In my previous post, I argued that public clouds will eventually dominate the enterprise IT scene through better economics. I also pointed out that it is not going to happen anytime soon because of concerns about security and compliance. Many public cloud advocates dismiss such enterprise concerns out of hand, and some even want us to believe that public clouds have better security than private clouds. That is more blind evangelism than any realistic understanding of what is at stake.
To be honest, we have folks with extreme positions on both sides of the debate. On the public cloud side, we hear unsubstantiated arguments that public cloud providers have better resources to manage security than enterprises have in their own IT teams. On the other side, we have fear mongers who try to convince you that the moment you step out of your datacenter, your business is bound to be doomed. In my opinion, the debate is not black or white. Many factors go into the equation, including the nature of your data, the size of your company, your current infrastructure, etc.
As an unabashed advocate of public clouds, I feel that we should take the concerns of enterprises seriously and push the public cloud providers to address those concerns effectively. Definitely, one of the biggest concerns is the idea of giving up control. In the past, I have argued against it by saying enterprises need a mental shift. However, I have come to realize that such dismissals of their concerns are rather naive. The loss of control could be a big factor for some. Frankly, today’s public cloud providers are not doing much to build trust with enterprise customers. Yes, we keep getting press releases about compliance, but that is not enough to get enterprises to trust public cloud providers. Enterprises are still clueless about what is in store if something “bad” happens outside of their control. For many organizations, ceding control may not mean much, but for some it means everything.
Today’s Wikileaks saga is a good example of their concerns. Many of us are wondering how an Army analyst could get hold of the State Department’s secret cables. It looks like the main culprit is the changes the government made to break down information silos so that different agencies could collaborate more effectively. In short, the State Department lost control over its data, and the data became accessible to people outside the department’s control. Once the data was out of its control, the State Department could do little to protect its integrity, and the result is the current mess.
Large enterprises fear the same kind of situation when they consider public clouds. They worry that once they cede control to the public cloud providers, they can’t do much about the security and privacy of their data. Even though it may not be a concern for non-critical workloads, it is definitely very important in the case of mission-critical workloads. Right now, public cloud vendors are asking enterprises to blindly trust them with their sensitive data. As we saw in the case of Wikileaks and the State Department, enterprises cannot do anything if something “bad” happens inside the public cloud providers. Clearly, their concerns are not overrated, and a mental shift alone is not a solution to this issue.
I don’t entirely disagree when someone says public cloud providers can afford to put together a top-notch security team, and hence there is less need to worry about security. But what I am arguing is that this fact alone is not enough to alleviate enterprise concerns. It is important for public cloud providers to go out of their way to build trust. Joining CloudAudit and allowing programmatic access to the audit data can be a good first step. Rock-solid SLAs can be another important step. I am not a security expert and cannot say much about what public cloud providers can do to ease enterprise concerns. People like Chris Hoff have a lot to say on it. However, I can definitely say that it is time for public cloud advocates to appreciate and understand the enterprise concerns and, if possible, work with the providers to address them. Only then can we really move forward towards a world dominated by public cloud services.
Related articles
- Why Public Clouds Will Eventually Win The Game (cloudave.com)
- The Cloud Economics : Emerging Signals (enterpriseirregulars.com)
- CloudAudit Joins CSA (cloudave.com)
- Cloud Consortium Releases Security Compliance Tools (informationweek.com)
- Report: Shift to cloud doesn’t have to be a CIO’s nightmare (zdnet.com)
- Wikileaks evades hackers with shift to Amazon (guardian.co.uk)
- Wikileaks: Collaboration vs Silos & Stovepipes (zdnet.com)

Great post, Krish. I certainly agree cloud providers need to do as much as possible to meet exceptional standards for security and compliance. Ultimately, however, it is the role of the enterprise executive to perform the due diligence in vetting cloud providers as well as understanding the fundamental economic advantages of consuming specialized technology services. Google, Amazon, Workday, Salesforce.com and other modern cloud providers could spend all of their time working to satisfy the concerns of every enterprise executive, but eventually the issues at debate are exhausted. The best use of their limited resources is to enable those who are willing to listen and learn about the services available to them and to continue adding customers.
The duty of the executive is to the mission of the firm. If the firm does not specialize in technology services, then it should not be delivering technology services. Enterprises are running IT shops of which they’re the only ones buying – it’s a horribly expensive model, but was historically the only option.
Your Wikileaks example clearly illustrates the critical nature of security, but it speaks as much, if not more, to issues with the status quo. PFC Manning had a laptop with an optical drive, files on local servers and file shares. The Army was unable to manage security trimming properly because of the complexities of sharing data globally via technology originally designed to be used locally and with individual productivity in mind rather than collaborative work. In this instance there could have been many advantages to data centralization and access only via web thin-client devices. By design, the legacy tools simply aren’t up to the task.
Executives can continue to invest in the status quo of owning and running software products, or they can do their homework and begin the transition to consuming technology services. We buy 3rd-party products to generate services, and that’s more secure than buying 3rd-party services? It’s an opinion that will persist for decades, but that doesn’t mean the rest of us have to sit around and wait to move forward.