Do you know the feeling: a mental picture is building up in your mind over time, and suddenly you read something and the murky picture becomes clear?
For me, such a eureka moment came yesterday evening when I read about a survey by the Ponemon Institute, an information security research firm, about the connection between cloud adoption and security. In short, the survey stated that the better the knowledge and practices of the security department of a company or governmental organization, the higher its cloud adoption rate.
At first glance this statement seems to be a contradiction in terms, driven by wishful thinking on the part of cloud providers. The good thing about this survey, which helps its credibility, is that it was done by an independent research company and is based on feedback from 4140 managers.
But for me it also reflects and makes sense of a lot of discussions that are going on at customer sites at the moment. When I discuss cloud architectures with customers, there are two extreme attitudes I encounter, with a lot of others in between:
Statement 1: We will never implement a cloud solution as it is not secure and contradicts legal requirements. I will never ever agree to the usage of a cloud solution.
Statement 2: We are aware of the risks associated with a cloud solution and we now want to discuss the details of how to ensure compliance with data protection and security requirements.
Trying to build up the bigger picture, I took away two observations from many of these discussions:
- The majority of the representatives of the first group belong to the IT department, whereas the second opinion is more likely to be found among line-of-business managers.
- The second opinion is very often expressed by managers and experts from companies and organizations which have good security practices in terms of skills, an enterprise security concept and also routine tasks like the provisioning of the necessary users and authorizations for a new employee.
Do not get me wrong: I do not want to say that skepticism toward cloud solutions is due to insufficient security practices. A possible explanation of statement 1 is also that IT experts know more about security risks than line managers. Rather, in my view, such results are a call to action for architects and security experts to improve the level of the security practices in their organizations. Perhaps this information from my former publications can help you a bit.
One thing is for sure for me: the momentum toward cloud solutions, to one degree or another, is unstoppable for nearly all organizations. The US federal cloud strategy is just one example. IT departments have to decide whether their importance will decrease when they are perceived as a roadblock to all cloud activities and are bypassed by the business side.