February 16, 2011, 12:51 PM — A whole series of startups have cropped up to try to address concerns about the security of the cloud. Most of them don't really address the core issue, though.
Most use technology to address the insecurity of the cloud – adding the ability to track IT resources relegated to the cloud (using a cloud-based service that then becomes another IT resource to track), cloud-based backup for cloud-based data, or testing of apps or data moved to the cloud.
All perfectly valid and perfectly relevant and entirely peripheral to the core weaknesses of the cloud – many of which have more to do with organizational issues, policies or preparation than they do technology, according to a new study from Janco Associates.
The study, mainly blueprints and templates designed to help IT execs find, hire and structure cloud-service deals, is built on surveys of senior-level IT execs, who talked about more than just their technology issues.
All of them are being pushed to lower costs, make IT more efficient and more effective for business units; most are also being pushed by non-IT execs to use the cloud to do it (the version of the cloud found in airline magazines).
Rather than just being able to shove some big chunk of a company's IT infrastructure into the cloud and reap the immediate savings, most of the execs surveyed said they have to do sometimes-lengthy evaluations of their company's own priorities and policies on security, data integrity and control and application availability.
It makes no sense to hire a cloud provider to provide 24/7, five-nines availability for an application no one uses outside of business hours. It makes no sense to hire a high-security, private-cloud service for data that turns out to be so heavily regulated by European privacy rules, U.S. HIPAA regulations or other strictures that it's illegal to house it outside the company's walls in the first place.
Many companies already have all that information on hand, of course, from their own efforts to put together disaster-recovery plans, overall enterprise data-security requirements and the like.
Most don't. They may intend to, but the reports are out of date, much of the data is in places other than where the recommendations say it should be, or various business units don't want to cooperate to either supply information or move the data or applications.
And that's just the internal organizational research.