Good post by Kevin Fogarty (thank you) around Security in the Cloud and why it doesn’t work.
One in five don’t secure servers in the cloud? That’s not ignorance or neglect; it’s denial
Cloud computing is such an attractive, all-encompassing integrated enterprise, data-center-quality, dynamic computing paradigm that every company seems to want to jump on board.
They’re doing it, to be sure, but not nearly as quickly or enthusiastically as most analysts expected even a year ago (when adoption rates were, similarly, a disappointment from the previous year).
The issue isn’t how big or complicated the company or its IT is. In a report comparing spending on software by SMBs vs. enterprise (big) companies, Gartner estimated SMBs are adopting cloud at a higher rate than enterprises. About 34 percent of SMB software budgets go for cloud-based apps or services; only 27 percent of enterprise budgets swing that way.
According to an October Symantec report on cloud preparedness, 82 percent of IT people involved in cloud called security one of the biggest challenges – higher by four percentage points than performance, the second-most-frequently mentioned challenge.
Concerns over security are so high they break down into sub-concerns, each of which carries enough worry to make it a primary obstacle all by itself:
- 58 percent worry about mass malware outbreaks at a cloud provider’s facility;
- 57 percent worry the provider will be hacked;
- 57 percent worry insiders will share data that’s (technically) already outside the company, in a cloud;
- 56 percent worry rogue cloud systems hired by business-unit managers will cause a breach in the primary corporate apps;
- 56 percent worry using an external provider will allow data leaks between different customers inhabiting the same cloud;
- 55 percent worry about DDOS attacks on the provider;
- 54 percent worry about a complete loss of data for a court case;
- 52 percent worry about not being able to recover data for a court case (IT is now officially too worried about lawsuits and e-discovery; see accompanying post for a little appropriate whining about that);
- 52 percent worry cloud systems won’t meet the requirements for regulatory compliance audits.
That’s a lot of very specific worry about something that’s supposed to resolve IT concerns about data and security, not add to them.
Why is security still such a mystery and such a concern?
Security has been the No. 1 concern about the cloud since the term first migrated from the oversimplified-presentation palate of telcos to the artificially overcomplicating presentation palates of tech consultancies.
Security is the reason cited most often for a migration speed so slow that three years after the idea of external, public-cloud computing took over the computing world (or at least its hype cycle) only a third of companies have made significant progress on their goals to adopt it.
According to Symantec’s data:
- between 11 percent and 19 percent of companies polled may be thinking about cloud, but haven’t done anything about it;
- 19 percent to 25 percent aren’t even considering doing anything;
- 19 percent to 20 percent are in discussion or planning phases;
- only 34 percent are either in trials or actively implementing cloud.
That’s not a big percentage for something that takes up so much of the hype-consumption capacity among end-user companies. Vendors still seem puzzled about why adoption is so slow and methodical, aside from how fundamental the change is from concepts of computing based on the physical location of servers to virtualized-everything computing.
Security is credited as the main reason big companies tend to go more for internal private clouds rather than external clouds, not just in Symantec’s surveys but in others from Forrester, Gartner and The 451 Group as well.
Security is also cited most often as the reason both small and large companies have been putting mainly marketing apps, marketing people and application test/development staffs on cloud systems rather than departments they consider “critical” to the rest of the company. (Not often cited but true nevertheless, that ranking is responsible for double-digit increases in depression among marketers and test/dev managers who realize they’ve been ostracized. Depression is only noticeable among smile-all-the-time marketers, however. In test/dev the hands-on crew are all too busy breaking things to not have fun and the managers are already so beaten up one more shot at the ego has little incremental effect.)