A new survey is finding a continued level of angst among IT professionals administering cloud computing projects within their organizations.
From a c-level perspective, cloud is very effective, so it's going to happen whether IT wants it to or not
Vice President ISACA
The survey of more than 1,800 U.S.-based IT professionals found that 48% say the risks of cloud computing and software-as-a-service (SaaS) outweigh the benefits. By contrast, 55% said the risks are either appropriately balanced or are outweighed by the benefits. The survey was conducted by Rolling Meadows, Ill.-based Information Systems Audit and Control Association (ISACA), the IT security governance organization that administers security certifications.
Business leaders at enterprises have been moving the organization to cloud computing to cut costs by outsourcing the management of IT infrastructure. The down economy has driven many firms to consider cloud-based services, including utility-type computing offered by Amazon's EC2 utility service and Microsoft's Azure cloud computing platform. A recent report from the Cloud Security Alliance and Hewlett-Packard identified seven threats to cloud computing. Threats include the ability of hackers to infiltrate cloud computing platforms and use cloud infrastructure to attack other machines as well as insecure application programming interfaces (APIs) that can leave holes that lead to data leakage.
Robert Stroud, vice president of ISACA, said the survey results shouldn't be surprising given that IT professionals, especially members of ISACA, take a cautious approach to new technologies and carefully measure cloud computing risks, he said.
"A good training regime and process automation can go a long way towards making risk a consideration, but also making it be accepted," said Stroud, vice president of IT service management strategy at CA Inc. said. "If you're too risk averse you're never going to grow the business."
Survey respondents were not asked which cloud-based services they feared the most. It found that most mission critical IT services continue to remain within the organization. Only 10% of respondents' organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.
"For mission critical data we're just starting on that journey," Stroud said. "From a c-level perspective, cloud is very effective, so it's going to happen whether IT wants it to or not."
Regulations, standards obstruct cloud adoption
Compliance is a major hindrance causing enterprises to take a slow approach to many cloud-based projects, said Jim Reavis, co-founder and executive director of the Cloud Security Alliance. Nearly 30% of those surveyed said compliance projects are the biggest driver for IT risk related projects. About half of those surveyed said IT risk and compliance related projects will receive roughly the same investment in 2010 as in 2009.
Reavis said there isn't a turn-key way of achieving compliance in any of the public clouds.
"People know there are risks in any sort of computerized connectivity but compliance is anecdotally a front row driver that is inhibiting adoption of more cloud services for regulated types of services," Reavis said. "It's one thing if you get hacked and you have the auditor signed off on IT, but in the cloud if you get hacked and don't have the auditor signed off you can lose your job."
Reavis called the ISACA survey an encouraging sign that IT professionals engaged in measuring risk are finding ways to move forward with cloud-based projects rather than trying to stall them. Many of their concerns will be addressed over time. Currently there continues to be a lack of understanding and documented use cases, he said.
The Cloud Security Alliance's metrics working group is mapping cloud related risks to various standards and regulations. For example, the group has worked with the PCI Security Standards Council to develop a framework-- a cloud controls matrix -- to determine a reasonable set of controls that a cloud-based provider must implement versus the controls that must be implemented by the enterprise.
"It's a shared responsibility," Reavis said. "You can't outsource all your governance responsibilities."