Cloud Computing

EXPERT ADVICE

Top 4 Reasons CISOs and CTOs Fear the Cloud

For years, IT departments have had full control over their own infrastructure — for better and worse — and are naturally uncomfortable with anything that prevents them from being the sole resource for their own infrastructure. They have been trained to maintain tight control because of the complexity of their own environment — a positive trait that has helped to assure timely and accurate delivery, but limits their ability to accept change.

It should come as no surprise, then, that IT often views data leaving its network as a negative rather than a positive. However, Software as a Service cost-savings and the ability to help companies foster innovation within their own infrastructure is too strong a value proposition for most enterprises to ignore. Although management may be pushing cloud initiatives on reticent IT staff, many chief information security officers (CISOs) and chief technology officers (CTOs) are wary of the hype and have nagging fears about the loss of infrastructure control, loss of ownership of data, vendor lock-in and data security.

These fears are largely rooted in false perceptions about loss of control and security — and in false beliefs in the flexibility and strength of on-premise solutions. The key to avoiding these potential pitfalls is to thoroughly evaluate your SaaS partner. Like any other industry that achieved popularity quickly, there are many companies that are slapping “cloud computing” stickers on their products and positioning them as brand new.

Enterprises need to delve into the details of their partners’ operations, software and license agreements to ensure they are aligning themselves with a company taking advantage of modern technology and protocols, so none of their fears come to pass.

Fear No. 1: Loss of Infrastructure Control

This is a problem perpetuated by managed service providers during the 1990s, when businesses would move from on-premise solutions to managed services. Back then, some managed service providers could not provide an environment in which they could deliver timely or reactive support or functionality, thus frustrating the end-users.

The sophistication of technology today has allowed the industry to move away from this unwanted scenario and provide the best of both worlds: The administrator retains the granularity and control that is provided by an on-premise solution while still getting timely support.

That said, all vendor infrastructures are not equal. Enterprises should fully understand the infrastructure of a vendor’s SaaS-based solution and ensure there are no single points of failure, such as those found in the recent T-Mobile data fiasco.

A key attribute enterprises can look for in cloud partners is whether or not they use a grid computing system and, if so, how they define “grid computing.” Grid computing is a proven method for achieving 99.999 percent reliability. That’s because in the event of an outage or corruption, these networks are able to shift data burdens to alternate locations or across shared multiple locations rather than creating single points of failure.

Instead of causing an informational bottleneck, data is simply accessed from another part of the grid until the problem is fixed. Rich SaaS implementations are every bit as powerful as on-premise solutions and allow the administrator to maintain control of the application without dealing with the environmental requirements.

Fear No. 2: Loss of Ownership of Data

This ties into the first fear because it deals with IT being uncomfortable with data that is not on its own infrastructure. This fear is a valid concern, as data is generally processed or held offsite by cloud vendors; however, on-premise providers often lock customers into solutions by making any migration or upgrade path both cost-prohibitive and technically undoable.

Enterprises need to ensure that data ownership is addressed in detail in the cloud licensing agreement or terms and conditions. Reputable SaaS vendors will ensure that companies always own their data, that it is not provided to anyone else or used for the benefit of the service provider, and that companies are able to easily access their information whenever they need it and get it back, however large the volume, should the partnership not work out.

Systems based on modern technology provide enterprises with a robust administration console that allows you to set all data policies, review access information, control data users and freely interact with data. If a SaaS company cannot guarantee these types of capabilities, enterprises should be wary of partnering with them. Also, enterprises should research the company’s partners, press clippings and case studies to get an idea of what industries its solutions are best suited for and how it works with clients.

Fear No. 3: Vendor Lock-in

SaaS solutions can lock customers into their products by using proprietary formats for encryption and data storage that make future migration difficult. But guess what? So do on-premise vendors.

This is a long-standing IT problem that goes back well before the cloud. The reality is that cloud vendors make access to data easier and allow customers to export data as is, and when required.

Fear No. 4: Data Security

Data security is an excuse that has underpinned the cloud skeptic’s position since the introduction of cloud computing or SaaS solutions. Issues such as the potential for multitenant systems to cross-contaminate data and allow a breach have made the rounds — but have no grounds in reality.

This mindset does not take into account that a cloud vendor is a security provider. Cloud vendors can build security and resilience into their solutions from the ground up and are able to provide massively more security and resilience to their customers than would ever be possible with an on-premise solution.

Encryption and data loss prevention capabilities are a given for SaaS vendors, but there are a few additional areas companies can look into to ensure their potential partners are secure:

  • the security policies for data in flight, in use and at rest;
  • the physical security practices the company employs for its servers; and
  • the process by which data is shared with separate clients (to learn more about cross-contamination possibilities).

In reality, it is the CTOs and CISOs that are generally pushing for the adoption of cloud-based solutions because they are technical users and decision makers who understand the concepts and architecture of the cloud. As with any technology with a ton of hype, sometimes they are not able to filter through the rhetoric generated by skeptics and those afraid to make a change to the status quo.

Methodical evaluations of SaaS vendors can go a long way toward alleviating these fears and ensuring their cloud computing projects are successful.

These four fears often overshadow the one true SaaS benefit for CISOs and CTOs: namely, transforming the IT department from a help desk to a competitive differentiator.


Mary Kay Roberto is senior vice president and general manager ofMimecast North America, a SaaS provider of a technology platform designed to radically improve the way companies manage their most important business communications and data.

1 Comment

  • Succinct myth-busting. We advise a lot of clients on moving to the cloud (reviewing the agreements) and often find unnecessary resistance if this type, most of which is addressed in the SLAs of the Cloud providers. They are, as you well point out, SECURITY providers.

    Well done.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels