Public cloud security is really Mission Impossible

Someday, cloud security vendors and cloud services providers will convince enterprise IT that it's safe to move sensitive data and mission critical apps from the private cloud to the public cloud.


Unfortunately, that day has not yet arrived.

Security practitioners, consultants and analysts interviewed for this story say cloud security vendors and cloud services providers have a long way to go before enterprise customers will be able to find a comfort zone in the public cloud, or even in a public/private hybrid deployment.

When asked for predictions as to when enterprise IT will be willing to elevate their level of play in the public cloud from dabbling in non-sensitive data storage and consuming a little bit of SaaS from trusted entities like, to running business critical applications, the answers ranged from six months to two years.

So, what's hindering public cloud adoption? The hesitation over security in the public cloud centres on:

  • Concerns about securing the communications channels within multi-tenant virtual networks.
  • Uncertainty about how the exploding number of heterogeneous mobile devices will be securely supported in the cloud.
  • An inconsistent path for extending existing identity and access control mechanisms used in the enterprise up into the cloud.
  • Questions on how trusted encryption and tokenisation models need to be changed to adequately protect sensitive data stored in the public cloud.

These potential technical issues are compounded by the fact that public cloud providers are notoriously unwilling to provide good levels of visibility into their underlying security practices. For an enterprise, not having a proper window into the security posture of its cloud provider will stall necessary auditing processes and compliance checks.

But all of the sources interviewed are confident that eventually public cloud security will reach the level that enterprises currently expect in their privately controlled networks.

Growing pains

The public cloud is well past the infancy stage, says Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy.

"It's more like a gifted adolescent who's recently moved to a new community. She looks at things a little differently than others. She handles things differently. People are intrigued because she's kind of cool, but at the same time they hold back a bit because she's still a bit unpredictable," Braun says.

But give her just a bit more time and most people are going to want to glom onto her popularity.

Analysts, consultants and customers say they are encouraged by product announcements from established security vendors as well as from start-ups that address many of these perceived problem spots in cloud security.

Customers are acutely aware that this extensive conversation about security in the public cloud is taking place before they've been forced to actually jump in, which is a luxurious switch from how security was handled during past corporate computing shifts, such as moving to the LAN, setting up client/server operations and opening up the enterprise to the Internet.

"Security administrators simply dealt with the post-deployment security issues as they cropped up," says Gary Loveland, a principal in PricewaterhouseCoopers' Advisory Practice and a lead in the company's Global Security Practice.

With those experiences under their belts, enterprise IT shops are working out the public cloud security issues proactively. "Before they go and add public cloud to the mix, they are asking the right questions that will push their prospective vendors to provide a cloud... that is locked down with most, if not all, the controls they need in place," Loveland says.

According to a study published by the Aberdeen Group's Derek Brink called "Security and Cloud Best practices", nearly half of the 110 enterprise IT shops surveyed said they are taking an approach that involves putting pressure on cloud service providers to implement strong security practices and augmenting those with technology that remains under enterprise control when the cloud providers' measures seem to come up short.

"Enterprise trust of the public cloud is pretty limited at the moment," says Jon Oltsik, principal analyst at Enterprise Strategy Group. But that mistrust doesn't necessarily reflect any hard evidence that security in the public cloud is bad, he adds.
