CW Security Think Tank: Are security concerns and a lack of adequate risk assessment tools the reason SMEs are not adopting cloud computing, or is the real reason something else that security professionals are also in a good position to address?
Bob Walder, research director, Gartner
Small or midsize enterprises (SMEs) present a significant opportunity for cloud service suppliers. SMEs have always been a natural segment for managed and hosted services; however, during the past 24 months the depressed economy has moved more SMEs towards cloud-based services. The primary drivers are reductions in capital expenditure, the need to overcome IT resource constraints and the desire to improve continuity. The inhibitors are data security concerns, compliance requirements, service levels and trust.
SMEs have historically used several tiers of hosting services, including shared and dedicated hosting of virtual private servers. However, the future for service providers is to offer hybrid services, where SMEs can use dedicated servers, as well as virtualised or elastic-based cloud offerings. These hybrid offerings must be easy to install and manage, and provide intuitive toolsets for SMEs to monitor use, turn compute and storage capacity up and down, and provide application programming interfaces (APIs) for developer access.
The success of server virtualisation initiatives in the SME market has made organisations more comfortable with the prospect of cloud computing. Interactions with SMEs show that they have become confident in the agility and flexibility of the virtualisation architecture and reliability. Now that they have become comfortable with the idea of multiple, virtual applications residing on a single physical server, it matters less to them where the physical servers reside. This comfort level and acceptance of the decoupling of the application services from the hardware will drive cloud adoption.
SMEs' interest in cloud computing is growing. 2010 was a year of experimentation and piloting for cloud computing, rather than full-scale implementations in the mid-market. Dismissing cloud computing in 2011, because there isn't high market penetration today, will lose IT providers a bigger opportunity two years from now. The road to selling cloud services is not uniform across product and customer segments.
In the short term IT providers should create cloud solutions that are viewed as extensions of existing IT environments. In the longer term providers need to develop a portfolio with a spectrum of choices for SMEs to choose from, depending on their business requirements, IT functionality requirements and their budgets.
John Walker, London chapter, ISACA Security Advisory Group and director of communications, Common Assurance Maturity Model
It has been suggested that the reason SMEs are not adopting cloud computing (cloud sourcing) is that shortfalls exist in the area of risk assessment around this set of infrastructures and associated components.
On numerous occasions I have encountered flaws in the approach to risk assessment, and this can be a matter of putting the cart before the horse. It may not necessarily be the lack of risk assessment that is holding back adoption of cloud by the SMEs, but more a case of a lack of understanding about what cloud is, associated with over-attention being paid to the circulating "fear, uncertainty and doubt" (FUD).
I have found that an approach based on validating security through the risk assessment process can tend to look at the requirement from the wrong end of the stick - in other words, rushing in, and then making some rational, or even at times irrational, judgments based on a bespoke security assessment, applicable only to specific operational requirements. While on occasions this may work, it can be an imperfect science, and can be lacking in a robust, proactive structure to manage security. With the risk assessment approach, on occasions, there can be an over-eagerness to manage risk in the operational sense, which does not, in my experience, necessarily compensate for the identified real-time exposures. It can be a case of managing security, over 'managing' security.
As for FUD, of course there are valid concerns about cloud sourcing, but remember that what is in-house, especially in the case of the SME, may be less than perfect when it comes to security and maintenance of operational environments - and a correctly engaged and contractually obligated cloud just may furnish the SME with a level of operability, economies of scale, technology, and security that could never have been achieved in-house.
Adrian Davis, ISF principal research analyst
SMEs (especially the 'S' ones) often do not have the luxury of information security departments, so security and risk concerns are difficult to address - and can stop cloud adoption. However, SMEs often face similar risks compared to their larger brethren. Recent ISF work has revealed "seven deadly sins" of cloud computing that are committed by larger organisations and, to a broad extent, these also apply to SMEs.
For an SME, the ISF believes that the sins of ambiguity, doubt, disorder and complacency weigh heavier than other sins. Ambiguity about information security and contractual arrangements; doubt about the on-going security provided by the cloud provider; disorder of information - information classification is not widely practised, which complicates the creation, storage, processing, transmission and destruction of information; and complacency because the cloud is "always on" and data is always recoverable - both are enough to keep a global-level CISO awake at night, let alone an IT manager in an SME.
All of these sins can be overcome - but it will require effort from both sides. Cloud service providers should commit to meet an industry baseline and publish their performance against it, thus clearing away ambiguity and doubt; SMEs should understand what they want from the cloud, how they are going to use it and what their risks may be - but driven from the business perspective.
