Information security issues are still holding back the adoption of cloud computing by business. Warwick Ashford reports.
Despite economic pressure for business to cut costs and fervent assurances from cloud computing technology suppliers, security remains a top barrier to cloud adoption, research by the UK's National Computing Centre (NCC) has revealed.
Interest in cloud computing is high and many organisations say they are planning to moving in that direction. But the reality is that only 20% of UK organisations are using infrastructure-as-a-service and only 36% are using software-as-a-service, according to the NCC research.
The advantages of the cloud computing model of a reduced cost of ownership, no capital investment, scalability, self-service, location independence and rapid deployment are widely extolled, so what will it take to get businesses to adopt cloud computing en masse?
The short answer is that it all boils down to trust.
Trust is not easily defined, but most people agree that when it comes to cloud computing, transparency is essential to creating trust.
Businesses must be able to see cloud service providers are complying with agreed data security standards and practices.
These must include controls around who has access to data, staff security vetting practices, and the technologies and processes to segregate, backup and delete data.
Suppliers of cloud technologies and services are quick to claim that cloud computing is well equipped to provide the necessary controls. Virtualisation, they argue, underlies cloud computing, and therein lies the potential to achieve hitherto impossible levels of security.
While virtualisation is viewed with suspicion and fear by many IT directors, suppliers like RSA, IBM and other say that the technology enables organisations to build security into the infrastructure and automate security processes, to surpass traditional data protection levels.
Aside from all the positive spin around cloud computing technologies, a trusted, standard model of cloud computing that will enable faster rates and higher levels of adoption is still a long way off, with relatively little progress being made in that regard in the past year, says William Beer, director of OneSecurity at PricewaterhouseCoopers (PwC).
Despite some isolated progress on the technology front, many organisations already using cloud-based services are motivated mainly by the cost savings they can achieve, and consequently pay little, if any, attention to security, says Beer.
"We are still being surprised by the weaknesses and lack of maturity in security models used by many of the cloud-based services on offer," he says.
It will take a significant data breach by a cloud services provider, he believes, before consumers of cloud services will realise the inadequacy of current models and demand better safeguards around their corporate data.
During 2010, unexpectedly, the cloud went from a place for development and quality assurance, to a place for real production applications and data to live, says Gary Palgon, vice-president of product management as security consultancy firm nuBridges.
"This was primarily due to the cost savings to businesses and the tougher economy forced them there. The result is that the timeframe for acceptance of production applications in the cloud has accelerated," he says.
However, Palgon recognises there is still some way to go before CISOs will readily accept putting sensitive company data in the cloud.
2010 was a year of experimentation and piloting for cloud computing, rather than one of full-scale implementations in the mid-market, says Bob Walder, research director at Gartner.
But, he says, dismissing cloud computing in 2011, because there is no high market penetration today, will lose IT providers a bigger opportunity two years from now.
In the short term, he says, IT providers should create cloud solutions that are viewed as extensions of existing IT environments.
On the other side of the equation, says Beer, all organisations should be looking at the benefits cloud computing can bring to their business.
"They should be looking at cloud, they should be looking at it today, but they should be looking at it cautiously," he says.
While the initial positive uptake, which varies from sector according to risk appetite, is mainly driven by cost, PwC believes that to move things on, cloud computing service providers will have to begin adapting to the specific security requirements of highly regulated sectors, such as financial services.
Service providers will also have to recognise that all UK organisations are obliged to comply with data protection legislation, policed by the Information Commissioner's Office, which has steadily increasing powers of enforcement.
Initiatives will have to come from the service providers themselves, because progress on standards that depend on industry consensus is traditionally slow, says Beer.
RSA, the security division of EMC, has a vested interest in fostering cloud computing, and to this end, is planning to take a leadership position in planning to introduce a set of cloud-based services to be known collectively as RSA's Cloud Trust Authority.
Lack of trust in cloud computing is slowing broader adoption of cloud services, RSA executive chairman Art Coviello told attendees of RSA Conference 2011 in San Francisco.
The aim of RSA's initiative is to provide the tools organisations need to give them the necessary oversight of operations at cloud service providers, to assure customers that security service level agreements are being met and build the trust necessary of organisations to adopt cloud computing for mission critical applications and storage.
Best practices derived from initiatives such as these, says Beer, may give rise to cloud-specific standards, but again he points out that reaching agreements on standards, interoperability and third party certification programmes always takes time.
In the real world, some cloud computing service providers are turning to existing security standards such as ISO 27001, even though there is still much debate about whether its suitability to the cloud environment.
This approach is typically at the insistence of customers, says Beer, but is having the positive effect of making service providers see the commercial benefit of security standards, which may help build momentum in the industry.
A lack of common security standards and the ease of retrieving data if a change of supplier is required, were among the top security concerns among IT decision makers in the UK, research by the NCC revealed.
Using existing standards is a start, but Beer believes that ultimately the cloud computing industry will have to establish its own standards because the business model is fundamentally different as is the way users will engage with services.
But some progress is being made in this direction, says Gerry O'Neill, vice-president of the Cloud Security Alliance (CSA), UK & Ireland Chapter.
A great deal of effort has been dedicated over the past year to bring greater clarity and definition to questions of security and assurance in cloud services, he says.
