SANTA CLARA, Calif. – Cloud computing comes with a slew of data governance challenges. How do you know what the cloud provider does to protect your data? Where does the provider’s responsibility end and yours begin? How do you know if the provider makes changes to its environment that impact your data security?
However, cloud computing governance challenges aren’t all that different from ones that come with traditional outsourcing, said Kevin Walker, vice president and assistant CISO at Wal-Mart. “We had the same problem when we started outsourcing 15 years ago,” he said during a panel discussion at the Cloud Security Alliance Innovation Conference held here Thursday.
“It’s a matter of do we have our own house in order?” Walker said. If an organization doesn’t have strong internal data governance and simply hands its data center to a service provider, it’s asking for trouble, he said. A better alternative for moving to the cloud is a “greenfield” approach instead of forklifting legacy applications, he added.
But Francoise Gilbert, managing director of the IT Law Group and general counsel of the CSA, said there is a difference between cloud computing and traditional outsourcing: Small organizations can’t negotiate a cloud contract the way they could an outsourcing contract.
Walker said SLAs make attorneys happy, but haven’t helped him with outsourcing issues either: A provider can sign a contract and then make changes, for example, to the security around its infrastructure. “We need to have operational insight” to make sure what’s been agreed upon with the provider is actually in place, he said.
Ultimately, organizations will have to pay more to get the security they want with a cloud provider, Walker said. “That’s the cost index most organizations don’t realize,” he said, explaining that the cost efficiencies of cloud computing quickly dissipate once the necessary security is added on.
The cloud model is the opposite of customization, Gilbert said. “If you want custom, you have to pay for it.”
Tim Mather, advisory director at KPMG LLP, said cloud service providers are starting to wake up to the need for security. “They’re hearing from customers it isn’t good enough. … You’re having an awakening that security is really important,” he said.
He cited Salesforce.com’s acquisition of cloud encryption company Navajo Systems last year as an example of a move by a cloud provider that “ups the security bar.”
When an attendee asked whether cloud providers could boost security for small and midsize businesses that don’t have resources for security, panelists responded that it wasn’t necessarily so.
Harshul Joshi, advisory director at PricewaterhouseCoopers LLP, said if a small business can be happy with “70% security” then that’s the scenario, but if an organization wants key management in a certain way or other security functionality, “it’s a whole different ballgame.”
The security offered by the cloud provider also depends on the cloud model, Anton Chuvakin, research director at Gartner, said. In the IaaS model, a cloud provider is responsible for security at the layers it controls, but the small business is responsible for other layers. Unless the SMB uses only SaaS, it may run into the same problems with lagging security, he said.
Walker said organizations need to make sure they don’t fall for the hype when considering a move to the cloud. While the cloud offers opportunities, companies need to make sure those benefits don’t come with increased risk. “Everyone has a risk appetite,” he said.
The first-ever CSA Innovation Conference, sponsored by the Silicon Valley CSA chapter, was designed as a forum for IT architects, executives and start-ups to talk about cloud security challenges, best practices and new cloud security technologies.