Public cloud is more secure than any private cloud is likely to be, according to Richard Sykes, chair of the Cloud Industry Forum. Speaking at the recent G-Cloud in Practice conference, Sykes explained that suppliers of public cloud services are experts in security and if security is a real issue for your organisation then you should move to the public cloud as soon as you can.
This advice seems to run counter to the often-held view that public cloud is the least secure offering and that, for anything sensitive or important, organisations should either go private or stay away from the cloud altogether.
Chris Taylor, COO and CIO of News UK, a company that has moved to Google Apps, uses Salesforce for customer subscription management and has other cloud-based solutions in development, would seem to agree with Sykes’s view about the cloud. Speaking at the launch of the 2013 Harvey Nash CIO Survey in June, he stated that providers such as Amazon, Google and Salesforce are “far more secure than any one IT department.” To back this up he revealed that over the next two years the company aims to get 75% of its infrastructure into the cloud (from 25% today). So security is clearly not an issue in this instance.
Yet security is still often cited as being the main obstacle to using the cloud. But is this a genuine reason or is it just an excuse for IT departments that are frightened of ‘losing control’ or organisations that are afraid of change, lack knowledge or just do not trust service providers? It was interesting to note that Taylor’s comment about Amazon et al being more secure than internal IT was prompted by a question from the audience about the security risks of using the cloud.
Who to believe? Those that are actually using cloud services extensively throughout their organisations with no (additional) security issues or those that use security as a reason for not moving to the cloud?
There certainly seems to be some logic to the argument that cloud providers are going to be more secure than an internal IT department or an in-house developed/managed but externally hosted service. It is after all what they do, part of their core business and hence has to be a core competency. This is arguably more than can be said for a lot of internal departments that are unlikely to have skills, resources or funding to match an external provider.
But that’s not to say that IT departments shouldn’t do due diligence on potential vendors and ask them to demonstrate their competency. This is part of the new role of IT in the cloud-enabled enterprise – the role of a broker or facilitator of IT services; rather than building and maintaining services themselves, IT functions should focus on providing the right architecture to ensure different services can be integrated, selecting the right vendor(s), ensuring that appropriate SLAs are agreed and that safeguards around access to data and the ability to switch provider at the end of the contract are in place.
And using cloud services may well change the risk profile. But any potential new risks need to be balanced against the additional value that using cloud services will realise, together with the reduction or elimination of the risks associated with in-house provided/managed services.
Cloud services are here to stay. Their use within business is going to increase with or without the help and involvement of IT. It is time for IT departments to be proactive, to embrace and promote the cloud as a potential alternative and take a balanced view of value and risk. It’s time for IT departments to trust the cloud.