Cloud security: Sorry, what was that?

IT shops attempt to square the benefits of cloud computing with a distinct lack of security benchmarks and transparency.

LAS VEGAS -- IT pros at the Enterprise Cloud Summit confirmed the basic stumbling block for enterprises considering cloud computing: security. Even as evangelists and cloud vendors made attractive pitches on cost and ease of access -- the term "business agility" is frequently heard -- attendees made clear that they will need more than enthusiasm to want to participate.

For one thing, many enterprise users don't face immediate needs. A network architect at a Canadian telecom company said her firm was in the middle of a data center consolidation effort, and that she was there to learn some of the nuts and bolts of the cloud, but anticipated no move into cloud until her company started its next upgrade cycle, years down the road.

A January 2009 IDC poll bears out this kind of delay, showing that while the economic slowdown pushed 2% of enterprises into greater cloud adoption, 61% of companies said it would have no impact on, or would even reduce, the pace at which they moved into cloud computing.

Cloud security concerns pose adoption hurdle

But the attraction is real; the pharmaceutical sector is eager to use cloud infrastructure services to alleviate acute IT scaling issues, but concerns over security and compliance have prevented these companies from jumping in.

Almac Clinical Technologies is growing fast -- the size of its clinical trials has jumped from hundreds of people to tens of thousands of people in a matter of months. Getting the infrastructure deployed to support these trials in a timely way is almost impossible, according to Jack Kosowsky, the director of systems development at Almac. But he said protecting the company's intellectual property in the cloud is "critical" before he can even consider using a service like Amazon's Elastic Compute Cloud (EC2).

During the event, cloud proponents warned that enterprises might find frustrated developers and users doing an end run around too-cautious IT management by starting up projects in the cloud themselves. One attendee outlined his firm's prescription for early adopters; he said that credit card ordering of cloud services was immediate grounds for termination at his company.

Concerns range from simply knowing where data is physically located to possible legal and regulatory ramifications for sensitive information. Transparency and well-prepared service-level agreements (SLAs) were key to moving into clouds, said Hezi Moore, CTO of Reflex Systems, at a panel on secure virtualization in a data center. He said larger customers could use their buying power to force cloud providers and data centers to provide isolated clusters of servers and guarantee strong protections. Catbird CTO Michael Berman added that Amazon's EC2 was one of the largest virtualized environments to date and provided no "control visibility" at all, making it a poor choice for secure virtualization.

Liability is another unknown in the cloud computing world: businesses considering using cloud services will need to protect themselves against "information malpractice," according to Drew Bartkiewicz, the VP of cyber-risk and new-media markets at the Hartford insurance company. He said that companies should stay away from cloud providers that are not open to discussing contractual, legal, privacy and compliance concerns.

Michelle Munson, co-founder and developer of Aspera, thinks that reliability "is a much bigger issue than people are letting on." She went on to say that liability and security aside, if cloud computing consolidates into too few providers, it would represent a global security concern of the highest order. Munson points to natural disasters as a primary consideration, like the Middle Eastern undersea outage in 2008, and to Google's 2-hour May 14th outage, saying companies may not realize their exposure until after the fact. "Wait until the first 12-hour outage from a major [cloud] provider," she said.

Overall, the consensus is clear: The cloud's promise of easy, elastic computing power is not enough for users with established IT organizations. That's not to say the interest isn't there -- it is, but real-world concerns far outweigh lofty ideas at this point.

Carl Brooks is the Technology Writer for Executive Editor Jo Maitland provided additional reporting for this story.
