CIOs Dismiss Cloud Security Concerns

Today I read an article on the web about “CIOs dismissing Cloud Security Concerns”. I found the article quite irritating: first, because this has not been my experience in the field, where CIOs are very concerned about security, even if simply from a compliance perspective; and second, because this is only one of many articles I have seen in recent months trying to downplay security concerns in cloud computing.
Clearly you can start to feel the frustration of many cloud computing providers/vendors about the slow adoption of their new vision of IT by most corporations. And is it really new? I remember, as an ex-IBMer, the ON DEMAND campaign almost 10 years ago. Wasn’t that basically cloud computing? Well, wake up, cloud computing providers, and start knocking on the doors of IBM/EDS and all other providers of outsourcing services. They have been there before from a security and legal standpoint. They will tell you how painful it will be to convince large corporations to move their crown jewels to the cloud.
Instead of downplaying security concerns, why don’t you give your clients a roadmap showing how you will solve all of their concerns about cloud computing? Large corporations will always test you. You will get a little piece of the action (the sandbox environments, for example) and will have to prove yourself worthy. Then, if you are successful, you will get a larger part of the pie. What, therefore, are the security and compliance requirements of corporations that cloud computing providers will have to address in the coming years? Here is a short list:

  • Robust access control capabilities (above all for providers like Google App Engine and Windows Azure)
  • Logging & monitoring
  • Audit trails
  • Long-term Archiving
  • Legal support for cross-national compliance issues (Ever wondered why big outsourcers like IBM/EDS have at least one outsourcing center in every country?)
  • SAS70 certifications and Security SLAs
  • Assurance that the Big 4 audit companies are going to support this move: if you do not convince Deloitte, E&Y, PwC and KPMG, you will be facing an uphill battle

So, dear cloud computing providers, get back to the drawing board and spend some money on these fundamental questions, instead of ridiculous surveys.


One Response to “CIOs Dismiss Cloud Security Concerns”

  1. Tobias Staude Says:

    Gregory, I fully agree.
    There are many examples where the staff do not fully understand the issue with saving sensitive data in the Cloud. The next thing is that they forget to protect one of their clients (smartphones, netbooks etc.), for comfort. And all of a sudden a phone or laptop is lost, and the sensitive data in the Cloud can be easily accessed. The same scenario applies to weak passwords etc.
    Clearly, at the beginning of Cloud computing people should analyze which interfaces to the Cloud they will use. Furthermore, they need to check which clients will access/display/update the data in the Cloud and how all those components will be protected. Having security policies and encryption for single applications (like an ERP system) in place is then not enough; you need to have it for all components and applications that will access Cloud data.

