Security remains a chief inhibitor to enterprise adoption of cloud computing resources and one Gartner analyst says the biggest concern should not be that data could be compromised in the cloud, but rather that there may be a cloud outage that could lead to data loss.
There's a perception, says Gartner cloud security analyst Jay Heiser, that the most significant risk in using the cloud is that sensitive data can be leaked. But there's been little evidence of that, he says. Sony suffered a compromise of potentially tens of millions of customers in 2011 related to its cloud, and there have been a handful of other breaches of personally identifiable information being leaked from the cloud.
But more common nowadays are cloud outages and data loss, and Heiser says many enterprises are ill-prepared for those incidents.
Just look at some of the major outages from the past few years. Amazon Web Services, the market-leading cloud provider, has experienced three major outages in the past two years. After an April 2011 Elastic Compute Cloud (EC2) outage, some level of data was irrecoverable, Heisler says. Evernote lost the data of 6,000 customers in 2010 and Carbonite lost a portion of its customer's backups in 2009, he says.
Many of these events are caused by errors following upgrades of systems, he points out. Amazon, for example, credited its most recent outage on a new piece of hardware being installed in its data center.
The outage led to Reddit, Imgur and other popular sites being down, and AWS issued credits following the incident.
These issues have happened over and over, so they're likely to happen again, Hieser said during a webinar hosted by Gartner this week. Despite this being one of the biggest concerns for cloud users, Heiser says only half of companies recently surveyed by Gartner had a process to evaluate their business continuity processes. He adds that security breaches should not be ignored, but the more pressing concern is around business continuity.
The cloud industry is slowly addressing these concerns, but vendors, users and third-party bodies that are attempting to push cloud security improvements could all be doing more, he says.
Vendors have been reluctant to address security recoverability from data loss in service-level agreements (SLA), he says. "It remains a common complaint that cloud service providers are being ambiguous around what they're specifically doing to protect customers," he says. Some providers may not divulge information because doing so could represent a security threat, they say. Providers many times claim a high level of availability and confidentiality of users' data, but Heiser says they provide little evidence for customers to verify those statements.
Sign up for CIO Asia eNewsletters.