IEEE's CIO suggests that FDIC-style insurance may be one way to allay fears among enterprises about the security risks involved with cloud computing.
Cloud computing has compelling benefits, but enterprise adoption hasn't been as great as it should have been, thanks to interoperability issues, IT fiefdoms, and fears over security. That's the message from the IEEE, which is suggesting that cloud providers offer FDIC-style insurance as a way to allay security concerns. Fears that software as a service is a threat to existing IT departments may be harder to dispel, but IT can ultimately find a new role as system integrator helping different cloud services work together.
According to Alexander Pasik, chief information officer at the IEEE, security fears around cloud computing are misplaced. He compares cloud service providers to banks. "If you're worried about security, I would ask: Do you keep your money under your mattress?" he said in an interview. "We keep our money in banks because it's safer, and not just physically. A lot of the safety comes from the idea that the bank deposits are insured."
Even when a bank does gamble away all its deposits on subprime bonds, depositors can still get their money back thanks to FDIC insurance. Pasik suggested that cloud service providers need to offer similar insurance against a security breach. "Security can't be guaranteed, but it can be insured," he said.
Of course, money in a bank isn't exactly like data in the cloud. Money is fungible, so it can easily be replaced, whereas a security breach or data loss can't be undone. However, the damage done by a security breach usually can be quantified financially, so enterprises that suffer one could still be compensated. Pasik likened the concept to a security service-level agreement, though unlike standard SLAs it would need to go through a third-party insurer because the cloud providers are often fairly small startups and the damage done to them by a security breach can be fatal. Like FDIC insurance, it would pay out in the event that a cloud provider itself disappears.
The IEEE isn't planning to enter the insurance business, but it is working to overcome what it sees as an even greater threat to cloud computing: interoperability. "The problem with software as a service is that it's mostly point solutions," said Pasik, highlighting ADP Payroll, Salesforce.com, and Gmail as services that are great on their own but don't work well together. "The question is how do you integrate them and get all your systems talking to each other?"
Part of the answer is standardization, so the IEEE is working on ways to help cloud providers and their customers share data. In April, its Standards Association announced that it was developing new standards to improve interoperability and data portability. Next month, it's holding a cloud computing conference at which these standards will begin to take shape. As well as improving competition, portability should help reassure customers that their service can continue even if cloud insurance did need to pay out.
But getting applications working together is about more than just standards. It also needs integration work, and Pasik said that just isn't done in a lot of organizations. It requires IT expertise, but IT organizations see themselves as empires under threat from cloud computing, he said. "The push may ultimately come from line-of-business instead, but if the push doesn't come from IT it's going to be substandard," he said. Too many organizations implement cloud services piecemeal, with individual employees or departments choosing to route around the IT department and use services that they're familiar with from their lives outside work. That lets IT avoid dealing with services in the short term, but sets it up for a diminished role in the long term.
Despite these risks, the IEEE is extremely enthusiastic about cloud computing. Its press releases compare the new standards it's developing to the telephone network's signaling system SS7, the TCP/IP stack, and the domain name system, all critical pieces of today's communications infrastructure. "I have been frustrated to see how slow cloud adoption has been considering the huge economic benefits that it can achieve," said Pasik, who believes that cost savings of 90% are realistic when moving applications such as email from in-house servers to the cloud. "As you go from infrastructure-as-a-service to platform-as-a-service to software-as-a-service, the economies of scale go up. Similarly, as you go from private network to hybrid to community to public cloud, the economies get larger. So you want to be running software-as-a-service on a public cloud."