Cloud security concerns are overblown, experts say
RSA panel compares enterprise fears of cloud security to early, now eased, concerns about virtualization technology
Computerworld - SAN FRANCISCO -- Security concerns should not deter enterprises from using public cloud technologies when it makes business sense.
A panel of practitioners at the RSA Security Conference here this week agreed that if cloud providers are vetted properly, most enterprise workloads and data can be safely migrated to cloud environments.
Any lingering questions by IT security pros about data security and privacy of cloud computing will be allayed just as concerns about virtualization were in the past, they said.
"The horse is largely out of the barn," said John Pescatore, director of research at the SANS Institute. "There is no debate about whether we are going to use the cloud," he said.
Today, though, security concerns are still the major inhibitor of cloud adoption at many large companies. The concerns are most significant among those IT executives considering a cloud migration. Those who have already made the leap appear mostly satisfied with cloud security, the panel agreed.
An Intermap survey of 250 decision makers at medium and large companies found that 40% of those who described themselves as "cloud-wary" cited security as their biggest impediment to adoption. In contrast, only about 15% of "cloud-wise" respondents felt the same way.
Intermap said its analysis of the findings determined that cloud-wary companies are likely substantially overestimating the security risks. This group is less concerned about the performance and cost challenges cited by companies that have moved to the cloud.
Bruce Schneier, a panelist and CTO at Co3 Systems Inc., a vendor of incident response technologies, suggested that companies first consider the level of security offered by the provider.
Cloud vendors provide different levels of security, he said. "The basic issue is, do I trust that other legal entity that has my data on their hard drive?" Schneier said.
Making that leap of faith shouldn't be too difficult for IT executives, he said. Just like they had to learn to trust hardware, software and outsourcing vendors, enterprise IT executives will one day have to start trusting cloud vendors.
The popular perception that the cloud is inherently insecure is wrong, said Wade Baker, managing principal of research and intelligence at Verizon. "It seems to imply this relationship with the cloud is untrustworthy or higher risk."
Despite all the fears about cloud security, there are few instances where enterprise data was compromised because it was moved to the cloud, he said. In fact, a vast majority of enterprise breaches involving cloud providers stemmed from enterprise failures and not cloud provider faults, added Pescatore.
The issue of how to deal with government requests for data in the cloud is still only being worked out, the panelists noted.
Larger cloud providers like Google and Microsoft have already taken steps to foster greater transparency. Such firms are better equipped to legally fight government requests for data access than individual companies, the panelists said.
"The cloud is not an all or nothing strategy," said Eran Feigenbaum, director of security for Google Apps. By properly classifying data and moving public and sensitive data to the cloud, companies can do a better job protecting the really critical information internally, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.