The Many Dangers of Cloud Computing
An industry analyst looks at the security concerns inherent in outsourced computing, and gives advice for businesses seeking to contract a cloud provider.
As an emerging technology that promises great cost savings, cloud computing is gaining fans among a broad array of businesses. But do these firms really know what's inside the opaque, puffy concept of cloud computing?
Cloud computing allows companies to outsource part (and sometimes almost all) of their computer processing. Instead of spending on in-house servers and (in the view of CIOs) the surly IT pros needed to service them, businesses simply pay an external provider. They then access their computing infrastructure over the Internet - "through the cloud," in IT-speak.
Better still, cloud vendors tell us, cloud computing is massively scalable. The big box retailer handles a holiday rush with a quick online request for more computing capacity. The growing small business without a big data center can leverage the heavy-processing muscle of a cloud provider.
Seeing gold in them hills, big players have launched divisions to provide cloud computing. The leaders include Amazon's EC2 and Google App Engine. In the excitement, the acronyms are multiplying. Cloud computing's near cousin is Software as a Service (SaaS) - software delivered over the Net - and Salesforce.com touts a version of cloud computing called Platform-as-a-Service (PaaS).
IT pundit Nick Carr hails cloud computing, in his book The Big Switch, as the inevitable next step in business computing. Just as we now access electricity from huge external plants, he explains, we will access computing power from sprawling external processing facilities. Messy in-house data centers are passé. The future is bright, well ordered and reasonably priced.
But Carr's analogy falters when you look at the difference between electricity and data. There's nothing confidential or sensitive about the wattage that flows into your business. But there's something profoundly sensitive about the data that flows in and out of your business.
Merely whispering the phrase "Sarbanes Oxley," with its labyrinthine compliance requirements, is enough to make some CIOs shudder at giving a cloud-based provider even partial responsibility for their document management.
Making those CIOs even more anxious is this uneasy truth: as it evolves, cloud-based service is increasingly provided by a chain of providers. So you've contracted with an outsourcer, who in turn contracts with a series of outsourcers, and on and on - and this global crowd of unknowns is handling your most precious corporate secrets.
It's like the pretty girl in high school who doesn't want to give out her phone number, except she shares it with her steady sweetheart, the football captain - who keeps his address book posted on his Facebook page.
Cloud Computing or Bust
The many red flags of cloud computing are cataloged in Assessing the Security Risks of Cloud Computing, co-written by Gartner analysts Jay Heiser and Mark Nicolett.
Their thesis isn't that companies shouldn't use cloud computing. Rather, companies must go into the process with their eyes wide open, fully aware of the risks, taking essential precautions to stay safe. Or, as safe as possible, given the "black box" nature of cloud computing.
"Probably 'cloud computing' would be more popular already if people didn't have concerns about the risks," Heiser tells me. Still, "I don't think most of the potential users are truly cognizant of the risks. But they have a usefully intuitive sense that this is something new and it shouldn't be undertaken lightly."
(Indeed, a recent Goldman Sachs survey of CIOs' plans for 2009, which indicates that the recession is giving them an upset stomach, doesn't bode well for cloud services. Less than 2 percent of respondents made cloud a priority.)
Cloud computing's myriad security concerns are enough to make one ask: can't we just stay with that golden oldie known as client-server? After all, servers keep getting cheaper and cheaper (and cheaper), and the IT workers who maintain them are, sadly, surely not paid outlandish wages. Why go out of house?
Despite these doubts, cloud computing will indeed realize its potential as the industry-shifting trend it appears to be, Heiser opines. The train has left the station, recession-scared CIOs notwithstanding. Simply put, the cost savings are too great and the business potential too efficient and flexible for the cloud to be ignored.
"It's basically economic, but there are convenience issues," Heiser says.
"There's a control issue. I lump 'cloud computing' in with consumerization with being yet another example of how the end user is taking over the initiative from IT. If they don't like the answer that IT gives them, they'll just go out and buy the thing."
For instance, "How much of SalesForce.com was motivated by sales managers who just wanted to get away from IT and put in their own CRM?"
Moreover, spending on cloud computing is seen as more desirable than writing checks for servers that start aging the moment they're unwrapped. "When you buy something in the cloud, it's an expense. When you buy something like a computer, it's an investment," Heiser says.
"So it's a different color of money and people like that."
Nine Security Concerns - and How to Address Them
The most practical way to evaluate a cloud provider is to get a third party to do so, Heiser says. There are so many questions and concerns that doing all the work in-house may be prohibitive. Making the process still more difficult is the fact that many cloud-based service companies are far from transparent.
"Call up Google and ask them how transparent they are," he says, indicating that the answer will be, 'not very.' "So why should you trust them?"
"I contrast them with Salesforce.com in terms of their transparency," Heiser says. "We emphasize Salesforce as having some early attempts at transparency; we didn't really flag Google as being the evil twin to Salesforce, but they're awfully opaque."
If you or a third party are kicking the tires of a cloud provider, here are issues to be aware of, and recommendations from Gartner for handling them:
1) Privileged User Access
With cloud computing, your confidential data will be processed by personnel outside the enterprise, so non-employees could conceivably have full access to it.
Advice: "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access."