Cloud Security, Compliance Concerns Overshadow Enterprise DeploymentsBy Jessica Davis | Posted 2010-03-16 Email Print
While cloud computing may make more immediate sense for small and medium businesses, large enterprises face several obstacles. For instance, can public cloud providers meet their needs for Sarbanes-Oxley requirements and achieve SAS 70?
Large enterprises looking to move some or all of their IT infrastructures to third-party cloud providers have taken pause when it comes time for action due to concerns about moving data that they are responsible for to an infrastructure out of their complete control.
After all, it’s still the Wild West out there when it comes to the cloud, and while analyst firms are forecasting that much more computing will move to the cloud over the next several years, there’s plenty of work to be done to get it there. And not just infrastructure building and technology work. Setting up company policies on procurement of cloud services, establishing security standards and meeting regulatory requirements will become important components of any cloud migration plan.
Executives at outsourcing matchmaker TPI told Channel Insider that another factor comes from regulations such as Sarbanes-Oxley that have changed requirements for how publicly held companies must keep and report certain data. Those requirements add another layer of contractual complexity to the cloud, according to executives at TPI.
"Some of the new providers don’t understand the policies that big enterprises need in place for Sarbanes-Oxley," said Tom Lang, a partner and managing director at TPI. To meet their requirements they are looking for providers who have passed a SAS 70 audit.
Lang and Tom Young, another partner and managing director at TPI, told Channel Insider that CIOs at public companies must ensure that their cloud providers follow specific security and authentication rules and that those must be spelled out in the cloud contract. But newer providers of public cloud services, such as Google and Amazon, are in unfamiliar territory with customer requirements of this nature and haven’t baked that language into contracts yet, according to Lang and Young.
More traditional vendors who understand those concerns, such as HP, don't have the same kind of commitment to making cloud services work because it may be disruptive to their legacy businesses. That could leave enterprises out when it comes to making a big jump to the cloud bandwagon in the near future
And there’s also a question as to whether cloud solutions are actually money-savers at all for big companies.
"Clients are asking us to evaluate cloud solutions," said Young. Those clients want to know if such solutions really will make economic sense in their particular situations.
Plus, there continue to be concerns about security. Plenty has been written about the cloud and the security challenges it presents to IT organizations.
McAfee has introduced a new cloud security program aimed at SAAS providers. And cloud computing was one of the hot topics at RSA’s recent conference.
"When the cloud becomes much more economically viable, you’ll find more people looking to solve its security problems," Young said.
But just because these issues remain doesn’t mean that cloud computing should be totally off limits for all enterprise companies.
"The thing we are trying to caution people on is to understand the absolute risk," Young said. That means looking at the relative risk of a cloud solution when compared to a classic solution. Is it really less secure? A classic solution may present more risk in some areas but less in others, for example.
"If more desktops were in the cloud today, it would be a lot less risky than all of us walking around with our hard drives," Lang said.