to competitors who do. ◆

Watch Cloud computing and business security: http://www.youtube.com/watch?v=5QEEbPCVeKY

Related resources