This is one in a collection of seven pieces on Burning Security Questions. Read the rest here.
"Yes, security is one of the concerns about cloud computing that is delaying its adoption," says Eric Mandel, CEO of managed hosting services provider BlackMesh in Herndon, Va. "One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data. How can you protect yourself from a security breach somewhere else in the cloud?"
Security concerns will continue to keep some companies out of the cloud, Mandel acknowledges.
Symplified, a start-up providing a cloud-based security service that extends enterprise access-management controls to cloud computing, agrees there's a strong sense of heightened risk.
"We find the focus is on the credentials. It's the key to the kingdom and we find there's a reluctance to have the keys in the cloud," says Eric Olden, CEO at Symplified. He says the providers of cloud computing would further their own cause if they offered more "transparency" in what occurs in the cloud-computing environment.
Burton Group analyst Eric Maiwald, who also contends cloud vendors could be more forthcoming about their security practices, cautions there's a long list of security issues that should be resolved before businesses jump into cloud computing, even if they see cost-savings as a primary driver.
These include how data may be encrypted and stored, how e-discovery can be done if need be, what controls there are and whether the cloud provider has passed a SAS-70 audit.
Dick Mackey, analyst at consultancy SystemExperts, says cloud computing is "a difficult choice for any company considering the platform for protecting sensitive information" because of "the inability or unwillingness of cloud providers to give assurances of the controls surrounding computing resources."
He also argues "it would be difficult to impossible to achieve Payment Card Industry (PCI) compliance in a cloud provided by a service provider given the requirements for understanding precise system and network configurations and controlling access to the systems and the credit-card data."
Vendors aren't standing idly by. They recently formed a Cloud Security Alliance to address just the sort of concerns IT security pros say they have.