By Jim Lundy
You can’t read a technology blog today without getting hit with Cloud. The question asked most often is: Are you ready for the Cloud? I’d like to suggest that you flip it and see if your vendor’s Cloud is really ready for you and your needs. The problem with Cloud, Applications and Content is that it often just isn’t as easy as it sounds. Doing a Public Cloud right and in a secure fashion takes work and it takes time.
Today, there are many ways to leverage Cloud, with SaaS applications being the main one. There are some surprisingly basic things that sometimes are not happening when it comes to Cloud. Often this has to do with shortcuts in how SaaS applications are deployed and managed in a Cloud. Getting smart about some of the things that are implied and basic (but often don’t happen) is the first step before deciding to evaluate Cloud providers and their applications. This includes things like Diesel Generator backup power (see related post about Diesel Generators, Amazon and Cloud Computing).
Cloud Security Basics
Google didn’t add SSL to its email service until 2010, shortly after they were hacked. There are many other vendors out there proclaiming to be SaaS, but they don’t do some of the basics to secure the content or even the SaaS application you are licensing from them. It sounds basic, but SSL enablement of applications is a must-do. Making Mobile apps SSL compliant is also something to check. If the end points aren’t secure, then getting access to the application and then your content is fairly easy. This isn’t limited to start-ups. Large vendors also have security issues that go unnoticed.
Also, increasingly, enterprises need to start managing their multiple cloud-based applications through unified identity management from providers such as Okta, McAfee, IBM and others.
Cloud and Securing Content
The big issue that exists with the Cloud is that bad people want access to your information. They monitor your staff and what they do. They look for announcements about applications you are using and then they start to plan their attack. The biggest issue with content shifting to the Cloud is with the security that surrounds it. Not all content and data is ready to be moved to the Cloud, mainly due to security risks that still need to be addressed by vendors.
Webconferencing (which is now on a collision course with Video Conferencing) is one of the oldest forms of a Cloud SaaS application on the market. These systems connect people in real-time via a robust and secure cloud. Some of the providers (such as WebEx and Saba) will store the meeting recording in their respective Cloud for later access. Most big users of these services do regular verifications of the Security offered by these services.
Let’s examine Human Capital Management (HCM) and Talent applications. Talent Applications such as Learning and Performance Management have been available as SaaS applications for years. They take feeds about employees from the system of record (the HCM system), but they don’t contain all of that valuable information, such as payroll and employee bank account information.
HCM in the Cloud is now a hot topic, and Oracle and SAP are racing ahead with their Clouds. Even with that, it is still early days for HCM and Cloud. I have spoken with numerous CIOs and their staffs about HCM. Many are being very careful about shifting their HCM system to the Cloud for a simple reason: they are worried about the security of their data. In some cases it is a simple discussion. “If I move our apps to the Cloud and we get hacked, I’ll get fired.”
For Enterprise Content Management, it is also still early days for the Cloud. Lots of Cloud Content Management providers are emerging, but today we estimate that 95% of enterprise content is stored onsite in ECM systems. Because of BYOD and limits on email storage, users are fighting this and buying their own content sharing accounts at places like YouSendIt and Dropbox. That creates risks to the enterprise when those vendors get hacked, as Dropbox just did. If you are a large enterprise, you might want to check how many of your employees are sharing your content via these services.
We do see Cloud Content Management as a growing area, but there are numerous considerations that need to be examined to ensure your content is secure. Some of the things to be careful about have to do with the basics of the security that surrounds the users and their access to the cloud application. Some have to do with the Cloud Data Center, where it is located and in what country. It also means looking at the basics of how the application is managed and how the data center where the servers are housed is run.
Suffice it to say that Cloud isn’t going away. But making the shift to the Cloud takes a lot of work and examination of your potential providers. So, we end with what we started with. Your Cloud vendors may not be as ready as they claim when it comes to securing your content. Careful due diligence is needed before taking the plunge into Cloud.
Author’s note: During my Sabbatical away from being an Analyst, I had a General Manager role and it involved delivering applications via the Cloud. Ensuring that Cloud SLAs are met and exceeded is an eye-opening experience.


Thanks for the piece, but I don’t see a lot of info about specific measures to look for in order to determine whether a cloud vendor is sufficiently secure. What should, say, a web conferencing customer look for in a cloud vendor’s security infrastructure?
Alex, thanks. We don’t publish everything in our blog. We have conversations every day with our clients about issues and opportunities regarding Cloud and Cloud applications like Web Conferencing.
Some of the areas are simple, like ensuring that the Mobile app for your Web Conferencing provider is SSL enabled. Since we have an Aragon Research Globe for Real-time Collaboration under development, you’ll be hearing more about this topic going forward.
I think the biggest blocker for adoption of software as a service is security concerns. Big corporations don’t like the idea of not really knowing where their data is, and this is a tricky one to overcome although I believe it’s inevitable that they will overcome their concerns given time and early adopters.
Excellent post. I was continuously checking this blog and I’m impressed! Very useful info, specifically the last part.
I care for such info a lot. I was seeking this particular information for a very long time. Thank you and best of luck.