Securing the host remains the responsibility of cloud service customers
Securing the host remains the responsibility of cloud service customers

Cloud computing is the coming thing, but what are the security issues – especially for large enterprises?

It's an understatement to say that 2008 did not close on a happy note. Economic problems abounded, but that is not the end of the story for information security.

Let's start with the obvious. Economic difficulties have already led to cuts in IT spending growth for 2009. In October 2008, Gartner reduced its projection for the growth in global IT spending from 5.8 per cent to just 2.3 per cent. In November, IDC also slashed its projections. While both forecasts were for global IT, UK-specific spend on IT has fallen, particularly in the financial services sector. That will not be offset by the £50 billion liquidity injection provided by the Government to banks at the end of 2008.

This means cuts for our IS programmes as well – perhaps not as deeply as other aspects of IT, but still cuts. Doing more with less is everyone's mantra now. But that is the obvious part.

What about the less obvious part? How are other business units going to react to cuts in the growth of IT spending? It's unlikely that historically increasing demand for IT services has just evaporated because of the economic situation. I believe demand is merely pent up, looking for some way for it to be satisfied.

Another element is how the CIO and IT will look at reducing operating costs through technology. The arrival of VoIP and server virtualisation into enterprises was spurred in large part by the promise of cost savings. Data centre consolidation, fewer/smaller purchases of server hardware and more efficient use of servers all equate to cost savings.

With the current economic situation, we are likely to see a convergence of “solutions” to address other units' demand for projects with a low cost and faster implementation – along with the CIO's desire to cut costs.

What is this convergence? It is cloud computing.

IT professionals need to be honest with themselves, and acknowledge that part of the reason other business units have embraced Web 2.0 – and part of the rationale for cloud computing – is a repudiation of IT's “traditional” (in)ability to deliver projects on time and on cost. In the last few years, as IT projects grew more complex and costly, the failure rate ballooned – with some spectacular examples. Everyone can name multiple IT-led projects that were seven-figure (monetarily) flops: large sums of money just having to be written off. That's shameful. As a result, other business units have lost confidence in IT.

At the same time, the CIO is looking to improve IT performance. And both may have found the same answer – or, at least are investigating the same potential answer: cloud computing.

You don't think that cloud computing has reached the UK? I would challenge that. For example, insurance firm Kennedys and pension firm Rowanmoor Pensions are already using it. And the construction of very large data centres in Scotland is to support cloud computing, as well as enabling customers to comply with the Data Protection Act.

Many UK firms are looking into cloud computing, I would guess. What are the security implications of using a public cloud versus a private one? How do you audit a cloud, against which framework, for compliance to what? There are lots of questions; it's time to start finding some answers.

Infrastructure security (network-, host-, application-level) is weaker in public cloud than that already found in many large enterprises. But for SMBs and SOHOs (small office/home office), cloud computing offers improved infrastructure security. For a large enterprise, relying on strong data security to provide controls for weaker cloud infrastructure security is likely to be a disappointment. For enterprises, there are privacy implications, and audit and compliance considerations too, suggesting that large enterprises should use cloud computing for non-sensitive or non-regulated data only.

That said, cloud computing is on the horizon, and probably in the forecast for your IT department.

So IS professionals had better get started on understanding the security available for – and attendant risks of – cloud computing.