Monday, February 09, 2015
Insecurity about Cloud Security and Value versus Return
I was at a conference of small and mid-sized Cloud service providers who were discussing the current state of the market and its evolution, with everyone talking digital. They were hoping to collectively brainstorm and learn from each other’s experience. They discussed the evaluation criteria they were subjected to, the problem statements they had to answer, and the two biggest stumbling blocks that would not go away even with the maturity of cloud solutions and a growing customer base: ROI and Security.
Some large enterprises have adopted a cloud-first approach to their new initiatives, while they seriously evaluate movement to the cloud whenever faced with any upgrade or refresh decision. These early adopters and fast followers are now more or less convinced that it does not make sense to continue investing in conventional hardware solutions. Data centers and servers are best left to the experts to manage, while application management was outsourced a decade back. DevOps is the way to go and Cloud is where everything should reside.
Of course, there are industries which have seen exceptions for some types of solutions which are still not amenable to being on the cloud. Even the providers acknowledge this and keep away from pitching for such use cases. Big monolithic solutions are facing the agility challenge, and the paradigm has shifted to accommodate multiple for-purpose apps on the cloud that are making some parts of the big solutions redundant, or enhancing productivity by reducing the effort to complete a workflow or task in the conventional solutions.
Consumer and personal apps reside on the same devices that are used at work; this transgression, managed or otherwise, is here to stay. CIOs and CISOs have learnt that pushbacks are no longer accepted and they have to find a way to make peace and find solutions that allow coexistence. MDM has evolved to provide some level of containerization to separate the official from the personal, and the ability to brick a device should it be lost or fail to be returned on exit. So where is the unfulfilled promise of security and ROI, or is it just a favorite flogging horse?
How secure is your cloud solution? Have you had any security certification done for your software? When was the last time a penetration test was conducted? What is the uptime offered on your cloud? Clouds are expected to save money; what is the ROI of your solution? The service providers’ reality was that they had to field these questions every day, with every customer, with every opportunity, with everyone they met. It was as if repeating the message would strengthen its value and make it work for the customer and stakeholders.
After all the due diligence and certifications, customers then go on and deploy the solution with limited security governance and vulnerable practices that expose the data. Eventually, if and when data leakage does occur, the cloud and/or the solution is deemed immature and not up to the mark. Attempting to create idiot-proof solutions with all the checks and balances to protect against human stupidity is the final and ultimate step in ensuring that the solution is secure; and this has remained the goal of every enterprise and the challenge for every provider.
Return on Investment is a different ballgame; value is a function of the frame of reference of the perceiver and has nothing to do with reality. For someone a dollar a month per user may be value, and for another $10 is not expensive. Can service providers do justice to the wide spectrum of expectations? I am not sure that kind of elasticity exists; volume-driven discounts or market entry strategies may offer initially low pricing, which is rarely sustainable in the long term unless the end game is market valuation and not profitability.
At the end of the discussions, collective wisdom indicated that alleviating the fear factor will take its time, with evolution not being consistent and everyone wanting to reassure themselves of the risk factors. It does not matter how many have taken the leap of faith or how long the solution has been around. Even today there are buyers apprehensive of every decision, lest it not work in their unique environment or they be unable to leverage the value. I think that the discussion will keep popping up and we will have to reassure a zillion times over.