You hear it over and over again – security is the biggest concern in moving to the cloud. Well, guess what? It’s not, according to five CIOs in the Enterprise CIO Forum Council. Find out what their biggest concerns are. The CIOs interviewed are Campbell Soup Co. CIO Joseph Spagnoletti; SUPERVALU EVP and CIO Wayne Shurts; China UnionPay director and EVP Chai Hongfeng; Cable & Wireless CIO & director of service operations Richard Wilson and General Dynamics Information Technology CIO & VP, IT Strategy Spain “Woody” Hall. The interviews were conducted by Enterprise CIO Forum editorial director Bill Laberis. The Q&A was written by community manager John Dodge.
ECF: Is security your biggest concern in adopting the cloud? If not, what is?
Shurts: My going-in assumption is that cloud providers are working feverishly to address security in the cloud. I’m more concerned about the “price of entry” – the cost of getting our network architecture cloud-ready. Although security started off as a big concern, it has been reducing as we better understand cloud service security controls, which sometimes could be better than internal because they are building a green field.
Chai: At present, security is not what concerns us most. We are concerned most with value cloud computing can bring to the enterprise. Despite cloud computing becoming very hot in IT, financial users still hold a caution attitude about it. While past physical sites will be replaced by cloud-based platform, how can the banks operate a new business model on it? Technology development is a new chance for bank business and for the technical sector as well. How cloud computing can bring value to the business is what we focus most for now.
Hall: Being a cloud “provider,” we believe that the cloud is securable. I would want to ensure that our provider had indeed secured their cloud. If we were going to put something in the cloud, we would be more concerned about enforceable service level agreements and assurances of the return or destruction of proprietary/intellectual property/business sensitive information if we decided to change our provider to someone else.
Wilson: No – technical compatibility with legacy systems is our key issue.
Spagnoletti: Campbell’s biggest concern is service integration, with the explosion of cloud solutions and the change in buying pattern for these services (from IT to the business) the key challenge is to make sure that the integration of these services in to the IT support processes take place.
Key areas of concern for service integration are:
- User provisioning and de-provisioning
- Integration into our sign-in architecture
- Enabling client side capabilities if needed (plug-ins)
- Cloud solution SLA adherence and integration into the monitoring infrastructure where applicable
- Application of data governance and data retention policies
- Ensuring an acceptable user experience on the internet and the corporate network
ECF: Are there certain kinds or classes of applications you feel will never, or not for many years to come, be ‘cloud-ready’ (if so, what kinds, and why)?
Shurts: The cloud is a young concept and although many want to rule out what could be done in the cloud, I don't. We will see how the cloud develops and matures. What we can't conceive of being in the cloud today could be standard fare in five years. In the meantime, we are starting pragmatically by looking at less risky and non-customer-facing applications.
Chai: I admit there are some unsatisfied hardware and software in the data center of each enterprise that can’t be “cloud-ready.” For example, we don’t have time to migrate the mainframe machine that operates the applications and internal data center(s) to the cloud or the funds. Some users might still use [mainframes], and clearing these facilities will spend almost the whole IT budget. On the other hand, if we don’t clear those legacy systems or facilities, we can’t really develop our business based on cloud.
Hall: We currently put confidential human resources information in the cloud…performance reviews, pay adjustments, personnel actions. We do not put financials or business development information in the cloud.
Wilson: I think pretty much anything can move to IaaS once there is sufficient confidence in the service delivery model. SaaS is only suitable for certain types of application.
Spagnoletti: Campbell’s has low latency applications that will not be cloud-ready in the foreseeable future. The reason for this is that current and future network technologies do not meet our latency requirements. These applications are mainly in manufacturing.
In addition, Campbell’s ERP backend is not expected to be cloud-ready over the next 3 years. This is mainly driven by our current architecture for application integration that is not SOA- based, but instead relies on exchanging flat files. For applications holding highly confidential data, Campbell’s sees no limitation as long as the provider can meet our requirements for data and systems security and we can effectively integrate the solution into our service/monitoring framework.
ECF: To what extent do compliance and regulatory realities influence how you feel or act regarding security in the cloud?
Shurts: I think compliance is one of many factors. They rule out some applications today, but there are so many places to get started in the cloud such as email, storage, test & QA environments as well as some applications. My suggestion is to start in these areas and learn, and let cloud security mature in the meantime.
Chai: Cloud standards are still not uniform so various organizations have different standards on cloud computing which creates confusion for the enterprises applying cloud computing. Standards are the key point for industry development, especially for the emerging cloud computing industry. Accelerating cloud computing standards has a strategic significance to drive the development of cloud computing applications and technology in China.
Hall: The growing number of liability statutes regulating the protection of personnel information strongly shapes the design requirements for cloud solutions and the risk/benefit profile of various business opportunities. The attitudes of our government customers also strongly influence our approach to cloud solutions. Their risk profile is generally more conservative than commercial and consumer customers.
Wilson: It’s certainly a factor. The different regulatory regimes around data protection and user rights across different territories makes life difficult when you can’t necessarily be certain where your data is physically stored. We had to exclude colleagues in Europe from a recent cloud service rollout due to data protection issues.
Spagnoletti: If a cloud service provider cannot meet the regulatory requirements for the cloud solution we want, it is not a viable candidate for delivering this service.
From more on this topic: