It's still a long, hard climb to get to a high level of security in cloud computing, according to Gartner research vice president Jay Heiser, who said business and government organizations with sensitive data appear likely to hold back from cloud-based services until things improve.
"Finance tends to be more conservative about cloud computing than small business," said Heiser in his online presentation to Gartner clientele yesterday. In "Prepare for and Minimize the Security Risk of Cloud Computing," Heiser expressed the view that it's somewhat simpler to establish a security baseline when using infrastructure-as-a-service (IaaS) than it is for software-as-a-service (SaaS), if only because there's more flexibility and less dependence on the competence of the service provider. But overall, cloud service providers aren't as clear as they should be concerning matters such as their business continuity and disaster-recovery practices, making it hard to win customer confidence.
"Gartner clients are almost universally disappointed" by what they regard as the incompleteness in cloud-computing contracts where they still don't see the level of specificity related to security they expect, said Heiser. "Cloud contracts are incomplete," he emphasized.
The struggle to define both technologies and legal obligations between the cloud and the customer is a topic that has been taken up by both the federal government in its FedRAMP program that seeks to certify cloud-service providers for government use, and the organization Cloud Security Alliance (CSA), which has several working groups pouring enormous effort into defining industry standards.
Heiser also pointed out that the American Institute of Certified Public Accountants (AICPA) has replaced its SAS 70 certification with a service provider certification called SOC 1, and there are now SOC 2 and SOC 3 reports as well to indicate service provider system trust and security.
But while applauding all of these standardization efforts for security in cloud computing as significant, Heiser said FedRAMP, which is supposed to be operational next year, and the CSA standards are still early projects and their impact may be years away. Heiser had similar sentiments about the ISO/IEC 27017 cloud security standard and the ISO/IEC 27018 cloud privacy standard. All of these cloud-computing security efforts are worthwhile, but they will take somewhere between one and five years to be considered mature, he says.
In the meantime, businesses and government have to pin down their requirements and evaluate potential cloud services and their security options as well as they can. The starting point should be looking at the sensitivity of the data going into the service, Heiser says. Companies have to ask questions such as what kind of impact the loss of that data would have, whether it is of critical competitive value, and whether it is subject to regulatory concerns. "It comes down to determining the appropriateness of the service," he says.