Information security and IT professionals can assist by addressing the seven deadly sins; using a consistent approach to measure external supplier security; and by understanding industry initiatives such as CTA and what they mean for the SME and its information.
Numerous articles in the media about the security risks of operating in the cloud contribute to the perception that working in the cloud is a risky business and dampen the enthusiasm of potential adopters. However, recent surveys, including one from Microsoft, reveal that there is growing acceptance of the cloud computing model among SMEs, with 39% of SMEs expecting to be paying for cloud services within three years - one-third more than in 2010.
There are, of course, risks associated with operating in the cloud and some of these risks become more pronounced when you are operating in a virtualised environment with little assurance about the location of your data. However, these risks can be managed and must be viewed in the overall context of the business; this is particularly true when you are talking about SMEs who may not have the same resources to dedicate to IT and security as larger enterprises. In this case, the cloud model is likely to offer better, more secure, services as the providers are able to recruit, train and retain dedicated security resources that can be too expensive for SMEs to employ.
What can we do to improve the ability of SMEs to tap into the benefits? We need to recognise the undoubted benefits that the cloud model offers to organisations with little in the way of IT resources or expertise and educate the client-base on these benefits. At the same time, we also need to consider the risks to the business at hand (working in the cloud can have its complications, for instance with compliance) and adopt pragmatic mechanisms for quantifying risks to enable business-driven decision-making.
The three key things that security professionals can do to help our clients are the things that we should always be doing (cloud or not). It's about educating our clients on the real (rather than perceived) threats, vulnerabilities, attack vectors and associated impacts to their data or business processes. We must be accepting of change and, we must deliver pragmatic advice to SMEs so that they do not succumb to scare-mongering.
Benedict Olaoya, director of security awareness, Cloud Security Alliance, UK and Ireland Chapter; independent compliance, assurance, risk and governance consultant, CARG Consulting
Amazon releases online music cloud player; IBM introduces cloud-based social analytics; Playstation Plus offers game saves in the cloud; Google Cloud Connect gets official launch; New Apple cloud service to launch in spring; Virtual Internet unleashes cheap Microsoft Exchange cloud computing email service. All these were news in one week. Is moving to the cloud avoidable or is it a phobia that time will heal?
Are SMEs afraid of something they are already engaging in? There are numerous questions to ask as the "cloud" phenomenon has existed long before now. One way or the other, every SME would have engaged in cloud service provision at some point.
The two major concerns associated with cloud computing are security of data and data privacy, according to Forrester Research. SMEs are unsure about how secure their data is with shared back-end infrastructure at the cloud provider. Right-to-audit and access control review are assurance concerns that companies need.
Making someone responsible for your data while still being accountable is a great challenge, especially in an age where you may not exactly know where your data resides. Outsourcers outsourcing outsourced services seems to be the trend of the day. Regardless of the contractual agreements in place, in reality how much more control of the data does the data owner have over the data custodian?
The flexibility of the cloud and the cost benefits and efficiency it provides make cloud computing an option for SMEs. However, these same benefits come with their challenges. The question remains, should SMEs be afraid of services they have already engaged in one way or the other or should they take a more pragmatic and risk-based approach?
Awareness of cloud computing as a whole is key to ensure that risks associated with cloud-based service provision (or shall I say outsourcing) are managed properly. The different service options available and provided by cloud suppliers should be fully understood. Relevant clauses in contracts, identifying what elements to outsource based on proper risk assessments, are all key areas that need to be looked at.
Cloud services are inevitable and are already part of our daily lives. As risk professionals we need to educate and raise awareness for an area that has not only existed for a long time but is here to stay.
Dani Briscoe, research services manager, The Corporate IT Forum
There are clear potential benefits for an SME in the cloud. For an SME, which is smaller and probably quicker to adapt than a large enterprise, the cloud offers access to software that may be cost-prohibitive on a traditional delivery model. It provides an opportunity to use software that doesn't have to be run internally, access to skills that ordinarily would have to have been held in house and levels of support at an affordable price.
In contrast to this agility, large enterprises are often constrained by their very size. Contracts with incumbent suppliers may have years left to run, with substantial exit costs. The investment always has to be offset by the business change required: in a large organisation this can involve many hundreds of users and multiple processes; in an SME it could involve a single person or service.
