In my previous post, I argued about how public clouds will eventually dominate the enterprise IT scene through better economics. I also pointed out that it is not going to happen anytime soon because of concerns about security and compliance. Many of the public cloud advocates dismiss such enterprise concerns immediately and some even want us to believe that public clouds have better security than the private clouds. It is more of blind evangelism than any realistic understanding of what is at stake.
To be honest, we have folks with extreme positions on both sides of the debate. On the public cloud side, we hear arguments without any substantiation that public cloud providers have better resources to manage security than what enterprises have in their IT team. On the other side, we have fear mongers who try to convince you that the moment you step out of your datacenter, your business is bound to be doomed. In my opinion, the debate is not black or white. There are many factors that go into the equation including the nature of your data, the size of your company, your current infrastructure, etc.
As an unabashed advocate of public clouds, I feel that we should take the concerns of enterprises seriously and push the public cloud providers to address those concerns effectively. Definitely, one of the biggest concerns is the idea of giving up control. In the past, I have argued against it by saying they need a mental shift. However, I have come to realize that such dismissals of their concerns are rather naive. The loss of control could be a big factor for some. Frankly, today’s public cloud providers are not doing much to build trust with the enterprise customers. Yes, we keep getting press releases about compliance but it is not enough to get the enterprises to trust public cloud providers. Enterprises are still clueless about what is in store if something “bad” happens outside of their control. For many organizations, ceding control may not mean much but for some it means everything.
Today’s Wikileaks saga is a good example to showcase their concerns. Many of us are wondering how an Army analyst could get State Department’s secret cables. Looks like the main culprit is the changes the government made to break down information silos in order to help different agencies collaborate more effectively. In short, State Department lost the control over their data and it was accessible to people outside their department (control). Once out of their control, State Department couldn’t do much to protect the integrity of the data and the result is the current mess.
Large enterprises fear the same kind of situation when they consider public clouds. They worry that once they cede control to the public cloud providers, they can’t do much about the security and privacy of their data. Even though it may not be a concern for non-critical workloads, it is definitely very important in the case of mission-critical workloads. Right now what is happening is that public cloud vendors are asking the enterprises to blindly trust them with their sensitive data. As we saw in the case of Wikileaks and State Department, enterprises cannot do anything if something “bad” happens inside the public cloud providers. Clearly, their concerns are not overrated and a mental shift alone is not a solution for this issue.
I don’t entirely disagree when someone says public cloud providers could afford to put together a top-notch security team and hence there is a lesser need to worry about the security. But what I am arguing is that this fact alone is not enough to alleviate the enterprise concerns. It is important for the public cloud providers to go out of the way to build trust. Joining CloudAudit and allowing programmatic access to the audit data can be a good first step. Rock solid SLAs can be another important step. I am not a security expert and cannot talk much on what public cloud providers can do to ease enterprise concerns. People like Chris Hoff have a lot to say on it. However, I can definitely say that it is time for public cloud advocates to appreciate and understand the enterprise concerns and, if possible, work with the providers to address such concerns. Only then can we really move forward towards a world dominated by public cloud services.