Cloud Faces Security Challenges
AlwaysOn OnDemand panel participants ask, "Are private and semi-private clouds the only safe bets for the enterprise?"
PALO ALTO, Calif. -- Is cloud computing adoption hurt by security issues, compliance concerns or just a poorly chosen name? All these issues were raised during a panel on cloud security at the AlwaysOn OnDemand conference here at HP's headquarters Tuesday.
"The worst thing we ever did was coin the term 'cloud,' which takes a business process and makes it sound ... out there," said Thinkstrategies analyst Jeff Kaplan, who moderated the panel.
But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. "It's actually impossible to secure the [public] cloud today," he said. "You just don't know if your information is going to be processed in Czechoslovakia or Russia, and what they're going to do with it. And if anything goes wrong, who do you sue?"
John Desantis, CEO of identity management provider Tricipher, agreed. "There is a thin veil that is clearly being penetrated," he said.
But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems where the security parameters and service guarantees are known.
Nicholas Popp, vice president of product development at domain management and security provider Verisign (NYSE: VRSN), however, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.
"Customers think security is the cloud issue, but it's really a trust issue ... a governance issue," Popp said. "Can I set the policies I want to and impose them? And second, can I verify that the policy works? It's about governance and control issues."
"You never sell security," he added. "You sell compliance to those who need it. When we look at people embracing the cloud, it's really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything."
Randy Barr, chief security officer at Qualys, said enterprises are demanding their cloud service providers offer greater visibility to make it clear that the systems are secure -- a service his firm provides.
"You can get scans of the cloud system for vulnerabilities," he said. "We're seeing more transparency from providers to meet this demand."
CIO objectionsSecurity isn't the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.
"From an enterprise perspective, the CIO wants to hold off," said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail, in the mix. These services "are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done."
In a later panel, Charles Carmel, vice president of corporate development at Cisco (NASDAQ: CSCO), said that trends like the cloud, and software-as-a-service (SaaS) in particular, are causing "one of the largest disruptions across the IT landscape."
But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com (NYSE: CRM), conceded that "the vast majority of software is still with companies in their datacenters."
"That's the opportunity," Benioff added. "I try to educate people because companies want to hold [us] back, like the people in this building that want to sell more servers."