"Consolidation equals a concentration of risk, which the banking industry is already acutely aware of these days after the financial meltdown," said Brian Koval, an information security engineer at Jack Henry Associates, an IT integrator and consulting firm in the banking industry. His firm advises banks to steer clear of public cloud services altogether and instead build cloud-like capabilities internally, he said.
During a Q&A session, one IT practitioner said cloud providers need regulation.
"No one provider should be too big to fail," Koval said, echoing the grim reality of the financial industry collapse, in which the government saved big banks from a downfall that would have had a disastrous effect on the entire economy.
A matter of trust
Christopher Squires, IT specialist at the U.S. Treasury Department, said trust is the biggest issue with cloud computing.
"We own all our servers, there's a comfort level; we don't have to worry about being compromised by things beyond our control."
This sentiment was echoed by other cautious IT pros. Stan Szwalbenest, risk director at JPMorgan Chase & Co., said most systems the bank deals with must be "behind our bricks and mortar where we control it."
He and others are worrying about whether cloud service providers will be around a year or more from now, along with the notion of a single point of failure. "How do I ensure against this in the cloud?"
Vendors offered little relief. Vishal Kumar, senior manager of cloud security at VMware, suggested the industry needs an identity and access service to move users to the cloud securely "without IT having to reprovision them." The audit and compliance element around cloud services was also missing and would have to fall into place before enterprise IT shops are able to really embrace the cloud, he said.
Brian Snow, technical director for the National Security Agency's information assurance department, said "dynamism" was the advantage of cloud services, which is at odds with what most enterprise IT security departments require: namely, "absolute control of infrastructure" and the ability to respond to regulators.
The importance of cloud SLAs
Snow advised IT shops considering cloud services to check their SLAs very carefully.
"There's going to be a whole new slew of lawyers to write these contracts," he said.
An IT operations director with a large retail site said his company is eager to crank up machines on Amazon Web Services, but "they don't provide much of an SLA at all."
Ron LaPedis, founder and principal of Seacliff Partners (ironically, a business continuity and security consulting firm), did not read the small print of his SLA with WebHost and suffered a major outage. He suggested that companies putting their businesses in the cloud think about backing up data to a different service provider.
Dealing with cloud hype
A chief engineer at Mitre Corp., a Department of Defense contractor, said everyone is following the cloud hype, and the DoD IT folks are no exception.
"They are sucked into the hype, but there is a large swath of folks who do not have operations experience in the field. There may be places where cloud makes sense, but when we're talking about people's lives in a war zone, that's the driving factor, not the fact that you can save costs," he said.
"Two years ago, everyone was saying 'SOA, SOA, SOA,' and it didn't save us money."
Jo Maitland is the Executive Editor at SearchCloudComputing.com.