The prospect of data security in cloud computing — particularly public-cloud computing — has security professionals taking a cautious approach.
"We are a very conservative risk-adverse company by nature," says Mark Pfefferman, assistant vice president and director of identity and access-management program at Western & Southern Financial Group. "As a life-insurance company, managing risk is part of our DNA." While his company has outsourced some data applications such as payroll to ADP, Pfefferman says there's no interest in turning to a cloud provider to store and process customer-related data.
The main reason springs from the sense that "I don't feel I have good control of the data out in the cloud," Pfefferman says. The company retains its own data center with a staff of IT professionals, and a look at some of the possibilities in cloud computing has left the impression that it not only saves less money than is sometimes claimed but also raises risks substantially.
There are lingering questions about where data might be stored geographically, or what contractual arrangements are required in the event of a data breach, or how back-up is done, Pfefferman says. While Western & Southern Financial Group is making limited use of Google collaboration applications, the intention is to avoid inclusion of any sensitive information.
Gartner Symposium ITxpo preview
These are some of the issues related to cloud computing that will come under focus at the Gartner Symposium ITxpo next week in Orlando, the annual techfest which this year features keynote addresses from Cisco CEO John Chambers, Microsoft CEO Steve Ballmer and Salesforce.com CEO Marc Benioff.
Among numerous Gartner conference sessions related to enterprise use of cloud computing will be "Three Styles of Securing Public and Private Cloud Computing," with Gartner analyst John Pescatore.
"Fortune 1000 companies have to worry about compliance and security," notes Pescatore, who says there's a lot of reasonable skepticism in those ranks regarding public-cloud computing and security. But he adds that small businesses and city governments, "which don't have two nickels to rub together" in these troubled financial times, are looking at cloud-computing as a less-expensive option.
The federal government is regarded by cloud providers like Microsoft and Google as among the biggest fish to land. "Microsoft and Google are chasing the federal e-mail business," says Pescatore, adding he doubts Google really cares much about enterprise business. A recent Gartner report showed Google Gmail has less than 1% of the enterprise e-mail market.
The virtualization of the enterprise is leading to a more direct path to private-cloud computing, according to Pescatore. In addition, cloud-based security services, such as Zscaler, are a good indication of where things are headed.
A recent Harris Interactive survey of 210 IT executives in U.S. businesses paints one picture of cloud adoption and attitudes about it. The survey shows that roughly one-third currently use only private-cloud computing, while another third uses both private and public clouds.
Roughly 1 in 10 uses only public cloud computing, and almost one quarter uses no cloud-computing option at all. Some 43% of the IT execs surveyed said they expect increased use of both public and private cloud platforms, while 29% expect more use of just private-cloud platforms, and 5% expect increased use of public clouds. Another 5% had "no plans" regarding use of cloud computing, and 7% said they weren't sure.
When asked about security issues, nine out of 10 of these IT executives said they believed confidential data is more secure in private-cloud systems than in public ones.
Lack of end user control in the cloud
In a webcast earlier this week on "the Future of the Perimeter," security experts Nir Zuk and Marcus Ranum didn't mince words in voicing their distrust about cloud computing and security.
"People are turning to application-service providers, like Salesforce.com," said Zuk, co-founder of Palo Alto Networks, adding there are "issues with it."
One issue is the relative lack of control of the enterprise end user with Salesforce, especially when the user is outside the perimeter of the enterprise, perhaps "in an Internet café, such as the ones in Moscow, probably running loads of spyware," Zuk said. He said he didn't have a solution to that security challenge right now, though he's thinking hard on it.
Although Amazon and Rackspace may "significantly cut your cost," said Zuk, it's like taking your head and putting it in the sand because among the major challenges there, "you really don't know what security these companies are running." He added you also are not likely to know "your neighbors on the machine." There are many issues like this that aren’t being addressed right now, he said.
Ranum, chief security officer at Tenable Network Security and a security instructor, predicts that five years from now "we'll see some of the cracks in cloud computing," and "what's hot today" will be "the security problem five years from now." In addition, Ranum says people should consider that once everyone rushes into cloud computing, "prices could go up."
"Once everyone is nicely locked in, prices will go up — then they'll go back to the desktop," Ranum said.
And any explanation given by cloud computing providers that they can't always tell you where your data is should be viewed critically, he suggests. "You should know where your data is at all times," Ranum concluded.