"Security", often cited in a very broad and vague way, still represents a consistent and major roadblock to moving applications to the Cloud.
In all of its forms, security is still a very valid consideration when discussing deployments to the Cloud. However, it is unfortunately often used as a tool by skeptics acting out of self-preservation, as well as perpetuated by some vendors whose entrenched software businesses would be at risk with increased Cloud adoption. So even if "playing the security card" is an unnecessary challenge for innovators in a given scenario, the perception of security risks still needs to be overcome to transform an organization into a Cloud shop.
Of course, not all applications are suited for the Cloud, and hybrid scenarios are likely the long-term approach and solution for most organizations, as many applications are indeed well-suited for taking advantage of the benefits of the Cloud. Tremendous cost savings can be obtained, easy scalability achieved, simplicity realized, and the ongoing innovation of domain experts can be leveraged effortlessly.
Lately in the news, there have been many high-profile "data security" breaches, such as RSA's incident, Sony's PlayStation Network, and even the hacking of the US Senate's Website, as well as countless others. Yet very few of these, if any, are "Cloud applications" in a pure sense of the definition.
In the case of RSA (a unit of EMC), security "tokens" were compromised that enabled hackers to get into internal networks, most notably Lockheed Martin. Sony's PlayStation Network compromise was also an intrusion of internal networks via remote connections. Case after case that we hear about these days seems to predominantly be a break-in of internal systems rather than an infiltration into Cloud environments.
What does this teach us? That except in extreme or unique cases, it's hardly possible for applications and systems to exist without some kind of connection to the outside world, and therefore they each have some level of security exposure, Cloud or not. Even if applications are thought to be "fully secure" from a wired standpoint, someone could still break a window out of an office and steal machines (and hard drives). Or, there could be an "inside job" at an otherwise secure data center. In other words, there is no such thing as complete 100% security of data.
Not surprisingly, security can often be much tighter and more sophisticated for Cloud applications. This is because of the in-depth architectural designs that fully consider multi-tenancy and the otherwise necessary security measures for mature Cloud providers. With mature providers, there is also a built-in domain expertise focused on security continuously as any potential risk is often in the hands of dedicated teams and monitored closely. As security represents the lifeblood of the Cloud vendor and where a breach could be catastrophic, there tends to be maximum investment assigned to the issue.
So it's fair to say that integration into the Cloud can actually strengthen a company's data security dossier. For example, Cloud-based storage systems can encrypt data, which makes it useless to anyone who happens to see or obtain access to Cloud-stored data assets and who doesn't have the decryption key. This encryption is often available out of the box.
As another case in point, I often hear about the risk of "disgruntled employees" obtaining data prior to departure from a company as a bullet point example of the risk associated with security in the Cloud. Yet, this is counter-intuitive because data might be far safer locked up in the Cloud and out of reach from the prospective disgruntled employee, rather than available behind the firewall from within an organization for the departing employee to get a hold of when no one is looking.
So, if security is the primary inhibitor to at least partial adoption of the Cloud within an organization, what can one do?
Rather than fall into "Cloud Security Paralysis", one simple and easy way to get into the Cloud would be to integrate external, Web-based APIs into applications, business processes, or Websites, especially if those applications are not currently leveraging the Cloud (but even better if they are). This can help introduce the concept of being in the Cloud and get the company's proverbial feet wet. Over time, perhaps the entire organization can then see how abstraction from complexity can benefit the organization in terms of time, cost, and focus, which in turn will help build an ROI case for future projects. Simple, component-oriented Cloud services also represent very little risk. Additionally, this can often build both an understanding and a track record behind any security-related questions that might arise from Cloud Computing, and without the risk of betting the farm.
For example, many of StrikeIron's customers start with a straightforward integration of North American Address Verification, where scalability of usage, database maintenance and updates, and underlying hardware and software are entirely abstracted away from the user. The improved address quality is obvious (such as calling out to the verification service to ensure accuracy each time an address is collected via the Web), the integration effort is practically non-existent (simply plug in to the API), and the ability to demonstrate ROI is clear. This usually leads to the addition of other services being put to use such as Email Verification, Telephone Validation, and other Cloud-based business services. Better yet, it enables the organization to state that the Cloud is now being successfully leveraged. With some success under one's belt (and more importantly some quantitative measures to back it up), it can then be time to start looking at full-scale application deployment in the Cloud.
This stepped, API-bridge-to-the-Cloud approach will help in meetings with the CFO, business units, and the I.T. organization (if you are not the I.T. organization, or the leader of it, already) who make the "security" objections when cost savings and increased innovation via leveraging the Cloud are discussed. Slowly but surely, the Cloud will undoubtedly be embraced, where appropriate, enterprise-wide.

StrikeIron has teamed up with Catalog Choice (Berkeley, CA) to improve the quality and accuracy of Catalog Choice's more than 2.3 million mailing addresses.
StrikeIron, the market and technology leader for cloud-based contact data verification solutions, has teamed up with Catalog Choice, the industry pioneer in mail efficiency and privacy control, to streamline its services.
Catalog Choice has integrated StrikeIron’s data quality solution to improve the quality and accuracy of Catalog Choice’s more than 2.3 million mailing addresses. As Catalog Choice members select their mail preferences, the StrikeIron Address Verification cloud service will cleanse existing data and verify incoming entries in the Cloud, eliminating the need for ongoing data updates. The vetted and incorrect data will be presented to users in real time for verification. The cleansed address data is then sent to specified marketers when opt-out requests are made through the Catalog Choice Mail Preference Service.
For the full release, click here: http://www.prweb.com/releases/2011/6/prweb8587747.htm

I will be moderating a session at The Business of Cloud Computing event next week in San Diego, California. The event is scheduled for June 13th-15th. The name of the session is "Losing Control: Can you trust the Cloud with your core business?" and is at 2pm on Tuesday, June 14th.
Also on the panel will be Brian Boettcher, Vice President of IT and Chief Investment Officer of the Altra Federal Credit Union, as well as Chet Loveland, Chief Information Security Officer at MeadWestvaco Corporation. The full conference agenda is here.
As part of the interactive session, we will discuss how both companies came to the conclusion that a Cloud solution made sense for their organization, what platforms they decided to choose for these solutions and how they arrived at their choices, what risks were involved and how those risks have been mitigated, and also general best practices that they are employing for long-term success in the Cloud.
We will also discuss what this move means to their respective IT organizations, both short-term and long-term, and what their experiences in the Cloud to date might mean for the industry as a whole.
If you will be at the event, please come and take part in the discussion. If not, please post any questions for the panel below. A summary will be posted after the panel discussion.
