Many IT departments have put off public cloud deployments in favor of private cloud virtualization projects under the guise of security concerns — but new findings show that these private cloud deployments may be no more secure than their public counterparts. That’s good news for managed service providers with the right security chops and infrastructure to support cloud deployments, some managed services experts say.
Conducted by Unisphere Research on behalf of security vendor AppSec, the survey asked 430 members of the Oracle Application Users Group about their database security and risk management practices. Among these respondents, 45 percent said they think there is still risk in private cloud computing and had reservations about sharing data and application services outside of their business units.
"One of the major show-stoppers so far with public cloud is fears about putting your data and your business out with an outside third-party provider," says Joe McKendrick, lead analyst for Unisphere and author of the survey report.
"There’s a lot of discussion about private cloud where companies basically assemble their own clouds and provide their own online services across the enterprise as a remedy for this. They believe that because the data and applications stay within the bounds of the enterprise, there’s a little bit more control. But the problem is then that there aren’t enough controls within the enterprise to guard this data."
According to the survey, three out of four organizations did not have a defined strategy for cloud security. McKendrick believes one of the biggest problems hampering private cloud security is the rampant replication and scattering of database information, with few controls, that occurs when many businesses implement cloud solutions within the firewall.
"The foundation of private cloud is essentially having the enterprise make data and applications accessible to anybody across the enterprise who needs it and there are a lot of questions that raises," he explains. "What happens is a lot of data is replicated or taken out of the production environment, where it may be secure, to other environments where controls may not be as stringent."
These findings could be just the statistical foundation some managed service providers are looking for to strengthen their cloud and virtualization service pitches. For example, Miami, Fla.-based Terremark woos customers to use its cloud services with security, compliance and monitoring all leveraged as competitive differentiators.
"We have that same argument (about public versus private clouds) continuously," says Pete Nicoletti, vice president of Secure Information Services for Terremark. "We have the security skill sets and a lot of companies don’t have skill sets, or 24 by seven security operation centers."
Not only do service providers have more resources, but they also handle cloud security daily for hundreds or even thousands of customers. That operational experience can offer definite security advantages over the in-house experience of a staff gung-ho on building out private clouds.
"We have what we refer to as collective intelligence, where we’re doing it for a lot of other people. So what we learn here, we apply there," Nicoletti says. "I like to say that we’re audited millions of times per year, because not only are we audited by the people showing up that do physical audits and PCI audits and NIST audits and HIPAA audits, but we’re also hit by Qualys a gazillion times a day and hit by all these other scanning companies to make sure we’re doing the right thing. Whereas a single company may only be audited once."