My colleague, George V. Hulme does an excellent job of laying out the trends and what they mean, so I’m not going to retrace his steps. Instead I’m going to focus on one trend in particular around cloud security demands from enterprises:
By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.
I looked at that figure and was taken aback, not because it’s so bold, but because it seems a bit conservative to me. Any time I’ve attended conferences over the last several years, all I hear is that security is the chief concern about adopting cloud computing.
In fact, I wrote about this very subject in this space last spring after attending a session on the cloud at CeBIT. In my post, Why is The Cloud Still Getting Special Treatment, I expressed some annoyance at hearing about security concerns yet again, feeling perhaps we should be further along after so much time.
And after attending conferences like the ARMA International Conference and Expo in October, the conference for record keepers, I found there was very little taste for storing records in the cloud, at least not without some serious reservations and making very sure that security and governance were up to snuff.
One speaker I saw suggested such a thorough examination of your cloud vendor’s data center, that it seemed to me it would negate any cost advantages associated with the cloud. That’s why there would be such value in having third-party oversight of security testing.
It’s clear that this is a major concern in many organizations and with increasingly stringent data protection laws in the EU, Canada and elsewhere, especially as it relates to the USA Patriot Act, companies are going to be looking for guidance on every cloud vendor’s security features.
And chances are they aren’t going to want to pay to send a contingent of their IT Staff to conduct a security audit of every vendor. It would be much more cost-effective to have some businesses or an industry group devoted to cloud security auditing where they audit once and cloud customers can have access to the independent analysis.
That’s why from a cloud vendor perspective, it would pay to have this type of service in place much sooner than later. If the cloud vendors could provide an accepted certification that would satisfy the concerns of most enterprise IT shops, then the conversation could get past the security issues and start comparing vendors on their merits.
Assuming the cloud industry could come up with a viable third-party certification system, I would be shocked, if by 2016, only 40 percent of enterprises would make independent security certification a precondition of buying a service. If such certification exists, it would likely be at the top of every requirements list in every IT shop in the world.
It seems that 40 percent is a low-ball figure for a requirement that we’ve seen is so important to so many inside large organizations. I would think the number would be closer to 90 percent (and then I would wonder what the other 10 percent were thinking).