‘Tis the Season of Goodwill; so let’s put the record straight on Cloud Security

Security is oft touted as the number one inhibitor to cloud adoption, but is there grounding for this in technology terms?

I know you probably have your mind on some last minute Christmas shopping or maybe how you can survive the office party so I’ll keep this posting at a high level and not delve deeply into the many and varied aspects of security, privacy, risk perception etc. I will however recommend a excellent article called ‘Risk Perception and Trust in Cloud¹‘that covers such issues in much greater depth.

So, back to the question – why does security get highlighted as a major inhibitor to cloud adoption?

Juniper has been the market leader and segment leader² of secure remote access solutions for many years and almost all enterprises will have a secure means of accessing business services over the Internet, be they in-house or hosted. Is cloud really all that different?

‘What about virtualization?’ you may say. Well, yes, that is a more recent innovation but even that has been around for many years and we are now at a point where solutions are available to implement security in the virtual world just as you would in the physical one. So virtualization may make things a little more complex but it certainly doesn’t prevent secure service implementations to be deployed.

So why does survey after survey put forward ‘security’ as the major inhibitor? What’s so different about cloud service models versus well established remote application access?

I think the answer lies in people. As people, we have feelings, instincts, concerns and emotions. When we look to implement change, emotion is a strong influencer. The emotion of the change surfaces in the form of an aversion to risk. Change is possibly one of the biggest risk factors facing IT managers today and the fear of a ‘bad change’ is considerable. However, not making change is also a massive risk as technology races ahead and so may the competition.

Within the enterprise an emotional commitment from all business functions, not just IT, can help drive change.  Where the risk benefit can be understood by all, so a culture of change can be supported and encouraged; rather than waiting to jump on IT if a change goes bad. As I discussed in my blog ‘Meatballs and Spaghetti’, this requires a translation from technical language into business language. Security solutions are re-positioned as business risk and business impact. People can then relate emotionally to the need and purpose for change.

I believe a similar but inverse situation exists between the enterprise and the cloud service provider. The fundamental emotion in this instance is trust. Can the enterprise trust the provider with its business data and processes? Of course, it’s difficult to specify ‘trust’ in an RFP, so a different language is used. The emotional language of trust is replaced with the technical language of security. Hence, in a way, security gets the blame when in reality security technology per se is not the issue but rather the holistic manner in which security and process are applied in the context of trust.

So if security becomes an ‘attitude to risk’ conversation inside the enterprise, it becomes an ‘attitude to trust’ conversation between the enterprise and the provider. As a provider, you need to be able to address the emotional needs of the customer. ‘Security’ is not the issue. People buy from people they trust.

A very merry Christmas and happy new year to you all – be secure, be safe.

Nigel Stephenson

Head of Cloud Services Solutions Marketing, EMEA

References:

1. Risk Perception and Trust in Cloud. ISACA Journal (2010)
2.  Gartner Magic Quadrant for SSL VPNs. (2011)