On Sept. 27, 2012, the Cloud Security Alliance (CSA) and ISACA (formerly the Information Systems Audit and Control Association) released their Cloud Computing Market Maturity study. It offers an important review of the state of cloud computing services, and specifically how information security is affecting cloud computing adoption.
Companies go to the cloud for business benefits and cost savings but are concerned about the security trade-offs for those benefits.
Cloud services swept into markets a few years ago promising fast ramp-ups and low prices, but little in the way of security. This isn't uncommon in the cloud industry: Despite security professionals' pleas for organizations to build security in, it's still a reality that excellent business benefits (for example, in the case of wireless networking) trump security -- at least during the heady days of early roll-outs. With maturity comes security, but how mature is the cloud market? And what does that mean for those of us who have to manage our data in the cloud?
The joint CSA/ISACA survey addresses the maturity question. Though fairly small in sample size (a total of 252 responses) the distribution of the sample is impressive. The results include responses from managers and organizations from around the globe, and both large and small size organizations responded. One fact to note: 173 of respondents identified themselves "… as a cloud service provider, integrator or consultant …," indicating that the respondents were already at a fairly high level of maturity because of their involvement as providers of (or consultants on) cloud services.
Software service offerings, like application service providers (ASPs), have been available since before the advent of cloud. Therefore, it is not surprising that this category scored the highest adoption rate -- 62.3%. SaaS (Software as a Service) was followed by IaaS (Infrastructure as a Service) with a 35.7% adoption rate, and PaaS (Platform as a Service) with 22.6%.
Reasons for cloud service adoption were a bit more surprising with business enablement factors (4.08 influencing factor on a scale of 1 to 5), which trumped financial cost savings (3.50). Of the business factors, reliability and availability of services was most important (mean score 4.59), followed by quality of service (mean score 4.29).
Looking at the negative and positive influences on cloud, the No. 1 negative influencer is information security. Security and risk management also exists as a major contributor factor in the rest of the negative influencers, including data ownership, compliance, information assurance and disaster recovery. In other words, the survey affirms the commonly accepted belief that companies go to the cloud for business benefits and cost savings but are concerned about the security trade-offs for those benefits.
Other useful data points exist in the full survey, but a final one of note for this discussion concerns cloud-related risk and how it's handled within organizations. Responses indicate that cloud computing is most often addressed as a technology-related risk, but not as commonly as a business risk or as part of the broader enterprise risk management program; again, not surprising, but incredibly telling and critical for IT risk professionals to address.
From the editors: More on cloud security
Cloud management platforms key to cloud security
Use tools, research to gauge cloud service provider security
Here's why: If company executives and business owners adopt cloud services for business enablement and cost savings (both business and enterprise-focused drivers) while negative adoption influences (often security- and risk-related) are championed by IT, the logical outcome is a fundamental mismatch of expectations that ultimately pits IT against the business. This does not constitute a reality-based risk discussion resulting in actual reality-based decision making.
Instead, executives and business owners must take accountability for some of the risk decisions, or they will not be able to understand the true cost/benefit trade-offs. By displacing the cloud computing risk decision to IT, the burden of saying no is placed squarely on IT's shoulders. Technology risks, including those associated with cloud services, are an inseparable component of business risk. Separating the two puts IT in the position of saying no to a perceived business benefit, but bringing the two together engages the business in the real risk decisions associated with cloud.
The CSA Cloud Computing Market Maturity study is a worthwhile read for security and risk professionals because it quantifies much of the common wisdom about cloud adoption drivers. It is also useful as a learning tool, especially when it comes to understanding where the risk of cloud lies. Cloud is seen as a business enabler with all of the risk pushed down onto IT. But cloud risks impact the business as a whole, not just IT. While the cloud market is maturing technically, this study shows there is also a need for enterprises to develop their risk management programs to include new technologies like cloud.
About the author
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.