Security remains a universal concern -- though some CIOs are more bullish about cloud providers' handling of it.
"Security is one of the more complex problems to solve. To really put together an effective solution, you need to cobble together 5-6 solutions," says Randy Spratt, CIO and CTO at McKesson.
McKesson relies on a suite of tools, from antivirus and malware to secure web gateways. One of its more unique features is for data loss prevention: McKesson inspects data in motion, looking for transactions or records that contain protected health information, such as procedure codes and social security numbers. It halts any transaction that triggers a red flag, Spratt says.
Likewise, Humana relies on multiple tools and tactics to protect individuals' information. Before engaging with a cloud-services vendor, Humana assesses the provider's security framework -- what tools they use, the general approach to security, how encryption is handled, the ability to ensure information never leaves the continental U.S., and a whole host of other things, says Brian LeClaire, CIO at the health insurance provider.
On the positive side, cloud providers understand that legal and security issues are some of their biggest obstacles, so they've really concentrated on addressing those issues over the last several years, says Wayne Shurts, CTO at food distributor Sysco. "They have pretty good answers."
Although some skeptics worry about security and risk in the cloud, Whirlpool CIO Michael Heim says those issues are improved by cloud computing because the vendors stay up to date on the latest technology. He points out that the infamous breach at retailer Target was a problem of internal systems, on premise. Security problems arise from "how you're managing, not where it is," Heim says.
Whirlpool today is much less conservative about using the cloud that it used to be. Amazon and Google have come a long way toward being enterprise-friendly, and corporate legal teams have come a long way in their understanding of cloud, Heim says. IT's role is to communicate and demonstrate how the cloud meets business requirements. "People worry about risk and security -- [but] you improve security and de-risk your environment with cloud. I also believe you improve your ability to compete," Heim says.
"The big challenge is that it's just different. You have people thinking in old models, not new ones."
Another challenge that IT teams seem to be getting a handle on is end users purchasing unauthorized cloud services.
Shadow IT is less challenging than it was a few years ago, when cloud vendors would pitch that customers could be up and running without involving IT, says Steve Phillips, CIO at Avnet. Today Avent's IT group is more in step with the business. When business units want new tech, they will talk to IT first, Phillips says. "We rely on quality of relationships as governance."
Sign up for CIO Asia eNewsletters.