The cloud is inescapable. Headlines catalog every advance and setback in the as-a-service paradigm with equal fervor. Providers trumpet the model as a panacea for every painful budget cut and desperate business need. And IT professionals scramble to come up with a cloud strategy that will not only help their business slash expenses, but also support the kind of operational agility their enterprise needs to get ahead in the marketplace.
Yet today, most businesses are still only using the cloud to support a small percentage of their IT needs. Current Analysis’ recent survey of North American enterprises, “Enterprise Adoption of Cloud Applications and Services, June 2011,” found businesses are using cloud services to support fewer than 10 percent of their IT requirements today.
While adoption is expected to accelerate in the coming years, organizations are still wary of the cloud as the right delivery environment for many business applications. Hands down, the dominant concern is security. Businesses question whether their data is safe in the cloud, and how they can employ an on-demand service while maintaining regulatory and industry compliance.
Organizations are right to balk at going headfirst into the cloud without some guarantees about protection. The potentially porous nature of the cloud makes for an attractive target, and the virtual nature of the model makes safeguarding on-demand environments a complex, multi-dimensional process.
It doesn’t help that there is still no universally accepted definition of what constitutes effective cloud security. Today, there are no standards or even widely accepted best practices that outline what safeguards and practices providers and their customers need to have in place to ensure sufficient security. Rather, cloud providers and enterprises generally are left to stumble along, relying on a seemingly endless list of auditing specifications, data center standards, regulatory requirements, and industry mandates to provide some guidance on how to protect their cloud environments.
Not only does this make cloud security even more complicated than it needs to be, but this disjointed approach hardly qualifies as good security. Instead, providers and enterprises alike need to focus on core elements of cloud security, including virtualization security, identity and access management, threat management, content security and data privacy.
The industry also should take note of the work on cloud security by the National Institute of Standards and Technology (NIST) as a good foundation for protecting what in the future may be very critical business workloads running in the cloud. Though the organization’s documentation was put together for the express purpose of helping government agencies make a secure migration to the cloud, the principles are equally relevant for organizations in the private sector.
NIST’s guidelines address the fundamental issues of cloud security and privacy including architecture, identity and access management, trust, software isolation, data protection, compliance, availability and incident response. Additionally, NIST outlines considerations organizations need to keep in mind with regard to public cloud outsourcing. The organization also has a wiki to allow for comment and feedback on the guidelines.
The Cloud Security Alliance (CSA) is another resource more providers and end customers are turning to for guidance with respect to best practices for protecting applications running in an on-demand environment. Through frameworks like the Cloud Controls Matrix, which outlines information security control requirements for the cloud, the CSA offers businesses a practical way to judge whether a provider is covering all the necessary bases to adequately safeguard a virtual online service.
Work done through these and other organizations supplies essential direction to providers and their customers as they lay the groundwork for secure and stable cloud environments. What we need to see next is wider adoption of common security principles. This will reassure current customers as well as businesses still sitting on the sidelines that the cloud can be a feasible delivery model for enterprise IT.
Amy Larsen DeCarlo is principal analyst, security and data center services at Current Analysis, a Washington, D.C.-based research and advisory firm.