Naysayers, get over yourselves. The cloud is secure.

Analysis
Oct 19, 20103 mins

Security fears remain a top impediment to broad adoption of public cloud services

If you listen to the arguments about security in the cloud they sound compelling, and generally fall into two categories: technical risks, and policy issues.

High on the list of technical risks are those inherent in any multi-tenant environment: if one application is compromised, that application might corrupt another running on the same physical server. Another common concern is about data migrating between the corporate data center and the public cloud provider. And don’t even ask about how risky it is to store data in the public cloud (hint to the fear mongers: encrypt it, and take good care of the key).

Policy issues feature even more highly, for one simple reason: violating policies can get you fired. There are laws and regulations, for example: don’t transmit European customer data to a cloud in the United States. There are concerns about legal processes: if another user of the same public cloud is subpoenaed, would my private data be compromised? But mostly, there is the simple fact that, unlike the cloud, the security risks of traditional data center usage are well accepted (even if not often understood) by corporations, boards of directors, and the regulatory community. Public cloud usage is a new world, one where standardized best practices aren’t established and available as a benchmark for companies (and their lawyers and auditors). Companies who go there risk their data and reputations, and managers risk their jobs, or so says conventional wisdom.

But maybe – just as with every other technology disruption in history – the naysayers are wrong.

Consider one of the most popular public clouds in the world: Salesforce.com’s CRM application. According to its website, more than 77,300 corporations upload and store their most precious data on the Salesforce cloud. Salesforce has clearly gained the trust of companies around the word, including many tens of thousands of organizations who are not risk-taking, bleeding-edge technology adopters. Salesforce.com has pioneered cloud usage, and in many respects, it set standards by which others are judged. (Disclosure: Salesforce.com runs on Red Hat’s Linux distribution.)

Salesforce has put a lot of work into describing what it does, and what its users should do, to achieve better security (see trust.salesforce.com). In there, you see Salesforce.com’s promise: “Nothing is more important to our company than the privacy of our customers’ data.”

Surely most of its 77,300 customers have strict information security policies. Many are probably subject to burdensome Sarbanes-Oxley regulation. How many of these security policies – most written and approved years ago — sanction the placement of customer lists, sales forecasts (imagine the value of this data to a rogue stock speculator), and marketing plans to a cloud?

You have to ask yourself, if the cloud is as risky as conventional wisdom suggests, why do so many corporations trust their data to it?

The answer is pretty simple: the cloud is so compelling, so easy, so viral, and so cheap, that, for many applications and many customers, security concerns just aren’t as important. Security policies get ignored or set aside. And, one hopes, eventually they will be modified to accommodate the new reality which is cloud.

Sure, just as some applications stayed on the mainframe for two decades after client/server became popular, some apps will remain off the cloud. But, if history is any guide, expect exponential growth far faster than conventional wisdom suggests.