Everyone is talking about the race toward cloud-based computing, but apparently, most organizations aren't rushing to embrace the emerging Web-based infrastructure as quickly as they might - based at least in part on concerns over security.
A new study into cloud computing adoption trends published by enterprise IT consultants Avanade and conducted by pollsters at Kelton Research finds that security remains a significant question in the minds of many C-level executives and IT managers.
According to the 500 or so enterprise executives and IT buyers interviewed by Kelton around the globe, organizations still prefer the control and security offered by internally managed IT systems over cloud-based computing by a 5-to-1 margin. It's worth noting that at least half of these respondents also consider themselves to be early adopters of cloud computing.
Driven by concerns about security, 84 percent of the respondents indicated that they have no plans to transition to greater doses of hosted infrastructure in the immediate future.
What can we take from these results beyond the obvious? Well, for one thing we can deduce that on the highest levels of IT management, security priorities still take precedence over the opportunity for cost-savings - since one of the biggest advantages promised by cloud computing is the ability to offload the expense of staffing and maintaining your own data centers.
The results would also seem to say that most organizations still like to run their own IT shops with their own people, since offloading the management headaches of computing infrastructure is the other leading driver for proposed adoption. Simply put, organizations just aren't yet willing to trust some cloud services provider with every element of IT systems management.
But the fact that security remains one of the big issues halting faster movement into the cloud really shouldn't surprise anyone. If anything, the people surveyed know best how hard they've been working to keep an eye on their own stuff and obviously have to wonder if a service provider will care as much.
There's also the idea that the providers hosting many companies' sensitive business information will become such a huge, centralized target for attacks that they become virtual feeding grounds for cyber-thieves.
As far back as 2007, SaaS market leader Salesforce.com confirmed that malware and phishing attacks aimed at its customers had resulted from an incident in which one of its own employees was swept up in a phishing scam, exposing the hosted applications vendor's customer database.
And then there's the question of liability. If a cloud services provider gets hacked, are its customers still liable for any of their data that is stolen as a result?
On the flip side, if liability is transferred to the provider, the ongoing move to approach IT security strategy from the perspective of risk management could benefit cloud adoption.
If a company can offload onto service providers a good deal of its risk for things like electronic data breaches, it would seem that doing so might make sense, especially if courts will allow companies to pass the blame to hosted services providers when security breaches inevitably occur.
So, just how cloud computing will eventually affect IT security remains to be seen, with potential benefits and risks on both sides of the argument for or against the transition.
However, for now, it seems that cloud computing remains something of a pie-in-the-sky prospect for most organizations, specifically where security is concerned.
Can you stand the rain?
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.