Cloud security fears are overblown, some say
It may sound like heresy to say it, but it's possible to worry a little too much about security in cloud computing environments, speakers at IDC's Cloud Computing Forum said on Wednesday.
Security is the number-one concern cited by IT managers when they think about cloud deployments, followed by performance, availability, and the ability to integrate cloud services with in-house IT, according to IDC's research.
Keeping data secure is critical, of course, but companies need to be realistic about the level of security they achieve inside their own business, and how that might compare to a cloud provider such as Amazon Web Services or Salesforce.com, speakers here said.
"I think a lot of security objections to the cloud are emotional in nature, it's reflexive," said Joseph Tobolski, director for cloud computing at Accenture. "Some people create a list of requirements for security in the cloud that they don't even have for their own data center."
That was the experience of Doug Menefee, CIO at Schumacher Group, which provides emergency room management services to hospitals. The company is in the midst of a project to migrate most of its applications to hosted, cloud-based services.
"My IT department came to me with a list of 100 security requirements and I thought, Wait a minute, we don't even have most of that in our own data center," he said in an interview here.
Schumacher Group takes security seriously, Menefee said, but as a mid-sized company with only three IT staff working full time on security, he trusts large cloud providers to do it better. "We get the same level of security with Salesforce.com as any large company using that service," he said. "I'm using the economies of scale."
Schumacher Group stores sensitive data only with providers that comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), Menefee said. He recently started a project to deploy Google's online productivity tools, but Google is not HIPAA-certified, "so no patient data gets stored there," he said.
Schumacher Group is not a publicly traded company, he noted, and its legal requirements for security are less complex than for public entities. Some large enterprises, especially in areas like finance, will have greater concerns about security, noted Jean Bozman, an IDC research vice president.
Still, one audience member here, admitting that the idea was "counterintuitive," said security concerns may actually drive companies into the cloud.
"It is becoming almost impossible today to secure the enterprise, the cost and complexity are moving so fast," he said. "If you go to the RSA [security] conference, the major vendors will tell you every year that their next release will solve all these security problems that you have today. But they never do."
Frank Gens, IDC's chief analyst, offered a Twitter-sized definition of cloud computing: "Shared services, under virtual management, accessible over the Internet by people and other services via Internet standards." Some, but not all, are offered on a self-service basis, he said.
IDC revisited its growth projections for all areas of IT after the recession set in, and cloud computing was almost the only one for which its projection increased, Gens said. It expects spending on cloud services to almost triple by 2012, to reach $42 billion, or 9 percent of IT revenue.
The benefits of cloud computing cited most often here were the speed and lower cost of deploying new applications; the ability to pay only for capacity used; the ability to scale services up and down quickly; the need for less in-house IT staff; and access to the latest technologies.
Cloud computing has moved past early adopters and is entering the "early majority" stage, Gens said. It is still an emerging area, however, and customers have several areas of concern, he said.
Besides those listed above, panelists here said interoperability is a worry, in particular the inability to move application instances easily between different cloud providers. Another concern is choosing a provider that goes out of business by the end of the year, given the recession.
"We've taken an aggressive approach to monitoring our providers and vendors because everybody is at risk right now," Schumacher's Menefee said. "With smaller vendors who we work with, we're putting code in escrow accounts, and at a minimum copying all our data to on-premise. It may not be functional inside an application, but at least we have access to that data if we need it."
"The number one concern I'll have in 2009," he said, "is whether the software-as-a-service and cloud companies are going to make such drastic cuts in their research and development that their technology will stagnate -- that I'll be left with the same platform in 2010 as I had in 2009."
(IDC is a part of International Data Group, the parent company of IDG News Service.)