Data security and loss of control killing cloud?

A recent poll shows that, despite booming cloud adoption rates, concerns over data security and privacy persist.

Hang on, that’s the same as every other poll I’ve read over the last 5 years.

What’s different about this is that attitudes seem to have hardened. The Cloud Industry Forum (disclosure – I chair their code of practice board) polled 250 senior IT managers and business decision-makers from both the public and private sectors in the UK. 70% were concerned about data security and 61% were concerned about data privacy, compared to 61% and 54% respectively in last year’s poll. The exact numbers fluctuate but concerns over data remain consistent.

It’s hardly surprising when you have a constant stream of stories about the latest organisation to fall victim to a security breach or hack. And there is the ever-present backdrop of the Snowden revelations and the US and UK governments reviewing their approach to surveillance, while not forgoing any of their powers. Not forgetting the EU Commission’s push to get the new General Data Protection Regulation finalised later this year.

The notion that cloud is inherently insecure is absurd

But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure. Data is only as secure as the measures adopted to ensure it is secure. If you have taken steps to protect your data on-premise then you would expect at least that in a cloud environment. If you haven't, then your data might be more secure in cloud.

Loss of control

From my perspective, what is more interesting is that there has been a marked increase in those worried about losing control/manageability of their IT, up from 24% last year to 40% now. It’s true that public cloud is often sold on the Henry Ford model — any customer can have our public cloud as long as it is exactly what we already sell with all the SLA and liability exclusions. I have advised clients privately and written and presented publicly on this topic. Summary: public cloud is great, but you need to go into it with your eyes open and be aware of the risks.

Equally, that suggests that some people believe the only cloud on offer is public cloud. Of course, no one really uses the NIST definitions (did they ever?) and consequently the term “cloud” doesn’t mean the same to everyone. If public cloud doesn’t do it for you, then you should consider private or hybrid cloud. These are customisable, allowing the customer to build in the controls they need. And, of course, I should point out that the Cloud Industry Forum (see earlier disclosure) code of practice advocates transparency, capability and accountability.

Are customers lazy?

In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that go with it. Sometimes it is a specious understanding of what the law says: yes, it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud.

If you want something you need to identify clearly what it is you want and your budget for it. Everyone knows that a Smart car and a Rolls Royce perform the same basic function of getting you from A to B but they have wildly different specifications. No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more.

Paul Byrne

Managing Director @ Business IT Solutions

8y

Good article Frank. CIF's Code of Practice does a good job in addressing data security concerns. As in any vertical, there are good guys and the not so good guys. We're in the good camp with CIF.

Encrypting your data will show the judge you've done your best to protect it, but as you know it is not as simple as that. There are various elements to take into consideration, including: 1) Many use "Cloud" collaboration/email apps and think that everything is sorted by the provider, including encryption. Then you read the fine print and you realise they scan your email, documents and contacts to "provide you a better user experience". If you sign up with some Cloud services you'll also realise that they recommend you to connect to people the system shouldn't be able to relate to you. So the encryption may be there for data in transit but then somehow somebody is still able to access it at rest. 2) If you rent somebody else's computer to run your apps under your control and add encryption for data in transit and at rest, your CPU usage bill will go up quite a lot, making it economically less efficient than simple co-location. To me it looks like too many orgs push Cloud as a panacea without being transparent about costs and risks. You need to run short-term workloads? Then use the Cloud, but for your day-to-day operation look at infrastructure alternatives and you'll discover they may save you a lot more money than Cloud. My 2 cents ;-)

Maybe some are rightly waiting to see what happens with the new EU DPA (even if I expect lobbyists to do their job and convince some MEPs to protect corporate interests more than citizen privacy) but then how many orgs will really find technical/economical benefits from a thing called Cloud? As 95% of UK businesses are SMEs with a small local infrastructure and some hosted services like web site and emails, what else do they need? They could save money by moving to a hosted platform (or Cloud if you prefer) the rest of the infrastructure and that will save them some money the first year (excluding migration costs) but what about the following years? Is elasticity important? Most SMEs have predictable workloads. So I think waiting some more to see prices dropping and privacy issues solved is quite a good plan. In the meantime, if necessary, using UK hosting providers may be a good choice.

Max Büchler

Open for new adventures within Digital Transformation & Change + IT & Project Management

8y

Great post Frank. I like the "But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure." Though: "No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more." Quite often when it comes to IT, ITO and cloud, companies: - Expect to get a RR for a (non-)Smart amount of money. - Do think they can customize/kit the Smart to become RR... and/or - Especially will have problems doing the math for T&M when leveling up the Smart. The truly-believe-sense too often ceases to exist...

Patrick Gilmour

Commercially driven Corporate Partner

8y

Really nice post Frank, but (and I'll understand if you don't want to answer this question) is your firm in the cloud?
