For most enterprises, cost savings and increased efficiencies are the primary motivations for making the move to cloud computing. But recent studies from Gartner and other firms have identified concerns over cloud computing risk and data privacy as the leading barriers to cloud adoption. In this piece, Ron Ross of the National Institute of Standards and Technology (NIST) and Purdue University professor Eugene Spafford discussed the question of whether adopting the cloud actually brings more or less risk to an enterprise.
Differing Views on Cloud Computing Risk
Ron Ross believes that a portion of an enterprise’s operational complexity can be mitigated by moving certain types of data to the cloud. Specifically, he believes that classifying data as critical versus less sensitive helps an organization identify which data can be moved to the cloud without the same level of concern over security. Moving less sensitive data off premise reduces complexity by decreasing the amount of data the enterprise must manage and secure internally. This shift in data storage essentially places the security concerns on the public cloud provider and removes them from the organization.
But I have found that while this view can be defended conceptually, it has some fundamental problems. First, when enforcement is left simply to policies and audits (i.e., employees being asked to follow policies and guidelines on what data can go where, and audits being run to check compliance), sensitive data inevitably starts to go where it was not intended to go. Second, some applications, such as CRM and customer support applications, often need to contain a mix of sensitive and non-sensitive data. To make these applications usable for groups like Customer Support, the end users need access to all of the data. If the data is not there, the application is not usable and the organization cannot accomplish its required functions. So if any of the required data is deemed sensitive, is the organization required to head down an on-premise route? Surely the answer cannot be yes.
It is Eugene Spafford’s view that moving to the cloud actually increases security concerns and complexity for an enterprise and therefore increases risk. He believes that some enterprises focus too much on the cost savings of the cloud rather than considering important security concerns, which can “lead to new vulnerabilities”. He also points out that some cloud providers are located in different geographic areas than their customers, which raises questions of data residency. So again, is the conclusion here that any applications that touch sensitive data must remain on premise? Fortunately the answer is no, thanks to an emerging set of technologies that Gartner refers to as Cloud Access Security Brokers.
Areas of Agreement
Mr. Ross and Mr. Spafford do have areas of agreement concerning cloud computing risk, including the need for an organization to fully understand its own data assets, cloud provider agreements and risk tolerance levels. They both also see the need for having contingency plans for any unexpected problems an enterprise may encounter with a cloud provider.
Lastly, as Spafford states near the end of the interview, “…it’s really up to the customers to protect their own data…”, and Ross says this about cloud providers: “There’s going to be some controls that went in and they’re not quite as effective as you thought…”. In other words, any organization needs to take extra precautions to protect sensitive data going to any cloud provider.
One way to do this is by deploying a cloud encryption gateway, which leaves data control in the hands of the enterprise by allowing it to secure data that is still on premise and to protect that data while it is in transit to or stored in the cloud. This solution enables enterprises to fully adopt the cloud, reduce complexity and control the security of business data.
PerspecSys Inc. is a leading provider of cloud protection and cloud encryption solutions that enable mission-critical cloud applications to be adopted throughout the enterprise. Cloud security companies like PerspecSys remove the technical, legal and financial risks of placing sensitive company data in the cloud. PerspecSys accomplishes this for many large, heavily regulated companies across the world by never allowing sensitive data to leave a customer’s network, while maintaining the functionality of cloud applications. For more information, follow @perspecsys on Twitter.