Cloud security fears 'are overblown'

Concerns about the security of cloud computing services may be overstated, panelists at IDC's Cloud Computing Forum said.

Share

Businesses worry too much about security in cloud computing environments, speakers at IDC's Cloud Computing Forum said yesterday.

Security is the number-one concern cited by IT managers when they think about cloud deployments, followed by performance, availability, and the ability to integrate cloud services with in-house IT, according to IDC's research.

Keeping data secure is critical, of course, but companies need to be realistic about the level of security they achieve inside their own business, and how that might compare to a cloud provider such as Amazon Web Services or Salesforce.com, speakers here said.

"I think a lot of security objections to the cloud are emotional in nature, it's reflexive," said Joseph Tobolski, director for cloud computing at Accenture. "Some people create a list of requirements for security in the cloud that they don't even have for their own datacentre."

That was the experience of Doug Menefee, CIO at Schumacher Group, which provides emergency room management services to hospitals. The company is in the midst of a project to migrate most of its applications to hosted, cloud-based services.

"My IT department came to me with a list of 100 security requirements and I thought, Wait a minute, we don't even have most of that in our own datacentre," he said in an interview here.

Schumacher Group takes security seriously, Menefee said, but as a mid-sized company with only three IT staff working full time on security, he trusts large cloud providers to do it better.

"We get the same level of security with Salesforce.com as any large company using that service," he said. "I'm using the economies of scale."

Schumacher Group stores sensitive data only with providers that comply with the US Health Insurance Portability and Accountability Act (HIPPA), Menefee said. He recently started a project to deploy Google's online productivity tools, but Google is not HIPPA-certified, "so no patient data gets stored there," he said.

Schumacher Group is not a publicly traded company, he noted, and its legal requirements for security are less complex than for public entities. Some large enterprises, especially in areas like finance, will have greater concerns about security, noted Jean Bozman, an IDC research VP.

Promoted