As cloud computing matures and becomes more and more the default choice, its security is often criticized. The perceived risk of a data breach is an argument used by many IT managers for not moving from onsite to in-cloud solutions. Industry pundits hammer the message home: “the cloud must be made safer!” Startup companies emerge with new security applications and tools, specially conceived for the cloud. And yet cloud security requirements are very similar to onsite or in-house IT security requirements. What’s going on?
Shades of Stanley Milgram
Milgram conducted some controversial experiments in human psychology in the 1960s. He investigated how one person can transfer his or her personal responsibility to a second person, if that second person is an authority figure. In Milgram’s experiments, the second, authority figure instructed the first to give electric shocks to a human guinea pig. In cloud computing, senior management, consultants or both instruct IT departments to move activities to the cloud, drawn by the apparent savings to be made and the resilience and scalability to be gained. If care is not taken, IT teams can lose their sense of responsibility for key aspects like security that are not explicitly part of their ‘instructions.’
Shiny and New is Another Excuse Too
To complicate matters, clients may also have been too lax in chasing cloud providers about service outages and other problems. While hours of downtime or even customer data loss make good material for articles in the press, cloud provider business keeps on growing. One or two hitches with new technology may be normal, but cloud computing seems to have benefited from a relatively high level of indulgence. And if cloud providers continue to be rewarded with more revenue, why should they make any additional effort in service levels or security?
Private Cloud Solutions Could Help Reset Expectations
Customers can now set up private clouds that offer the same characteristics of resource efficiency and scalability as public clouds. Out-of-the-box solutions are available to let customers unpack and fire up private cloud servers that automatically provision and commission service for their users. While customers are unlikely to be able to tap into total resources quite as vast as those of the public cloud, the rest looks very similar, apart from one thing. Customers running private cloud solutions bring cloud responsibilities back in-house. Security in particular cannot be palmed off to a third party, as it can be with public cloud solutions.
IT – an Enabler, a Means to an End, but not the End Goal
Customers are ultimately responsible for their own business goals and achievements. IT has become an essential part of business because of its potential to accelerate and organize information. However, enterprises for the most part use IT to do business, not vice versa. Cloud technology is attractive because of its financial advantages and the new modes of operation it brings. Cloud providers can be asked to give guarantees of performance and security, just as a company can ask its trucking provider or raw materials supplier to stick to defined service levels. But none of this removes the responsibility that customers have to make sure that everything works well enough and securely enough to yield the required results. Cloud security has to start in customers’ minds, before being confirmed by vendor or provider solutions.