Companies get flexibility and cost-saving benefits when they move from premises-based computers to the cloud, a.k.a. software-as-a-service (SaaS). Gartner forecasted that the worldwide SaaS market will double from $8 billion in 2009 to $16 billion by the end of 2013.
Yet many organizations are still reluctant to go to the cloud despite the array of security tools on the market. The reason, according to PerspecSys, a maker of cloud data security platforms, lies in two areas. The first is a lack of internal governance to ensure that security tools are put in and used and that practices are in compliance with increasingly strict regulations. Organizations need "to take the robust governance that typically already exists for enterprise-sensitive data behind the firewall and transfer this to the cloud." The second is ensuring application functionality in this secure environment, so that organizations do not have to decide which side of the fence to land on at the sacrifice of what is on the other side, i.e. tearing down the barrier.
The cloud security issue has created a governance gap that potentially makes these enterprises non-compliant with legal, regulatory or internal governance policies. For example, in the recent 'Security of Cloud Computing' study by the Ponemon Institute and CA, more than 50 percent of respondents in the U.S. said their organization was unaware of all the cloud services deployed in their enterprise. These rogue users threaten the security of the organization's sensitive data.
"Enterprises that are adopting cloud applications such as Salesforce.com (News - Alert) are increasingly doing so along with the implementation of SaaS security solutions," said Jeff Campbell, president and CEO of PerspecSys. "This is indicative of IT adapting their infrastructure to address the unique security requirements for cloud computing in support of the evolving needs of the business. However, the key challenge that remains is ensuring security without sacrificing functionality."
PerspecSys has sliced the public cloud into three layers. The first is platform as a service (PaaS), which is governed by standards set forth by the Open Web Application Security Project (OWASP). The second is infrastructure as a service (IaaS), which is governed by the SAS 70 II auditing standard developed by the American Institute of Certified Public Accountants. The third is SaaS, where users' data resides. It has attracted the most interest and positive response from the marketplace, yet it is the one layer of the cloud not governed by any standards to ensure data security.
This lack of security regulation and standards in the data layer presents huge adoption barriers for many enterprises, says PerspecSys. In its March 2010 Security Spending Survey, Goldman Sachs observed a significant shift in user sentiment to cloud and SaaS solutions. In its survey, only 24 percent of respondents said they would not use any SaaS or cloud applications until they have more clarity on how to secure their data, compared to 46 percent in an October 2009 survey.
Goldman Sachs attributed this shift in attitude to companies' abilities to design customized solutions to solve some of the data security problems, as 20 percent (versus 10 percent previously) now say that they use the cloud after an additional security solution has been purchased. However, these customized or third-party security solutions - mash-ups developed in-house, application integration, and encryption tools - can significantly impair the functionality of the cloud application.
"Consequently, the public cloud still presents serious issues for many organizations," says PerspecSys. '[This includes] data privacy demanded by regulatory compliance requirements, accepted industry standards and the organization's own internal directives; data residency that dictates control and governance of data, including its backup and recovery; and ensuring data security from both external and internal threats."
In its March 2010 report, "Top Threats to Cloud Computing," the Cloud Security Alliance highlighted common cloud-computing threats, including shared-technology issues, data loss or leakage, and account or service hijacking. It's these threats to sensitive data, the firm says, that cause C-level decision makers to block adoption of SaaS applications, and that is why organizations need to find ways to make the cloud just as functionally secure as premises.
"While IT departments can set and manage policies regarding platforms and infrastructure, regulatory compliance means the top-level executives must take responsibility for their data protection," said Terry Woloszyn, founder and CTO of PerspecSys. "PerspecSys allows the enterprise to apply their current data compliance standards and procedures to sensitive cloud data as well."
PerspecSys has eliminated the security-functionality paradox of the cloud with its Privacy, Residency and Security (PRS) data governance platform, the PRS Server. The PRS Server addresses the current concerns surrounding cloud adoption, namely the ceding to the cloud provider of control over private and sensitive data such as company secrets, personally identifiable data such as customer records, and other commercially sensitive information. PerspecSys allows the company to retain control over sensitive data, thereby mitigating the emerging threats to cloud applications and remaining compliant with regulatory and standards requirements.
The PRS Server has an available plug-in for Salesforce.com. PerspecSys plans to apply the same principles to other cloud applications in additional plug-ins to be released.
"We sincerely believe SaaS in the public cloud is the future," said Campbell. "But without a platform that can maintain the integrity of the value proposition and the functionality of applications in the public cloud while mitigating their inherent privacy, data residency and cloud security concerns, widespread adoption simply will not happen."Brendan B. Read is TMCnet's Senior Contributing Editor. To read more of Brendan's articles, please visit his columnist page.
Edited by Patrick Barnard