Blogger: Dan Blum
During the Catalyst conference, some of us Burton Group analysts covering cloud computing risks got the pushback that our positions are overly cautious. One has to be careful these days not to get caught up in the hype, or the fear. Because “cloud computing” is such a general term, any statement or position one takes gets applied to every type of service and vendor. Yet while many vendors and customers use or provide cloud computing, not all of them agree on what it means.
Burton Group categorizes clouds as internal, private (community), or public. When it comes to internal cloud, the organization runs its own virtualized and/or web-facing IT environment. The primary difference between internal cloud and dedicated IT facilities is architectural. Information protection can be accomplished through familiar internal processes, though details of the technologies change.
The strongest security concerns arise with public, multi-tenant cloud service providers that might process and store the organization’s sensitive data. We’ve expressed concerns about public cloud service providers in the posts “Cloud Computing: Who is in Control?” and “To cloud computing vendors: Stop practicing security by obscurity!”
Private (community) clouds fall in between internal cloud services and public cloud services. Some actually deliver software, hardware infrastructure, or both as a service but design and operate the service for customers in a particular vertical industry, such as aerospace, automotive, financial, or health. Some have been around for years and only recently jumped on the cloud computing bandwagon; others are still wondering whether to associate themselves with it. Covisint, Exostar, IntraLinks, SecuritiesHub, and Sentillion are just a few examples of service providers that seem to fit the private (community) mold.
The real question is not whether these and other service providers call themselves cloud, but what value do they deliver and how well do they protect customer interests? Some of them tailor their security measures, audit reports, and contracts to the needs of their vertical industry. A customer in their target industry may be better off with them than with public cloud vendors from a security perspective.
You must also attune your security and compliance expectations for a service provider to what you’re relying on it for. You have to get past the description of a service and analyze it based on the technical capabilities it’s actually providing. For example, multiple providers may claim to offer “secure collaboration,” but one may be an identity broker that sidesteps liability by not storing any customer data, while another actually provides secure document storage. The technical security requirements for these two providers should be different.
The industry is clearly evolving toward a hybrid cloud environment where many different types of cloud offerings (both internal and external) will interact to provide different layers of service. As a customer, you can choose to keep some data and some layers of service under the wing of internal IT facilities; move commodity functions into low-cost public cloud services; or subscribe to vertical-industry-oriented community services. How you mix and match services, and what you rely on them for in the hybrid cloud environment, determines your risk and requirements. It’s not one cloud fits all.
And in that light, our guidance to “Be very cautious about putting sensitive data into the cloud” is still good. One needs to be very careful with sensitive data - wherever one puts it!