Public cloud has grown enormously as an enterprise solution in the past five years. But if there is one thing that has held it back, it’s a lack of trust.
Businesses are essentially giving away their data to another company to look after. And in certain industries that requires a major shift in mindset.
In a recent study by Intel Security, only 13% of global participants completely trusted public cloud providers to secure sensitive data.
And while cloud adoption goes from strength to strength, the UK is currently lagging behind. Across the globe, organisations are now using an average of 43 cloud services, but the UK is ranked the slowest in terms of cloud adoption with an average of just 29 services per organisation.
The research revealed that while globally 34% of IT decision-makers feel that their senior management team fully understands the implications of storing data in public cloud services, there is a pronounced gap in the UK.
Just 15% of UK respondents said their senior management totally understands the risks of storing data in the public cloud – the lowest awareness level of any country Intel studied.
During the second half of the 1990s, companies began to gain a better understanding of cloud computing and its usefulness in providing solutions and services while improving internal efficiencies.
In 1999, Salesforce pioneered the concept of delivering enterprise-level applications to end users via the internet, called software-as-a-service (SaaS). The application could be accessed by any customer with internet access, and companies were able to consume the service on an on-demand basis.
Hot on the heels of Salesforce, Amazon launched its web-based retail services in 2002, and soon realised that its data centres were utilising only about 10% of their capacity at any given time.
Amazon modernised its data centres and began to market a new cloud computing infrastructure model. Google and other providers soon followed suit.
‘It is important to note that B2C services were the predominant early adopters of public cloud services,’ says Rob Lamb, cloud business director for the UK and Ireland at EMC, pointing to personal photo and document storage and web hosting. ‘Enterprise usage of public cloud is only now gaining traction.’
In using the cloud, many IT professionals fear that a loss of control will result in a security breach. But service providers claim that placing data in the cloud can actually make it more secure, as effective security is the lifeblood of such companies.
Cloud-based businesses can’t afford to put customers’ data at risk, and as a result they implement stringent security measures to protect their services and the data they hold from outside attacks, and obtain security certifications to validate the effectiveness of these security measures.
Some businesses also fear that employees of the cloud storage company could access their data and steal or leak sensitive information, but encryption can ease such concerns.
‘Encryption, with only the customer owning the key, is a simple way around this problem,’ says Matt Davies, director at Splunk. ‘Many cloud providers now make the log data from their service available to customers, so you can monitor this to see who is accessing your data.’
Lack of transparency
Meanwhile, the lack of visible controls – or transparency – can be another cause for concern. Businesses, as the data controllers, are legally obliged to ensure the appropriate data security policies are in place but, perhaps understandably, they may still view the cloud with a certain amount of distrust.
Yet concerns around visibility into the cloud exist across all industries and all countries. Data protection regulations are usually classified according to the type of data instead of the industry sector and, as a result, cloud data protection concerns occur across all verticals.
These are, however, amplified in sectors that deal with highly sensitive information, such as credit card details or high-value intellectual property. Each industry has to consider the probability that threats will be realised against their own assets.
‘The finance and retail industries in particular are seeing high levels of cyber attacks from criminals hoping to access their customers’ personal financial data, so security concerns are significant,’ says Raj Samani, CTO EMEA at Intel Security. ‘Of course, this is understandable since the ability to monetise the stolen data is now considerably easier than before.’
Providers should be transparent about the technologies in place that keep their cloud platform secure, from multi-factor authentication to transport and storage encryption.
It’s also important that cloud service providers or enterprises remain open to third-party verification. Crucially, providers should make the log data from their cloud platform available to customers, as AWS does with CloudTrail.
‘This visibility is the key to confidence in the cloud,’ says Davies. ‘Customers should monitor the data generated by cloud services to get a real-time view of security posture, as well as who is accessing their data and when.’
But while public cloud providers employ some of the best security practices, the concerns of the enterprise are not alleviated with the current set of security measures offered by them.
The concerns around data residency and blind subpoena are not mitigated with the existing security measures unless augmented with data-centric security solutions, says Farshad Ghazi, global product manager at HPE Security. And the ultimate responsibility for the security of the data still lies with the enterprise, as per the public cloud licence agreements.
For businesses that hold a lot of data – or for those that have consistent, recurring workloads – economies of scale may mean that in the long term it is more cost effective to build an on-premise solution.
For those that hold only a small amount of data, or who see their data storage needs fluctuating a lot, a public cloud solution may be a better fit.
Ultimately, the decision as to which way to go varies from one business to another, but the most important thing is maintaining the control and choice of where to store data should the business’s situation change.
‘While there is indeed a “peace of mind” element to storing data on-premise, in reality cloud providers are now at a stage of maturity where pure security concerns have been minimised for their customers,’ says Martin Warren, cloud solutions marketing manager, EMEA at NetApp.
‘That said, businesses should always do their due diligence and ask all of the necessary and relevant questions relating to data security and the increasingly topical issue of data privacy when choosing a cloud provider.’
A new era for cloud providers
We are entering a new era for cloud providers, according to Samani. Investment and adoption is expanding rapidly, making the question of trust within the cloud even more imperative.
Trust will be integral to realising the true benefits of cloud computing. Some business-critical data and applications can be placed in the public cloud, but businesses have to carefully choose which data makes this transition.
By identifying their information assets and recognising the true value of their data, companies can guarantee that only suitable data is moved to the cloud.
In addition, organisations must undertake their due diligence and ensure that they choose a secure cloud provider that suits their needs. They also need to recognise that traditional security models no longer apply.
‘Just as shops barcode each individual product instead of relying on a perimeter security guard to prevent theft,’ says Samani, ‘cloud security must focus on protecting the data itself, not the data location.’
Public cloud is multi-tenant in character and providers realise that bringing multiple better security mechanisms to the table to secure the data on public cloud is key in winning customer confidence.
On-premise technologies generally do not change often, while cloud providers continue to upgrade infrastructure and there is pay-as-you-go security that businesses can implement.
‘Any information security that is implemented on-premise is replicable to the cloud,’ says Sarvesh Goel, architect, IMTS at Mindtree, ‘thus it makes the default choice for organisations to move to cloud.’
Last year, EMC, VCE and VMware researched public cloud adoption across different industries. The study revealed that 89% of British businesses are using some form of public cloud services to improve cost savings, agility and competitiveness.
Highlighting the main reasons for adoption, the study found that four in ten businesses use public cloud to host internal digital apps and services, such as HR, meeting scheduling and purchase management applications.
More than a third (35%) of companies are using it to host external digital applications and services, and 32% are relying on it for data backup and recovery services.
‘Line of businesses say they are choosing to use public cloud services because it’s more cost-effective, easy to use and allows them to meet client needs,’ says EMC’s Rob Lamb.
With trust in the public cloud growing, the big question is whether, in the long term, enterprises will reach a point where they store all applications and data in a public cloud. The reality is unlikely. The future of cloud computing will be closely defined by a rapid development of SaaS-based services across both public and private cloud. Over the next five years, IT companies will probably spend at least a quarter of all application budgets on SaaS.
This will make it possible to give organisations options within the cloud – in a way that allows them to change their mind about how they want to deploy applications – as well as whether those applications should be managed internally or by an external provider.
Ultimately, within the next decade IT leaders are likely to become more like a broker, with great flexibility as to where applications are deployed and managed.
‘Data, application logic and presentation will become separated,’ says Robert Coleman, presales director for enterprise management and application delivery teams at CA Technologies. ‘This will make it much easier for enterprises to dynamically shift applications across different classes of cloud environments, without significant costs to businesses or disruption of operations.’