Is cloud security the chicken or the egg? Are CSOs playing the ‘it’s not secure’ card to avoid anything that, well, smells like work? Are IT pros rabidly defending their turf because they fear their jobs might also be outsourced, along with their data center?
Surveys continually place concerns about data security as one of the top reasons preventing organizations from moving to the public cloud. Yet, Infrastructure as a Service (IaaS) is the fastest growing segment of the public cloud, with CAGR above 40% through 2016, according to Gartner's Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update.
How do these seemingly inconsistent statistics come together?
Rather than discussing the negative points at play, let’s think about what factors are at work. I’ve been talking to a lot of organizations lately — both enterprises as well as cloud service providers (CSPs) — about their cloud migration perspectives, and here’s what I’m seeing…
SMBs: These organizations are moving aggressively to the cloud. They have not yet made investments into building out large datacenters, or their IT staff. They are often growing quickly, and need to spin up their IT services in kind. Also, smaller organizations typically have less bureaucracy, and fewer people saying ‘Well, that’s not the way we’ve always done it.’ This makes IaaS an easy choice, and perhaps, even a godsend. Simply spin up servers when they are needed, and pay for services as you go (and grow).
However, these same organizations don’t usually have a CSO and a team of security pros watching out for data protection. So while moving to the cloud may be an easier choice, there are clearly security concerns that may leave these same companies more exposed than their grown up organizational brethren.
Large Enterprises: Large companies are in the exact opposite situation from SMBs. They typically have invested in big datacenters to support their operations, complete with the (hopefully) well-trained staff to run them. There are processes in place for business units to request IT resources. CSOs are (again, hopefully) playing a strategic role in corporate security policy. As such, the CSOs we’ve talked to are advising caution while considering the pros and cons of the cloud.
Most enterprises have already made the leap to SaaS for departmental applications like HR, sales automation, and marketing. But in many cases, platform as a service and IaaS have yet to prove their value to the organization over what the company already provides internally. At the same time, they recognize that moving mission critical applications to the cloud– when they are ready to do so – will require security controls. Savvy CSOs are investigating these options now, so they will be ready for the inevitable.
A year ago, CSPs told me they weren’t seeing much demand for security features in their networks. Now, they are scrambling to figure out the right balance of capabilities to meet demand.
So, if I were a betting man, and you asked me to predict what will happen in the next two years, here’s what I’d say.
Prediction 1: Cloud adoption will continue to grow at or above the rates Gartner estimates. Why? Because enterprises will work out their use cases, and IT organizations will begin to support the successful cloud pilots that are already being launched (with or without organizational consent). Further, security technologies will evolve, offering more options that are optimized for the unique requirements of the cloud.
Prediction 2: CSPs will rapidly incorporate security features, allowing them to address (and upsell) true multi-tenancy, data privacy and compliance.
Prediction 3: Small businesses will come to rely on the security capabilities offered by CSPs, ideally preventing them from becoming greater targets for hackers.
Prediction 4: We will see more cloud breaches, whether they are hackers looking for data, or accidental misconfiguration, which we recently saw with Amazon’s cloud storage where over 126 billion (yes, billion) files were unintentionally exposed. Organizations simply have to take data privacy more seriously.
That’s my take. What’s your forecast for the cloud?