In terms of security, cloud providers and MSPs still have a long way to go when it comes to inspiring confidence in their customers. Seventy-one percent of corporate IT managers consider cloud security issues to be the biggest barrier to adoption, according to a recent ZK Research survey. Depending on how skillfully a cloud provider or MSP can talk prospective customers through their cloud security concerns, though, this can be an opportunity or an obstacle.
From the customer's perspective, cloud services seem risky due to the inherent loss of control. Transferring corporate data between private and public borders is something that many network managers have never had to deal with before. This presents a tremendous opportunity for cloud providers and MSPs to add value to their cloud services that is above and beyond the service itself. If cloud security issues are the chief barrier to adoption, then they also have the potential to be the biggest differentiator among cloud providers.
Talking points: Five cloud security issues to cover
Helping prospective customers make sense of cloud security issues isn't simple, though, as it is a multifaceted problem. It's critical that cloud providers and MSPs ensure enterprises understand that securing the cloud requires new tools and processes tailored for the cloud's key challenges. When discussing cloud security issues with an enterprise or SMB, cloud providers and MSPs should walk each customer through how they're addressing these five core areas of concern:
- Protection of corporate data: Cloud providers and MSPs must articulate their strategy for securing data that exists in a multi-tenant environment, especially if that data must be commingled. At minimum, providers must also show customers how data is encrypted based on sensitivity and threat.
- Network-related cloud security issues: This should be a significant point of differentiation for cloud providers that also sell network services. Any kind of denial of service (DoS) attack designed to flood network devices may make a cloud-based application unusable, so cloud providers and MSPs must ensure that network security policies are consistent in every location where a customer's cloud-based resource resides. Service providers may fortify their cloud services by attaching them to managed distributed denial of service (DDoS) protection services, managed virtual private networks (VPNs) and managed intrusion prevention system (IPS) services. Additionally, cloud providers and MSPs that use network behavior anomaly detection (NBAD) tools should demonstrate for customers how that technology is used to get a baseline understanding of user behavior and then trigger an alert on anything that creates a significant deviation from that norm.
- Infrastructure isolation: The key concern for the corporate IT manager is securing infrastructure that is not owned by the IT department. Cloud providers and MSPs must educate customers on how they're shielding each virtual machine (VM) from other resources; creating a unique identity for corporate cloud resources, or fingerprinting; and tracking the movement of cloud resources. Cloud providers may offer isolated infrastructure as well, but this can be prohibitively expensive for a provider to implement unless the customer is willing to pay a significant premium on top of the basic service charge.
- Corporate audit and compliance concerns: Prospective customers will want to ensure that the cloud provider’s or MSP's audit and compliance standards are at least as strong as their own companies' -- preferably better -- requiring providers to open up their compliance playbook for customers. Although cloud providers aren't obligated to conduct third-party audits or obtain cloud security certifications, not doing so may be a deal-breaker for customers with strict compliance requirements.
- Authentication and access to consumer devices: As enterprises and SMBs continue to struggle with IT consumerization trends, cloud providers and MSPs must be ready to articulate how they're addressing cloud security issues related to mobile devices. The cloud-based delivery model can potentially open the floodgates for consumer devices, as it makes accessing any IT resource as easy as launching a Web browser or mobile app. Cloud providers should demonstrate for prospective customers how they're using network access control tools and 802.1x authentication to control access from the network, as opposed to from the endpoint. Desktop virtualization or SSL VPNs may also enhance endpoint security and enable more consumer devices to be used without increasing corporate risk.
Although this isn't an all-encompassing look at cloud security issues, it should provide a solid starting point for cloud providers to discuss the complexities of cloud security with IT decision makers. Despite the security concerns, the value proposition of the cloud is strong enough that the majority of companies, large and small, want to be educated. Alleviate your current and prospective customers' cloud security concerns by articulating how your tools and processes prevent or mitigate the risks.
About the author: Zeus Kerravala is the founder and principal analyst of ZK Research. Kerravala provides a mix of tactical and long-term strategic advice to clients, which include service providers, IT and network managers, hardware and software vendors, and the IT investment community.
This was first published in December 2011