
Cloud Computing

4 Posts tagged with the cloud_security tag

I approach cloud computing from two perspectives: First, as a longtime CIO and IT executive, and second, as a co-founder of The Cloud Computing Consortium (C3) at Stevens Institute of Technology. Both give me unique insight into the history as well as the current challenges and future impact of the cloud.

Those of you who have been IT professionals for quite a while, like I have, may not realize that you remember the introduction of infrastructure as a service (IaaS) and software as a service (SaaS). How truly remarkable it seemed to simply request a virtual machine and have one in a matter of minutes. Need more memory or additional storage space? You merely asked and almost immediately the additional resources materialized.

Remember the first time you sat at the keyboard, entered your credentials and began to use a multi-tenant application running somewhere in the ether? There you were sharing an application along with hundreds, perhaps thousands of other people, literally all over the world, yet none of you were hosting or managing the system.

No, I am not talking about VMware or Salesforce.com: In the late 70s, it was possible to obtain a complete virtual machine including processor, memory, disk, card reader, printer and console from a mainframe running the IBM VM monitor. The virtual machine had a conversational operating system (CMS) which allowed you to create programs and data files through a command-line interface.

For recreation, one could visit the Courant Institute of Mathematics at New York University and sign into Plato--an online simulation of fighter planes in a virtual sky flown by the participants. It was Microsoft Flight Simulator meets the Xbox on the precursor to the Internet. But this was over 30 years ago!

My point is this: the basis of cloud computing is not really new. What is new is the breadth and scale of the offerings combined with the speed and the level of adoption in the commercial and government sectors. With Dell and Verizon beginning to restructure their businesses around this new phenomenon, you know it is headed for wide-scale adoption by businesses globally.

Still lacking, however, are business understanding, experience and the tools to maximize the benefits of this utility platform while mitigating the considerable risks inherent in cloud-based business models. The challenge is how a business can quickly move to cloud computing for front and/or back-office operations, while the technology and capabilities are morphing at a record pace.

The C3 was founded last year to grapple with key leadership and management aspects of computing in the cloud. A variety of topics, including the value proposition, business economics, risk mitigation, governance, sourcing and legal considerations of the cloud are being studied and debated by business leaders, IT executives, academics, management consultants and service providers. We are taking existing best practices and applying them to the new computing paradigm. I am on the committee examining the value proposition and business economics of the cloud. The committees have made good progress and are on target to contribute to a comprehensive document which will form the basis for our initial findings, recommendations and programs to be discussed at our next working session in September.

Amid all of the discussions, one area constantly stands out: Security in the cloud. Frankly, I don’t get what all the controversy is about. Management expresses concern over putting sensitive data into the cloud yet we routinely place our servers in shared hosting facilities and outsource payroll and benefits management. IT has been wrestling with third-party computing services for decades and knows full well how to mitigate the risks of availability, reliability and security.

In this regard, today’s “new” IaaS and SaaS are just more of the same. We’ve seen this stuff before and we should be able to readily adapt our proven contract language, deliverable definitions, SLAs, governance and other management practices to it.

Do you have a different point of view? I will be discussing this topic further as a panelist on the Smart Enterprise Exchange live webcast, May 10. I hope you will join us so that I can address your questions in real time. You can register here now.

* The Cloud Computing Consortium was created to help you navigate through all of the competing claims. It operates within the Stevens Center for Information Research at Stevens Institute of Technology. For more information, contact Ken Saloway, Program Director, ksaloway@stevens.edu

Earlier this month at our videocast on cloud security, panelists discussed the issue from both the customer and the service provider perspective. Many questions were raised about who is responsible for cloud security and how useful Service Level Agreements (SLAs) are in contract negotiations.

Both Liz Mann, CISO of Mycroft Inc., and Lina Liberti, VP of the CA Technologies Security Business Unit, said that customers must partner with vendors to protect their data in the cloud.

Liberti noted that “it’s critical to work with your vendor very closely; SLAs give you control and help you define what you want.” With specific language in place, you should “understand what’s shared or not, what options and technologies are used, and define the comfort level you need,” she said. An audience poll during the videocast showed that 79 percent of respondents believe that cloud security is a shared responsibility between providers and users.

Mycroft’s Mann said that as a service provider, “We have to deliver against those SLAs, and we take them very seriously. Quality-of-service (QoS) delivery and commitment to SLAs are what we live by.”

