As Cloud Computing Grows, Customer Frustration Mounts

Some users knock the lack of cloud security standards and dubious contract terms.

SANTA CLARA, Calif. -- Users who turned to cloud computing for some of its obvious benefits, such as the ability to rapidly expand and provision systems, are starting to shift their focus to finding ways to fix some early weaknesses.

Cloud computing today has some of the characteristics of a Wild West boom town, but its unchecked growth is leading to frustration, a word that one hears more and more in user discussions about hosted services.

For example, cloud customers -- and some vendors as well -- are increasingly grousing about the lack of data handling and security standards. Some note that there aren't even rules that would require cloud vendors to disclose where their clients' data is stored -- even if it's housed in countries not bound by U.S. data security laws.

Such frustrations are becoming more evident as more enterprises embrace the cloud computing model.

Take Orbitz LLC, the online travel company whose businesses offer an increasingly broad range of services, from scheduling golf tee times to booking tickets for concerts and cruises.

Ed Bellis, chief information security officer at Orbitz, says the company's decision to use cloud-based software-as-a-service (SaaS) offerings enabled it to grow more rapidly and freed managers to concentrate on core competencies.

However, Orbitz, which is both a user and a provider of cloud-based services, sees an urgent need for cloud security standards, Bellis said at the SaaScon 2010 conference here earlier this month. For instance, Orbitz must address a range of due diligence requirements that are "all across the board," ranging from on-site audits to data center inspections.

Standards being developed by the year-old Cloud Security Alliance, a nonprofit group funded by both cloud computing users and providers could provide a solution. The standards would expose data in a common format, which Bellis said would let customers know exactly "what our security posture is."

Such standards "would be heaven," said Bellis, and would "cut out a third of our internal work on due diligence." However, the path to such a standard would be long and agonizing, since it would require the support of large numbers of cloud computing users and providers.

SaaScon attendee Keith Waldorf, vice president of operations at Doctor Dispense LLC, was critical of inflexible contract terms set by some vendors.

He said that one service-level agreement that the e-prescription company had with a cloud provider locked Doctor Dispense into using only the hardware and software available from the provider when the contract was signed, even if the provider upgraded its offerings.

Cloud agreements today "are all over the map, and it's really vendor-driven," said Waldorf, noting that his company has switched to another SaaS provider.

Large organizations should take advantage of their size when negotiating contracts. For example, as part of its contract to use Google Apps hosted office applications, the Los Angeles city government got Google Inc. to agree to pay unlimited damages should it ever violate nondisclosure agreements.

But most users lack such clout, noted Jim Reavis, founder of the Cloud Security Alliance. In fact, in some cases, cloud providers may not even have to provide the logging information needed to prove that there was a breach, he added.

None of those interviewed were willing to try to predict when users could expect to see contracts that require set levels of transparency about data handling procedures and security.

This story was originally published in Computerworld's print edition. It was adapted from an earlier version that first ran on Computerworld.com.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon