In his previous career as global chief information security officer (CISO) for a Fortune 500 global conglomerate between 2007 and 2012, Richard Dorough would fight going to the cloud "tooth and nail." He wasn't alone then and wouldn't be today. Studies and surveys routinely indicate cloud security risks are the biggest barrier to adoption for IT leaders. The CompTIA 3rd Annual Cloud Trends study, published July 2012, showed nearly half (49%) of responding IT executives were cloud-averse because of security.
Today Dorough is a managing director in the PricewaterhouseCoopers (PwC) U.S. advisory practice focused on cybersecurity, and his outlook on cloud security risks has changed. Speaking at the recent MIT Sloan CIO Symposium in Cambridge, Mass., Dorough said that based on some of the enterprise company breaches he's seen in his current job, he's come to believe the data might actually have been safer in the cloud. He doesn't suggest everyone rush to the cloud, but the option merits serious evaluation.
"You have to ask is there a cost savings around it, is there security around it, is it going to be easy to maintain over time and is that cost savings going to be maintained over time?" Dorough told SearchCIO in an interview after the panel.
Tripartite "mental checklist" for breaking down cloud security
As CIOs increase their use of cloud, they have a better grasp of the nuances that play into opting for a cloud solution, agreed John Roese, part of the MIT panel and chief technology officer at EMC. In his view, many cloud security risks are eminently solvable, but CIOs need to think about security by the workload.
"If you're going to take your mission-critical regulative applications and move them into the cloud, the security barrier is probably a reason to keep you out. If you're talking about the coldest of the cold storage … you can probably move that fairly easily," Roese said. "It's a degree of what type of workload you're talking about, and each has a different security threshold."
Scott Blanchette, senior vice president of information and technology services for Vanguard Health Systems, agreed the "cloud is not homogenous." Even in a highly regulated industry like health care, there are cases in which cloud makes sense.
"In our case, Web, mobile, social are almost entirely in the cloud, and we put the appropriate barriers around regulated information," Blanchette said.
PwC's Dorough said that during his time as CISO he crafted a three-part mental checklist that proved a simple but effective evaluation tool to decide whether an application, product or service belonged in the cloud. He would look at the type of data involved, the service-level agreement (SLA) contract and the security environment. His stamp of approval would depend on the sensitivity of the data, the contractual owner of the risk attached to that data and the level of security the cloud provider offers. He followed that analysis with one more question.
"You still want to ask, does this make sense? Does the business value offset any risk associated with the data or any potential loss?" he said.
Auditing security controls of your CSPs
Back in 2009, when cloud as we know it today was in its infancy, CIOs had good reason to worry about cloud security risks, according to Edward Ferrara, principal analyst with Cambridge, Mass.-based Forrester Research. The focus then of cloud service providers (CSPs) was on functionality -- wowing customers with initial cost savings, scalability and speed. Security concerns were an afterthought, or dismissed by vendors who assumed they could do security better than their customers, Ferrara said.
"What CSPs used to say about security was 'just trust us,'" Ferrara said. It's only been in the past year or two that the general vendor mentality toward cloud security risk has started to change, he added.
The turnaround has not been lost on potential enterprise cloud customers. Recent Forrester research shows a marked increase in the number of cloud deployments that companies are willing to consider, Ferrara said. The research also shows that companies believe the cloud security controls already or soon to be in place are at least sufficient to begin a dialogue about deployment.
For the vendors' part, there are two major steps cloud service providers are taking to win customers' trust, according to Ferrara. The first, and perhaps most telling, is the willingness of CSPs to allow potential customers to conduct assessments of their infrastructure. Just don't expect to see it highlighted in their marketing materials.
"They're not openly publicizing this, but if a big enough or important enough client comes to them and says 'the ability to audit your security controls is pivotal to us signing an agreement,' the CSP will allow that to occur," Ferrara said.
The second big vendor nod to a company's need to verify a CSP's ability to manage cloud security risks is the increased adoption by vendors of the Service Organization Control process (SOC). Published by the American Institute of Certified Public Accountants, SOC replaces SAS 70 as the organization's certification of security controls with attestation for cloud environments. Some of the larger cloud service providers like Amazon and Apple now publish SOC reports on their security controls.
"Security is still an issue but these are steps in the right direction," Ferrara said. "CSPs now realize … that security is an impediment to adoption, it's a significant one and the concerns of their customers in this area are important."