Security tensions at the core of the cloud concept hobble cloud growth

a viable business model. As the U.S. federal government and other large institutions (including state governments and corporations) begin to eye the cloud as a way to consolidate IT resources, cut computing costs, or both, cloud-service providers have a golden opportunity to expand their businesses. “This opportunity could pass these providers by if they fail to convince companies and governments that the cloud can meet these potential customers’ security needs,” Clark warns.

A Computer World article (“Lawmakers question the security of cloud computing”) cites concerns on the part of federal legislators that the federal government’s increasing reliance on the cloud “could lead to new data security risks, with agencies compelled to put their trust in vendors’ security efforts.” With its ongoing effort to consolidate its 1,100 data centers, the U.S. federal government is a potential client (with apparently unlimited resources by way of the Federal Reserve printing press) that cloud-service providers cannot ignore. Republican Representative Darrell Issa (R-California), for instance, is “particularly interested in details as to how companies believe that they can implement guaranteed security in a cloud environment.” If cloud-service providers are unwilling to disclose such details, however, they could endanger their chances of landing clients such as the federal government.

Network World notes that data center locations are “a big issue in contract negotiations, where legislative and judicial issues abound.” In such cases, secrecy on the part of providers can sink potential deals with customers. Thus, what the article calls “security by obscurity” may not be sufficient in many cases, especially with regard to the laws of various countries. “To be sure, the cloud model and the notion of data having a specific location are somewhat antithetical,” Clark writes: some cloud-service providers attempt to maintain security and availability by locating the data in multiple servers or data centers, or by locating it in an undisclosed data center. Nevertheless, despite attempts to hide information regarding the location of data, some individual or group of individuals somewhere in the provider’s company structure must be aware of such information. Thus, complete security cannot be achieved through these means. On the other hand, by limiting knowledge, the provider reduces chances of a security breach.

“Cloud-service providers are in a tight situation with regard to secrecy about their data centers and security procedures. Many of these providers believe that this information must remain secret, but many customers (including giant potential customers, such as the federal government) want to be made aware of such information before signing on with a provider,” Clark concludes.