Fear Factor: Why Security Is Still The Cloud's Biggest Hurdle


SOLUTION PROVIDER OPPORTUNITIES

AWS' Wise said channel partners play a big role helping enterprises transition to the cloud. Specifically, the company's big system integrator partners provide IT consulting services around architecture, governance and operations to enterprise customers wanting to use AWS for production workloads such as SAP and big data analysis.

"SI partners play an important role in providing the technical services required to migrate from an on-premises enterprise environment to AWS," Wise said.

For security consulting firms such as SystemExperts, growing interest in cloud services has generated requests for security reviews. One customer sent a team of SystemExperts consultants and internal staff to evaluate a cloud service provider, Hill said. "We looked at the architecture and a wide number of controls. We interviewed them on exactly how they implement some encryption technologies," he said.

One of the first steps an organization should take before moving data to a cloud environment is classifying the data, Hill said. "Once you have that, it's easier to talk about what the risks are," he said. It's going to take additional education and know-how to walk organizations through a thorough evaluation, said Sean Bruton, senior product manager at Hosting.com. The right questions need to be asked and businesses need to make sure their questions are clearly answered. They need to make sure a provider isn't treating security as a reactive part of its job, he said. Smaller providers may have less skilled staffers, such as system administrators, handling security as issues come up. Get customer referrals and understand the background of the people maintaining the systems, he said.

"You want to make sure there are people in charge capable of managing risk and are knowledgeable about the types of controls that need to be deployed and maintained and the threats that your organization faces," Bruton said. "Take the time to talk to the people in the organization."

Bruton, who oversees security and compliance for the company's managed hosting services, said incident response, vulnerability management and activity monitoring should be part of the discussion with the cloud provider before signing a contract.

Allen Falcon, CEO of Westborough, Mass.-based Cumulus Global, a cloud provider and premier Google Apps SMB partner, said his firm prefers working with cloud vendors that target markets with high security needs. "We pick products and services that start at the high end ... as opposed to looking for a vendor and waiting for it to become secure," he said.

In fact, the security provided by a cloud service such as Google Apps -- which has multiple security certifications -- is more than most small and midsize companies can provide on their own, Falcon said. "When we implement Google Apps, we enforce high levels of encryption so that everything is encrypted, not just at rest in the data center but in transit to the end device as well," he said.

If a customer believes it needs even more security, there are third-party products that can meet their requirements, he said. Cumulus Global works with a variety of third-party cloud security providers, such as Symplified, a supplier of identity management services.

NEXT: Making Headway