Security on the cloud: Myths dispelled
By A. Asohan May 23, 2012
A shorter version of this issue was previously published here.
- Malaysian SMEs on the cloud say they are more secure
- Non-users still cite security concerns as a barrier, however
WHILE many companies are wary of moving to cloud computing, citing security as a main concern, new research by comScore showed that actual users are spending less time and money on managing security, while achieving higher levels of it.
The research was commissioned by Microsoft Corp and conducted on small and medium enterprises (SMEs) across five markets – Hong Kong, India, Malaysia, Singapore and the United States. SMEs in this case were defined as companies managing between 100 and 250 personal computers in their organization.
“In Malaysia, 50 cloud users and 43 non-users were surveyed independently by comScore in March and April this year,” says Adrienne Hall, General Manager of Microsoft’s Trustworthy Computing Group. “The respondents were unaware that the survey was commissioned by Microsoft.”
The study was funded by the Trustworthy Computing Group, which was established more than a decade ago. “Our team sits outside the business groups where products are created. This way, we can look across the company and focus on processes and procedures to improve the security, privacy and reliability of all the company’s products and services.”
“We are extending all those investments to the cloud,” she adds, speaking at a May 22 media briefing on the survey findings at Microsoft Malaysia’s office in Kuala Lumpur.
“The cloud is a game-changer, giving new levels of agility and flexibility that allow companies to focus on their own core business, instead of having to focus on the business of IT security, for example,” Hall says.
However, many companies are reluctant to make the transition because they fear the cloud is less secure, she notes.
The findings in Malaysia, especially the experiences of SMEs who have made the switch, are a surprising retort to these fears:
- 56% of the SMEs said they spent less time managing security since adopting the cloud;
- Almost two-thirds of cloud-using SMEs said they believe that IT cost savings are a primary benefit of cloud usage, and 52% said the same about higher levels of security;
- 22% of SMEs that transitioned their businesses to the cloud said they had been able to reduce the portion of their IT budget used for managing security during the past three years; compared with 13% that do not use the cloud;
- 52% of Malaysian SMEs said their business was more secure as a result of moving to the cloud;
- 46% said they were more confident of their company’s regulatory compliance; and
- 46% said they found it easier to integrate new systems or technologies than to being on the cloud.
“Integrating systems here includes, for example, adding new features to your customer care system. With the cloud, you don’t need someone to go to all regional offices to upgrade the software, and so on,” says Hall.
Furthermore, cloud-using SMEs said they were able to:
- Invest in more product development or innovation (70%)
- Focus more internal resources on core business (52%)
- See spending less time managing security information as a primary benefit (44%)
- See an easier ability to scale business to new markets (38%)
- Employ more staff in roles that directly benefit sales or growth (38%)
This contrasted deeply with the perceptions of SMEs that had yet to adopt the cloud, Hall notes, with 51% citing security concerns as the reason why they had not moved to cloud computing. “Also, 53% cited the perceived cost of transitioning to the cloud as a barrier to adoption.”
“This really dispels some of the myths surrounding cloud computing and its adoption,” says Mohit Pande (pic), general manager of Microsoft Malaysia’s Small and Mid-Market Solutions & Partners Group.
“Companies that have adopted the cloud are feeling more secure, they are really saving costs and are able to focus on their business.
“In my personal opinion, a lot of the security concern stem from the fact that when you relinquish control of something you’re used to controlling, there is that certain amount of insecurity you would feel. ‘I used to have my data stored here on my server, and now it is stored with somebody else, on the cloud.’
“That creates a security perception, but we’re now finding out that reality is the opposite – that when they do adopt the cloud, SMEs are seeing added security benefits,” Mohit says.
According to the survey findings, 68% of Malaysian SMEs that do not use the cloud said that industry standards for cloud security would go a long way in giving them greater confidence, while 63% said that vendors needed to be more transparent about the security measures and levels in their cloud offerings.
“The findings in this study tells us there is a role for vendors to not only share information and educate, but to also work towards greater transparency and industry standards,” says Hall.
“On Microsoft’s part, we’re embarking on several initiatives in this regard. First, we’re participating in the group called the Cloud Security Alliance (CSA), an industry organization which includes about 40 other companies involved.
“This allows us to participate in training activities, industry talks and programs that the CSA conducts,” he adds.
Other members include Microsoft’s keenest cloud competitors: Amazon Web Services, Google, Salesforce, Oracle and the like.
On the point of transparency, the CSA has created something called the CSA STAR (Security Trust and Assurance Registry).
“This is a registration that cloud vendors can complete, essentially a self-assessment covering the security profiles and policies of a company’s cloud offering. This registry is published so that customers can have a look at how cloud vendors approach security,” says Hall (pic).
“We have done this for Office 365, Windows Azure and Dynamics CRM. Thus far, we are the only large cloud vendor which has completed the registry,” she claims. “We think it’s a very important transparency point.”
Microsoft, she adds, has also completed other registrations and certifications, like the ISO 27001 on information security management systems, as well as those necessary to comply with the US Government’s Federal Information Security Management Act 2002 (FISMA).
“Although it is a US standard, the FISMA requirements are extremely stringent and high, and serve as a good reference for any customer.
“We’re also regularly audited by independent third parties such as Deloitte Touche and the British Standards Institute,” adds Hall.