Various studies back up the point: According to research and consultancy firm Wisegate, more than half of executive-level respondents to a recent survey indicated they would not move protected data to the public cloud because it is "too risky." Another quarter reported they have plans to investigate using a public cloud for critical application needs, but they have not yet made the change. When asked what's holding them back, 73% of respondents indicated security as the top reason for not moving to cloud-based applications for the company's critical programs.
Some cloud services providers believe their technology is getting a bad rep.
Michael Crandell, CEO and co-founder of RightScale, which is a cloud management platform that sits between the cloud users and providers, has a simple response to the question of whether the cloud is ready for mission critical apps: "Absolutely, resoundingly, yes."
"Virtually all of our customers are running production businesses in the cloud," he says, noting Coupa as one example. Security remains the top concern related to the cloud, he admits. "But public clouds have shown themselves to be as secure, if not more secure than private clouds," Crandell says.
In fact, some cloud providers are embracing the concerns around security and using that as a point of differentiation in their offering. FireHost is a Payment Card Industry (PCI) 2.0 compliant multi-tenant public cloud infrastructure offering that has more than 1,000 customers. "Security is our bread and butter," says CEO Chris Drake.
"The key to cloud security is to assume that nothing is secure," he adds. FireHost automatically encrypts customer data and gives customers the keys, meaning that no one but the customer can access the information. FireHost, he says, gleans insights from the threats it stops for each of its customers and uses those to protect the entire infrastructure. FireHost recently claimed that it blocked 19 million cyberattacks for customers during the second quarter of this year.
Still, other cloud providers say security is a "shared responsibility" between the service provider and the customer, as Rackspace CTO John Engates notes. Providers can install top-of-the-line security features, becoming government- and industry-compliant for their infrastructures. But customers have a responsibility to make sure the data they send up into the cloud and the access points to that data are secured on their end.
Engates believes there is an education process that's needed to validate the security features of providers by compliance bodies, which will ease some customers' concerns.