NEW REPORT: Cloud Control
A storm is coming, one that pits security groups against business leaders desperate to contain costs. Can we find a middle ground?
January 31, 2009
The amorphous nature of cloud computing can make IT pros charged with protecting their organizations' data feel as if they're trying to rope the wind.
While privacy and security top the list of governance woes cited by the business technology professionals we spoke with, availability, performance management, accessibility, auditing, and monitoring are far from nonissues, especially for those subject to restrictive regulations such as Payment Card Industry standards or the Health Insurance Portability and Accountability Act.
"Cloud computing, in my opinion, would cause too great a reliance on having Internet connections, plus expose company information to compromise or theft," says one respondent to our September InformationWeek Analytics cloud computing survey. "From a PCI compliance point of view, it would be a nightmare."
Still, the pluses – scaling applications quickly and seamlessly while shedding capital and operating expenses associated with maintaining servers – are attractive enough that this model will continue to gain popularity with business leaders. And cloud computing proponents, including the big vendors vying for shares of this lucrative market, are masters of accentuating the positives while downplaying potential negatives, like outages and governance challenges.
So how can information security pros reconcile their need for governance with business leaders' directives to bring capital and ongoing costs under control? Our advice: CIOs must sit security groups down at a table with legal counsel and data owners to hash out issues. Having these hard discussions up front is the only way to counter skepticism, like that expressed in our poll, where just 18 percent of the 456 business technology professionals surveyed said they were using cloud services, compared with 34 percent who have no interest. More than half said they are very concerned about security, with performance, control, and concerns over vendor lock-in and support rounding out the top five worries.
We've heard this refrain before for software as a service (SaaS). If you don't control your data – or, in some cases, even know where in the world it's residing – you can't govern it, and you surely can't promise an auditor that it's protected from unauthorized access. But even more than SaaS, cloud computing, by its distributed nature, raises issues regarding privacy rights and regulatory compliance. This is true whether you subscribe to the infrastructure model of cloud computing, where you lease resources on a metered basis, as with Amazon.com Inc. (Nasdaq: AMZN)’s Elastic Cloud Compute (EC2) and Microsoft Corp. (Nasdaq: MSFT)'s Azure, or an application platform model, where application services in the cloud are populated with your data, as with Salesforce.com Inc. or PeopleSoft Inc. (Nasdaq: PSFT). Governance issues, such as data management and regulatory compliance, are still very much in limbo. The courts and industry groups will eventually help develop guidelines, but for now, we're on our own.
You can read the full report here