I Can See Clearly Now...


Recently the Cloud Industry Forum (CIF) called for new efforts to clarify cloud computing, so that UK businesses would adopt cloud services more readily. The CIF called attention to research indicating that 25% of survey respondents (IT decision makers) believed that cloud computing did not provide adequate security controls.

My first reaction to this finding was that cloud computing must be reaching critical mass if 75% of potential users already feel it is secure enough for business use.

The various cloud providers are probably fairly happy with such a statistic, and industry groups promoting better cloud security are probably going to need to find something more scary to put in press releases. However, the CIF's mission, which is to promote a Code of Practice that increases user trust in cloud services, is actually quite valid.

In the past 12 months I have spoken with dozens of large organisations about their security architectures, and I've seen several clear trends. The first trend is that many organisations are considering moving some portion of their IT infrastructure off-premise to “the cloud.” They are doing this to cut costs and improve business agility. That is, they expect cloud computing to decrease the time, cost and effort required to roll out new business services.

The second trend is that most of these organisations are trying to determine what it actually means to move some of the IT environment to the cloud. Does this mean replacing Siebel with Salesforce.com? Does it mean replacing two dozen Windows servers with Amazon EC2 compute instances? Or is it something else?

The third trend is that, once organisations begin considering the first two points – moving to the cloud, and what that actually means – they then begin asking many questions about security, regulatory compliance, and what happens when key data sets are no longer under corporate control.

Of course, that then leads to the obvious security questions: How do I ensure that the wrong people don't see my data? How do I ensure that a terminated employee can't log directly into my cloud services? How do I know that my information isn't being stored on a shared server with a dozen other customers? How can I certify compliance if I am audited? And so forth.

With this in mind, the CIF's mission becomes more valuable. For most organisations, “moving to the cloud” means stitching together services from multiple providers. Sales tracking comes from Salesforce.com, HR services come from SuccessFactors, developer computing resources might be at Google or Amazon. Information may cross multiple providers as the business processes it. Understanding how users can and cannot access those services, and how the data is protected, is therefore very helpful for creating and enforcing internal policies.

The experience that identity management vendors had with federated single sign-on years ago provides a useful lesson: the barriers to widespread adoption of a technology solution are often not the technology itself, but the legal and trust issues surrounding that technology.

In the federated SSO example, the technology worked well and enabled a user to authenticate at site A, then access protected applications at sites B, C, D, etc. without re-authenticating at each of those sites, provided the sites all trusted A's authentication mechanism. In theory, it brought lower costs to the sites and a better experience to the users, with more security for everyone.

In practice, the technology couldn't magically cause all site organisations to trust each other, and so adoption was slow. In fact, only in recent years, as interest in cloud computing has increased, has federated SSO overcome the legal and trust questions that plagued early adopters.
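To make the federation mechanism above concrete, here is an added Go example (not code from the post, the CIF, or any identity vendor) that models site A as an identity provider issuing signed assertions and sites B, C and D as relying sites. The names, the claim set, the Ed25519 signing scheme and the `NewIdentityProvider`/`NewRelyingSite`/`Issue`/`Accept` functions are all assumptions made for illustration; real federations carry the same claims in SAML assertions or OIDC tokens. The point it demonstrates is the one the post makes: the code that verifies a signature is short, and what decides whether single sign-on works is whether a site's trust store lists A at all.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the claim set site A signs. The field set is constructed for
// this example; real federations carry it in SAML assertions or OIDC tokens.
type Assertion struct {
	Issuer   string `json:"iss"` // site that authenticated the user
	Subject  string `json:"sub"` // the user
	Audience string `json:"aud"` // the one relying site this is addressed to
	Expires  int64  `json:"exp"` // unix seconds after which it is invalid
}
// SignedAssertion is what the user's browser carries from A to another site.
type SignedAssertion struct {
	Payload, Signature []byte
}
// IdentityProvider is site A: it owns the signing key and issues assertions.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, priv: priv}, nil
}

// Issue is called after A has authenticated subject locally (assumed here); it
// signs an assertion addressed to exactly one relying site, valid for ttl.
func (idp *IdentityProvider) Issue(subject, audience string, ttl time.Duration, now time.Time) (SignedAssertion, error) {
	payload, err := json.Marshal(Assertion{idp.Name, subject, audience, now.Add(ttl).Unix()})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{payload, ed25519.Sign(idp.priv, payload)}, nil
}

// RelyingSite is site B, C or D. Its trust store is the technical form of the
// legal/trust decision the post describes: no entry for A means no SSO from A.
// NewRelyingSite builds a site that trusts only the listed identity providers.
type RelyingSite struct {
	Name        string
	trustedKeys map[string]ed25519.PublicKey // issuer name -> verification key
}

func NewRelyingSite(name string, trusted ...*IdentityProvider) *RelyingSite {
	s := &RelyingSite{Name: name, trustedKeys: map[string]ed25519.PublicKey{}}
	for _, idp := range trusted {
		s.trustedKeys[idp.Name] = idp.priv.Public().(ed25519.PublicKey)
	}
	return s
}
var (
	ErrUntrustedIssuer = errors.New("issuer not in trust store")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrWrongAudience   = errors.New("assertion not addressed to this site")
	ErrExpired         = errors.New("assertion expired")
)
// Accept validates an assertion and returns the authenticated subject. Claims
// are parsed only to pick a key; none are trusted until the signature checks.
func (s *RelyingSite) Accept(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	key, ok := s.trustedKeys[a.Issuer]
	if !ok {
		return "", ErrUntrustedIssuer
	}
	if !ed25519.Verify(key, sa.Payload, sa.Signature) {
		return "", ErrBadSignature
	}
	if a.Audience != s.Name {
		return "", ErrWrongAudience
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", ErrExpired
	}
	return a.Subject, nil
}

func main() {
	a, _ := NewIdentityProvider("A")
	siteB, siteD := NewRelyingSite("B", a), NewRelyingSite("D") // D never agreed to trust A
	tok, _ := a.Issue("alice", "B", time.Hour, time.Now())
	fmt.Println(siteB.Accept(tok, time.Now())) // alice <nil>
	fmt.Println(siteD.Accept(tok, time.Now())) // "" issuer not in trust store
}
```

Running it shows site B, which lists A in its trust store, accepting the assertion, while site D, which never agreed to trust A, rejects the identical assertion before it even looks at the signature. The audience and expiry checks are the remaining controls a relying site needs so that an assertion issued for one site cannot be replayed at another, or kept alive indefinitely, which also bounds how long a user removed at A can keep using an already-issued assertion elsewhere.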

While cloud computing is enjoying top mindshare and rapid growth among early adopters, the primary barrier to mainstream usage may well be legal and trust issues related to data protection.

Anything that can be done to increase transparency and remove these issues will be helpful. If CIF is able to make progress with standard definitions of cloud services, it will smooth the path to the promise of cloud computing.

