AWS re:Invent: Users hold back from putting sensitive data in the cloud

Despite the benefits of cloud and a "cloud-first" strategy, security concerns are stopping many users putting sensitive data in the cloud

Customers of AWS public cloud are reaping the benefits of cost savings, elasticity and scalability, but many are still wary of putting sensitive applications in the cloud, despite having a “cloud-first” and “cloud-ready” strategy.

At an AWS customer panel session at Amazon’s first user conference, re:Invent, Bharat Shyam, CIO of State of Washington, the public sector organisation providing government information and services, said: “We adopted AWS and have seen benefits such as easy scalability and cost savings.”

“What we are not putting on the cloud are applications with sensitive data on it. This is because, as a public sector organisation, we are risk-averse,” Shyam said.

“It is not that the public cloud is less secure than our internal infrastructure but just that, should there be a breach, there may be allusions that it is because we did something different.”

Troy Otillio, cloud strategist at Intuit and another AWS public cloud customer, said that, despite finding efficiencies in IT with AWS cloud, Intuit still runs sensitive data on apps hosted in-house. Intuit develops financial and tax preparation software services.


“We have so far put about 12 to 15 applications on AWS but still refrain from putting any private or sensitive data yet on to the cloud,” Otillio said.

Many AWS customers – including publisher Elsevier and financial recruitment consultancy Robert Half International – said they had adopted a cloud-first or cloud-ready strategy.

“We have tried to make our internal datacentre unattractive so that our organisation adopts more cloud-based services,” said Sean Perry, CIO of Robert Half International.

“Whenever we hear about hardware or virtualisation announcements such as VMware launching vBlock, we refrain from investing in them because we want to make cloud more attractive to our business,” Perry said.

Low confidence in public cloud

Despite this cloud-first strategy and finding clear benefits of cloud computing, customer confidence in the public cloud to host sensitive services was low.

“We have a couple of physical tenants left in our datacentres for specific reasons but most of our apps are in the cloud,” Perry said.

Document management company Aconex is an AWS customer and has refrained from putting its customer data on AWS. 

“Our IT team is confident of putting sensitive data in the cloud but our customers would not allow us to,” said Nock Hobden, an engineer at Aconex.

Anil Shrestha, IT manager of Verisk Health, said: “We are a healthcare service provider but the business agreement clause we have with our customer forces us to keep these apps in-house.”

Government organisations are not good at taking risk, but something will tip the scales soon and users will in future become more confident about using cloud for all types of applications, Shyam said.

Enterprises break the mould

But not all organisations are equally wary. Netflix has posted all its applications on the AWS cloud. 

“AWS shared white papers, which have little tricks and tips on how to manage data on the cloud, which has helped us put some of our apps with critical data on the cloud,” Perry said.

Experts explained that many users are wary of the cloud because of the fear that cloud is beyond their control.

“No matter how secure the cloud is, some data are hosted in-house for various reasons such as government regulations and compliance,” said Darren Person, CTO of Elsevier.

While AWS reiterated the cloud security certifications it has achieved, it is the certifications and compliance of the apps that matter, Person said.

“AWS can offer all the certification they want, but if the app you put on the cloud is not certified, then there could be data loss,” Person said.

He urged users to follow the best practices of cloud computing such as encrypting data in transit as well as data at rest on the cloud.
