Partly Sunny Views on Cloud Security
By Eileen Feretic
Ask a panel of experts how secure the cloud is, and you'll get opinions that range from partly sunny to decidedly overcast. The experts at "CIOs and the Cloud Dilemma," a March 1 roundtable sponsored by IntraLinks, a provider of collaboration technologies for the enterprise, were no different.
That's not surprising. Cloud security is a topic that engenders strong feelings. Providers are adamant that their security is as strong as--if not stronger than--their customers'. Some of those same customers don't share that view: IT managers are confident about the level of security their organization provides; line-of-business managers, however, may be less clear when comparing the different security capabilities provided by their company's IT department versus the cloud provider.
Cloud computing provides many benefits, including the potential for business growth, innovation, mobility and customer engagement, said the panel moderator, Ted Schadler, vice president, principal analyst, Forrester Research. But, he added, there are also challenges, such as integration, workload, security and trust issues.
Security is a major concern with public clouds, acknowledged Sultan Khan, global IT strategy & governance practice head at Tata Consultancy Services. That's why providers "need to build the confidence level on the customer's business side as well as the IT side," he said.
"It starts with trust," agreed Fahim Siddiqui, chief product officer at IntraLinks. "The cloud must be a trusted place." He said there needs to be "auditability of transactions and processes."
Though all enterprises need strong security and compliance, companies in industries such as finance and health care, as well as government agencies, need to be especially vigilant, all the panelists agreed.
"Financial firms are obviously very sensitive about their data," said Phillip Jacob, senior director of risk management at Axioma. He pointed out that multinational finance companies must deal with various countries' government and industry regulations and security issues.
That's an issue for all global organizations, said David Goodman, chief technology officer at the humanitarian organization International Rescue Committee. He has global responsibility for all technology activities, including RescueNet, the organization's global intranet. Since IRC operates in some dangerous countries, security is a top priority.
Companies that do business in Europe may find security easier in the future. IntraLinks' Siddiqui said that the European Union is working on developing a set of comprehensive EU security and compliance policies that would replace the country-specific ones now in place.
All the panelists acknowledged that cloud security is a challenge, but they believe it's one that providers can handle. "Cloud security is a solvable problem," said Ari Lightman, director of the CIO Institute at Carnegie Mellon University. He added that two things are key to achieving that goal: the right technology architecture and a good business relationship with the provider.
"It all comes down to people," Axioma's Jacobs added. "You need to know the staff at the cloud provider and get a feel for the company. [Cloud security] is really an HR issue."