Cool third-party cloud security apps miss one big problem
Is there an app to help me get the business units to say 'yes?'
A whole series of startups have cropped up to try to address concerns about the security of the cloud. Most of them don't really address the core issue, though.
Most use technology to address the insecurity of the cloud - adding the ability to track IT resources relegated to the cloud (using a cloud-based service that then becomes another IT resource to track), cloud-based backup for cloud-based data , testing of apps or data moved to the cloud.
All perfectly valid and perfectly relevant and entirely peripheral to the core weaknesses of the cloud - many of which have more to do with organizational issues, policies or preparation than they do technology, according to a new study from Janco Associates.
The study, mainly blueprints and templates designed to help IT execs find, hire and structure cloud-service deals, is built on surveys of senior-level IT execs, who talked about more than just their technology issues.
All of them are being pushed to lower costs, make IT more efficient and more effective for business units; most are also being pushed by non-IT execs to use the cloud to do it (the version of the cloud found in airline magazines).
Rather than just being able to shove some big chunk of a company's IT infrastructure into the cloud and reap the immediate savings, most of the execs surveyed said they have to do sometimes-lengthy evaluations of their company's own priorities and policies on security, data integrity and control and application availability.
It makes no sense to hire a cloud provider to provide 24/7, five-nines availability for an application no one uses outside of business hours. It makes no sense to hire a high-security, private-cloud service for data that turns out to be so heavily regulated by European privacy rules, U.S. HIPAA regulations or other strictures that it's illegal to house it outside the company's walls in the first place.
Many companies already have all that information on hand, of course, from their own efforts to put together disaster-recovery plans, overall enterprise data-security requirements and the like.