The results from the Cloud Computing Reality Checker for February 2011 indicate that some of the Corporate IT Forum's smaller members (fewer than 1,000 desktops) appeared most likely to use third-party infrastructure and applications in the cloud. This is in contrast to the majority of respondents, who saw a mix of public and private clouds in use. So the forum can conclude that there is a higher adoption rate amongst SMEs.
The benefits that these smaller members anticipate the cloud will bring include standardisation, a reduction in costs, increased capacity/capability and an extension of the corporate network. This mirrored the choices made by respondents with larger estates, who also added an element of disaster-recovery to their list.
An interesting difference occurs when the challenges or barriers to cloud adoption are discussed. The two main barriers seen by smaller members are the immaturity of technologies currently in the marketplace, coupled with a lack of expertise or familiarity in-house of specific implementations. In direct contrast to this the majority of respondents saw barriers to adoption in the area of data security, hosting and location. Are larger enterprises simply more nervous about a move to the cloud where data appears to be more difficult to control and a leak or breach of a household name instantly makes headline news?
Initial results from the forum's Sourcing Reality Checker show a distinct lack of confidence in outsourcing areas of the business like security. With this point of view it is unlikely that members would be comfortable adding an extra layer between themselves and their providers, seeing it as something out of their control and unnecessarily complex.
The introduction of platforms and alliances like the Cloud Trust Authority (CTA) and the Cloud Industry Forum (CIF) is a well-intentioned first step. Users and potential users will want to be able to assess and differentiate between the services on offer from different service providers. They will need to assess service providers in terms of their portfolio fit, supplier and procurement requirements, their organisational approach to risk management and the business-criticality of the service being procured or tendered for. Recognised standards and quality marks are always helpful in meeting these needs. Obviously it is easier to have objectivity in an independent certification; and a universally agreed standard carries far more weight, authority and reassurance.
Vladimir Jirasek, director of communications, CSA UK & Ireland
Cloud computing is all around us. Many organisations use it to support their everyday activities, sometimes even without realising. Services such as web hosting, Google Apps for e-mails, Dropbox for file sharing, backup services and others attract the attention of SMEs as these are easy to use and just work, without complicated setup. It can be as simple as filling in an order form and giving the cloud provider your credit card details, and you are then in the cloud.
The questions SMEs should ask themselves, however, are where is the data stored, how is it protected and what happens if the cloud service stops working, for whatever reason?
Protection of the data in the cloud is a shared responsibility between the client and the cloud service provider. Responsible providers implement security controls to protect both their systems and your data. However, they cannot protect against unauthorised access if a username and password are leaked.
Do you use the same passwords across your company cloud applications as you do on Facebook, for example? If so, it is likely that your company website may display something very different than originally posted, or that clients' files will be leaked to competitors.
Common sense should still be applied by SMEs when trusting cloud service providers with your data. Ask questions such as:
- Do I have a data backup elsewhere?
- Am I using the same password as everywhere else?
- Do I know what to do if something happens?
- How do I take my data out of the cloud service provider and go elsewhere?
Typically, the compensation that an SME organisation can claim against the provider is limited. If the e-mails do not get to your clients in time, the cloud provider's compensation, if you get any, may be a very small portion of the actual loss.
However, cloud services do offer a quick-to-market, easy-to-use and cheap way of addressing SME business requirements. My advice: embrace cloud services, be mindful of which cloud service you select and always have a backup plan. They say "no profit without a risk" and cloud services are an excellent example. The good news is that we, security professionals, can work for you with the cloud providers to limit the risks of going to the cloud.
Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management
I have to admit I view "the cloud" with some suspicion as I've seen the hype before and the technologies of earlier times are not that different from "the cloud" (remember application service suppliers - ASPs - from the early 2000s).
One could postulate that "hype-fatigue" is one possible reason why the take-up of cloud computing by the SME community has been slow. Another, and perhaps better, reason could be that existing services such as e-mail are so well entrenched that there is little incentive to move to a new "cloud" supplier particularly when the service offerings are more or less identical.
New PCs are very cheap, with £400 to £500 buying a reasonable laptop with perfectly usable software included, so why move word-processing to the cloud when your PC will do it and you need to buy a PC in order to access the internet anyway?
While there are security reasons to be wary of the cloud, as a security professional I do not believe that is the issue behind the slow take-up of the cloud by SMEs, as I doubt that many SMEs understand the issues, such as where data is held and Data Protection Act compliance, loss of intellectual property rights, data leakage, loss of internet connectivity and so on.
Improving the SME community's understanding of the security issues will not improve "cloud" take-up, and might do the opposite.