Why CIOs Do Not Want Their Data in the Cloud

This paper has been written by by Brandon Faber, marketing manager at Cibecs, a South Africa’s editor of backup software.

The arrival of cloud computing has brought with it new opportunities, many of them offering cost-savings and convenience as an attractive benefit to businesses and enterprises – however, when it comes to the security of company data and the viability of moving user data into the cloud, Enterprise CIOs are not so enthusiastic.

An NTT Europe Online survey of 200 CIOs and CFOs of UK-based companies with 500 or more employees (and a turnover of £100m or more) revealed that:

• 67% of respondents were not planning to adopt cloud computing or were unsure of its adoption within the near future.
• 49% of CIOs and CFOs listed security fears as the primary barrier to adoption.

While the above statistics relate to cloud-based services as a whole, we can assume with great accuracy that the attitude towards service solutions that target company data will be similar at the very least, if not substantially more sceptical.

Gartner lists the following seven risks associated
with cloud computing and data security:

1. Privileged user access. Moving business critical data offsite means removing the “physical, logical and personnel” controls IT departments exert over in-house programs. Not knowing who will have access to company data is, of course, a major concern for company CIOs.
2. Regulatory compliance. Whether a company keeps its data in-house or in the cloud, it is ultimately responsible for the integrity and security of its data. Without stringent audits and security certifications one cannot begin to consider placing business critical and other sensitive data in the cloud – and even then, the guarantees are not always 100%.
3. Data location. The question, “Where exactly is our data located?” does not have a simple answer in the cloud. Any viable solution would have to commit to storing and processing data in a jurisdiction approved by the client’s CIO and then contractually commit to obey local privacy requirements, and other possible legislation, surrounding data security.
4. Data segregation. Typically, data in the cloud is in a shared environment alongside data from other customers. Encryption can be effective but it’s not a bullet-proof solution. In fact, encryption accidents can make data totally unusable or complicate availability.
5. Data recovery. What happens in the event of a disaster? Is company data replicated across multiple sites and how long would it take to do a complete restoration? These are just some of the questions CIOs are asking.

“How quickly can we continue normal business operations?” is the key question any company disaster recovery (DR) plan needs to answer.

1. Investigative support. Gartner reports that “investigating inappropriate or illegal activity may be impossible in cloud computing because logging and data for multiple customers may be co-located and / or be spread across an ever-changing set of hosts and data centres.” Without a contractual commitment to support specific forms of investigation and proof that it has been done successfully in the past, the reality is most investigation and discovery requests will be impossible.
2. Long term viability. Will company data remain available should the cloud services provider’s business fold, or if the business is acquired by another company?

Added to the above seven cloud-computing security risks as highlighted by Gartner, CIOs also need to consider their ability to report on, and prove, the effectiveness of their data backup and recovery strategy and the speed, accuracy and simplicity of data recovery.

CIOs also need to consider the bandwidth and infrastructure impact of thousands of users backing up their data to a cloud service, along with the absence of control over what kind of data users choose to backup.

If continuous access to business critical data is key to a company’s ability to operate effectively, it would seem that a cloud-based solution for enterprise data does not currently enjoy a vote of confidence in terms of data security, accessibility, control and operational efficiency.

As it stands the majority of CIOs agree that a reliable, automated, solution that allows for easy, risk-free management of user data, remains the key component of an effective data backup and recovery strategy for user data residing on company laptops and desktops.