Cloud security fears outweigh savings, but perhaps not for long
Security concerns about cloud computing outweigh the potential cost savings by a 2-1 margin in a recent survey of government and industry IT professionals, but economic pressures are slowly driving a move to the cloud.
Only 32 percent of those questioned in the study conducted by automated compliance auditing company nCircle said that cost savings outweigh security issues, but that is an increase of 6 percent from last year. Thirty-five percent said they already are doing some cloud computing, up from 24 percent last year, and another third are considering the move.
“Cost savings is definitely a big driver here,” said Keren Cummins, director of federal markets for nCircle. “The first persons to be interested in the cloud were those for whom security was not a big concern.”
As the adoption becomes more general, however, users are beginning to address practical implications, including maintaining security in a new environment provided by a third party. That is reflected in the finding that 69 percent of respondents would be more likely to use a cloud vendor that complies with requirements of the Federal Information Security Management Act or Payment Card Industry requirements.
“I think we are going to see the government proactively assess the security of cloud providers,” Cummins said.
nCircle surveyed 551 IT professionals for the study on cloud computing in March, 40 percent of whom had some security role in their organizations. About 11 percent of respondents were in federal government and another 5 percent were in state and local government.
Government is readying a program for proactive security assessments for cloud providers. FISMA requires that government IT systems, including those operated by cloud providers, be formally authorized to operate. Federal Risk and Authorization Management Program (FedRAMP) requirements for authorizing the use of cloud services are undergoing final review and are expected to be released soon. A lack of expertise in cloud security, management and administration, particularly in government, could slow the move to the cloud if agencies become overly cautious, officials warned, however.
Cloud computing could benefit from another trend in government, Cummins said: the move toward continuous monitoring of the security status of systems. This is becoming federal policy under new FISMA compliance requirements, but a number of agencies already have made improvements in security by putting it into practice.
The State Department implemented the monitoring of key security controls within its offices more than two years ago and has become a poster child for the approach. With a program of continuous monitoring, distributed responsibility for IT security and a focus on critical controls and vulnerabilities, the department has significantly improved its security posture while lowering the cost, Chief Information Security Officer John Streufert has said.
How effectively current monitoring tools and metrics can be applied in a cloud environment still is not clear, but Cummins said that she expected market forces to push continuous monitoring into the cloud.
“This is something where we’re going to see a lot of competitive pressure,” she said. The ability to monitor and validate security assertions could become a differentiator in the market. “I think there is going to be a place for cloud providers who are willing to do that.”
Economy and security do not have to be competing forces within the enterprise, Cummins said. “If the cost savings are substantial enough, you can bring more resources to bear on security issues.”