Cool third-party cloud security apps miss one big problem

Is there an app to help me get the business units to say 'yes?'

A whole series of startups have cropped up to try to address concerns about the security of the cloud. Most of them don't really address the core issue, though.

Most use technology to address the insecurity of the cloud – adding the ability to track IT resources relegated to the cloud (using a cloud-based service that then becomes another IT resource to track), cloud-based backup for cloud-based data , testing of apps or data moved to the cloud.

All perfectly valid and perfectly relevant and entirely peripheral to the core weaknesses of the cloud – many of which have more to do with organizational issues, policies or preparation than they do technology, according to a new study from Janco Associates.

The study, mainly blueprints and templates designed to help IT execs find, hire and structure cloud-service deals, is built on surveys of senior-level IT execs, who talked about more than just their technology issues.

All of them are being pushed to lower costs, make IT more efficient and more effective for business units; most are also being pushed by non-IT execs to use the cloud to do it (the version of the cloud found in airline magazines).

Rather than just being able to shove some big chunk of a company's IT infrastructure into the cloud and reap the immediate savings, most of the execs surveyed said they have to do sometimes-lengthy evaluations of their company's own priorities and policies on security, data integrity and control and application availability.

It makes no sense to hire a cloud provider to provide 24/7, five-nines availability for an application no one uses outside of business hours. It makes no sense to hire a high-security, private-cloud service for data that turns out to be so heavily regulated by European privacy rules, U.S. HIPAA regulations or other strictures that it's illegal to house it outside the company's walls in the first place.

Many companies already have all that information on hand, of course, from their own efforts to put together disaster-recovery plans, overall enterprise data-security requirements and the like.

Most don't. They may intend to, but the reports are out of data, much of the data is in places other than where the recommendations say they should be, or various business units don't want to cooperate to either supply information or move the data or applications.

And that's just the internal organizational research.

Externally, every new cloud deal requires the same due diligence any outsourcing deal would – including auditing the security, availability and redundancy, performance and availability and cost structures of every new vendor.

For an IT resource designed to let customers plug in and go, without having to worry about the technology at all, cloud computing is a lot more complex when applied to real-world, critical business applications than most airline-magazine descriptions really cover.

Third party tools help to make all those arrangements easier after the fact, of course.

They just don't help when what needs to be done is buttonhole a business-unit manager and get him or her to agree to something he or she doesn't really understand, and possibly pay for it.

If there were an app for that, it would rule corporate IT.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon