Reflecting on the passage of this year, security is a term that was waved in my face almost every time I entered into a discussion on Cloud Computing with clients or vendors. It is unfinished business to be taken into the new year, 2011.
Security sensitivities have been kindled into a blaze by the persistent percolation of data and privacy breaches and questionable practices that have made it to the mainstream press, and even more abound in the IT media channels.
Regrettably the protagonists of such ill will begin with some of the darlings of the online ‘Cloud’ world itself, notably eBay/PayPal, Facebook and Google. The cavalier attitudes of these, amongst other online organisations, towards individuals’ privacy are verging on out of control. Take, for example, Facebook striving to drive revenue from social networking, Google with its parasitic business practices endeavouring to expand beyond its search engine branding, and PayPal playing at being an online bank when it is really no more than a glorified shopping card (see my earlier blog on PayPal).
Just a few of the headlines over the last year or so that prove it is time for these organisations to get a grip and show some maturity and respect to their audiences:
2011, I predict, will be a year of awakening for Security and Privacy issues, driven by the real value that Cloud Computing offers business, and a strong political agenda in the EU and the unavoidable value this has for economic regeneration in the SME sector. Before this is realised, it is necessary to warm the cold feet of business by addressing the security concerns that are constraining the adoption of Cloud Computing, compounded by the Privacy dimension in the consumer space.
Business security concerns, I have found from many discussions with clients and IT companies, can be clarified from two core perspectives:
A. Trust – A lack of trust, and the re-setting of previous trust relationships as engagements shift.
B. Risk – Rationalisation of what an organisation’s or individual’s risk actually is. Perceived risk is often inflated and irrational, which leads to avoidable anxiety (inaction) and unnecessary cost (lost opportunity).
By materially classifying an organisation’s risk, I found it is possible to evaporate the distortions of what was formerly just a perception.
By implementing vendor qualification criteria for Cloud Service providers, barriers to entry around the unknown in new vendor relationships became less challenging.
Whilst we lack any maturity in Cloud Computing certification to provide the quality mark that businesses seek to aid them in their decision making, there are plenty of traditional best practices and badges of excellence that can act as a proxy.
The challenge is the lack of guidance for companies, and that is where I believe experienced and qualified Information System Auditors have a new string to add to their bow, and ISVs (Independent Software Vendors) can help accelerate their Cloud service strategies with solid security foundations.