These assurances are just what concerned users — who are considering whether to trust service providers with their sensitive data — want to hear. Why, then, is there so much anxiety among CIOs when it comes to signing away their applications, storage, infrastructure and platforms to cloud service providers?

One answer, as Liberti also noted, is that customers “can’t give up control” when entering into cloud arrangements. And Mann told CIOs that having service providers host applications doesn’t absolve them from their basic security practices.

Revealing Results from Ponemon Study

To delve even deeper, I turned to a newly released study, Security of Cloud Computing Providers, conducted by CA Technologies and Ponemon Institute. The paper, the second in a two-part series about the state of security in the cloud, was eye-opening to me. Clearly, I realized, most vendor-user relationships are not 50-50 partnerships, and not all vendors are offering the type of assurances our panelists described.

After surveying a total of 127 service providers in the U.S. and Europe earlier this year, the Ponemon researchers concluded: “The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”

[Chart: chart11.gif]

As noted in the chart, there is a large disconnect between the perceptions of users and those of vendors about who is responsible for securing cloud data.

It’s Still the ‘Wild West’
During the Smart Enterprise Exchange videocast, Joseph Puglisi, a member of the executive council of the Cloud Computing Consortium at Stevens Institute and former CIO at Emcor Group, also advised customers to be cautious when they enter into cloud relationships and to weigh the benefits and risks carefully. Industry standards will evolve, he says, but right now “it’s the Wild West, and we need to establish law and order.”

Liberti, at CA Technologies, said that for all of their efforts to collaborate, ultimately IT will be held responsible by the CEO if problems arise. Therefore, she recommends getting CISOs involved in cloud contract negotiations from the start.

Here are additional highlights of the Ponemon survey:

  • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud, not theirs. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
  • Buyer beware: On average, providers of cloud computing technologies allocate 10 percent or less of their operational resources to security, and most do not have confidence that customers’ security requirements are being met.
  • Cloud providers say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications; improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
  • The majority of cloud providers admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
  • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions do.
  • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the providers are considering such solutions as a new source of revenue sometime in the next two years.


The good news from all of this is that shared responsibility will move both sides to better services and better security. Otherwise, as the report notes: “If the risk of breach outweighs potential cost savings and agility, we may reach a point of ‘cloud stall,’ where cloud adoption slows or stops” until organizations believe cloud security is as good as or better than enterprise security.

What are your security expectations when you enter into cloud computing contracts? Have you had success with SLAs? Share your experiences and advice for your peers here. And you can also view highlights from our recent live event here.


Security in the cloud is back in the spotlight. During a live videocast today, our panelists--Liz Mann, CISO of Mycroft Inc., Lina Liberti, leader of the CA Technologies security business unit, and Joseph Puglisi, former Emcor CIO and a member of the Cloud Computing Consortium at Stevens Institute--took a fresh look at the issues confounding CIOs and CISOs as they adopt cloud solutions. In particular, they discussed who is most responsible for ensuring data security in the cloud.

Puglisi said that concerns over security should not prevent you from trying cloud solutions. Mann agreed that as a business partner she tells customers about the need to tread carefully but also to move ahead with the cloud. She believes that good communication between the business and IT is key to having more secure cloud networks. "If you establish a line of communication, you will make business people more educated consumers."

On the topic of who bears most responsibility for cloud security, Puglisi believes that businesses must "trust but verify." The user "has to accept some responsibility," he said. "You have to have a failover plan in place just as if it were your own system. While you are depending on the third party, and you should have high expectations, you also need to have provisions in place and be ready for an inevitable failure."

Mycroft's Mann said that "services should be an extension of IT. It is not an excuse to abandon everything that came before."

When the Smart Enterprise Exchange videocast audience was polled, 75% said security is a shared responsibility between the business and the provider.

Watch for more coverage of this live videocast in coming days.

*About the Cloud Computing Consortium

The emergence of cloud computing will be a ground change for IT and a highly disruptive business event. The Cloud Computing Consortium was created to help you navigate through all of the competing claims. It operates within the Stevens Center for Information Research at Stevens Institute of Technology. For more information, contact Ken Saloway, Program Director, ksaloway@stevens.edu



We encourage your feedback. Reach out via the "Contact the Editor" and "Contact the Concierge" services for any needs, questions or comments. We look forward to serving you!

Paula Klein, Smart Enterprise Exchange Editor

Ellen Lalier, Smart Enterprise Exchange Concierge
phone 516-562-5727; fax 516-562-5466