Cloud Security Still Not 'Major Priority'

Cloud computing has broken into the mainstream of enterprise IT, but adoption remains fragmented by industry, and acceptance among administrators is far from unanimous.No matter how you define the cloud -- software delivered on a per user/per month basis, or infrastructure leased on a pay-as-you-go basis -- the major stumbling block to mass adoption is, and will for the foreseeable future remain, security.

Vendors of cloud computing services, for their part, have done little to alleviate the situation, other than to assure customers that security is a major concern. The Cloud Security Alliance has only now gotten around to refining initial guidelines it issued earlier this year.

For the time being, companies who use cloud computing believe it's secure, and those who don't, well, they're not quite so sure. For those who do take this leap of faith, their willingness to overlook little things like the lack of a service level agreement has more to do with the business they're in or the expense involved with rolling their own management systems and security apparatus.

To see what I mean, just look at the sorts of data that companies are pushing to the cloud, and the sorts of companies most willing to go that route. Archie Reed, a cloud security expert who holds the rank of distinguished technologist at HP, told me that cloud adoption is very high in certain verticals, including real estate companies, retailers and government agencies. In other words, exactly the type of entities you'd expect; entities that wouldn't mind if their listings, inventory or statistics were accidentally exposed or leaked.

Financial services companies, however -- not so much. Processing data in the cloud, sure. Storing data there -- not on your life. Small and medium sized enterprises aside (where the cost-benefit analysis comes down strongly on the side of relying on cloud services), large companies with a lot to lose from a security breach are still reluctant to store their data in the cloud.

Their reticence is more than the residue of hidebound attitudes about Internet-based services; many cloud vendors don't include security provisions in their enterprise service level agreements (when they offer SLAs at all) -- they simply point to their so-far spotless records.

For many corporate officers, that's not only too big a risk, it's a violation of their fiduciary responsibilities to shareholders, not to mention regulatory mandates in certain cases.

Why isn't security a bigger issue for those vendors? It may well be that cloud computing is a victim of its heretofore exemplary record. Maybe it's going to take a cataclysmic event -- a huge data loss suffered by a large cloud computing company -- to upend the complacency around cloud security. "If and when we see a major breach," Reed told me, "perhaps the focus will move from being 'it's a major concern' to 'it's a major priority.'"