In the public sector there are several examples of guidance and processes being developed for secure and appropriate use of Cloud services, says O'Neill. These include the UK Government G-Cloud project, ENISA Cloud Security Report, and the US Government's FedRAMP Guidelines.
There have also been a number of industry-wide initiatives aimed at giving the necessary assurance to CISOs, CIOs and business managers to enable them to use cloud services with a degree of assurance which matches their organisation's appetite on risk and compliance.
These initiatives include the Cloud Security Alliance, A6 (known as Cloud Audit), and the Common Assurance Maturity Model (CAMM).
For its part, says O'Neill, the CSA - formed 18 months ago to promote the use of best practices for providing security assurance within cloud computing - has been bringing together stakeholders around the world with the aim of progressing the definition of cloud security frameworks and guidance. The CSA has also developed the first recognised personal certification in the cloud security space, namely the Certificate in Cloud Security Knowledge (CCSK).
"By the end of 2011, PwC would like to see more consensus around standards, as well as an escalation of the security considerations of cloud implementations so they are considered as important by organisations as scalability, cost and technology," says Beer.
Until organisations consider how security is built into the cloud computing models they are considering, they will always face significant data protection challenges, he says.
Organisations should expect service providers to be able to answer basic questions around their security model and provide indicators of what they are doing to keep information safe in the same way they can answer questions about technology, scalability and cost.
Consumers of cloud services also have a role to play in improving security in the cloud by applying all they have learned from outsourcing models and mistakes of the past and ensuring security requirements are built into contracts in the form of service level agreements.
Also, as with traditional outsourcing, organisations moving to the cloud should never lose sight of the fact they remain responsible for their data and cannot shift blame to their cloud service provider if things go wrong.
The NCC research found almost a quarter of organisations polled had experienced security incidents involving the service provider's staff. Corrupt data affected 20% of respondents, 17% suffered data loss and 7% had data stolen.
Steve Fox, managing director for the NCC, says that as it takes time to modernise legislation and standards are voluntary, if cloud suppliers are to tap the latent demand for cloud computing services, they must not only address security concerns, but they must also improve existing service levels.
The natural progression, says Palgon, is from keeping applications and data on-premise; to running applications in the cloud while still keeping the sensitive data locally; and finally to running applications and storing sensitive data in the cloud.
Some organisations are currently in the second phase, with some security suppliers enabling this hybrid approach by putting tokens in the cloud so the data vault can still be on-premise.
Commentators generally agree most organisations will eventually arrive at the third stage where all applications and data are in the cloud. But Palgon says this will happen only when the third-party data security companies have the credibility to store the data safely.
"We will first have to arrive at the situation that we can store data in the cloud with the same confidence that we store money and other valuables in banks today," he says.
Moving into this third phase will mean the full vision for cloud will have been achieved, with cloud service providers able to store information more securely than individual organisations can themselves in the same way as banks can store money and other valuables more securely than its customers at a reasonable cost.
In other words, CISOs will accept putting sensitive data in the cloud only when service providers can guarantee better security than their own organisation can, or the same level of security at a lower cost.
The beauty of cloud computing, says Beer, is that service providers will be able to attract, retain and train to the right level much larger security teams than most business organisations would have internally.
In the absence of fully trusted cloud-based service providers that enable complete visibility of operations in compliance with established standards, the status quo of hybrid operations that pull together on-premise, private and public cloud systems is likely to continue.
Businesses will continue to use cloud computing services according to a risk-based model, putting as much as they can into the cloud to cut costs, but keeping high-risk data on premises to maintain the highest level of control and visibility over this data.
In the year ahead, the CSA's Gerry O'Neill predicts a marked and steady increase in the uptake of assured cloud services as stakeholders engage to hammer out certifications.
A high degree of co-operation and partnering will help prevent the unwanted proliferation of a myriad of unrelated initiatives or compliance frameworks, which has got to be good news for the over-audited and compliance-weary CIO, he says.
Cloud computing areas identified by the CSA requiring further R&D
Cloud computing and small to medium businesses
Small or mid-size businesses (SMBs) present a significant opportunity for cloud service providers, says Bob Walder, research director at Gartner.
SMBs have always been a natural segment for managed and hosted services, but he says the economic crisis has pushed more SMBs towards cloud-based services because of the need to reduce capital expenditure and overcome IT resource constraints.
The inhibitors are data security concerns, compliance requirements, service levels and trust, says Walder.
But, the success of server virtualisation initiatives in the SMB market has made organisations more comfortable with the prospect of cloud computing, and consequently, SMBs have become confident in the agility and flexibility of the virtualisation architecture and reliability.
"Now that they have become comfortable with the idea of multiple, virtual applications residing on a single physical server, it matters less to them where the physical servers reside. This comfort level and acceptance of the decoupling of the application services from the hardware will drive cloud adoption," says Walder.
SMBs should never consider moving into the cloud without first ensuring they have the correct security in place for doing so, says Paul Judd, UK and Ireland regional director for Fortinet.
"If you are an SME with up to 10 seats, committed to securing your information in the cloud, and you've assessed which applications you are happy for that to happen to, then cloud computing for some applications may indeed be a good option," he says.