The REAL concern over Cloud data security

Recently I have been involved in a discussion in the LinkedIn Integration Consortium group on managing data in a Cloud Computing environment, and the subject has turned to security.

I had maintained that data security concerns may sometimes result in companies preferring to look at some sort of internal Cloud model rather than risk putting their data in the Cloud:

"The concept that I find is intriguing larger companies is the idea of running an INTERNAL cloud – this removes a lot of the concerns over data security, supplier longevity etc."

This generated a reaction from one of the other discussion participants, Tom Gibbs of DiCOM Grid.

"I hate to poke at other commentators but security is an overarching issue for IT and telecom as a whole. No more and probably less of an issue with cloud or SaaS.

"It’s almost amusing to watch legacy IT managers whine that b/c it isn’t local it isn’t secure. I’m sorry but this is totally naive."

This brings up an important point. What Tom is saying is that the Cloud provider will almost certainly offer top-notch security tools to protect data from unauthorized access or exposure, and therefore what’s the problem?

The answer is that the executive concern with putting data outside the corporate environment is likely to be more emotional than logical. With so many topical examples of confidential information being exposed, and executives knowing that regulations/legislation/corporate policies often make them PERSONALLY responsible for protecting information such as personal details of clients/customers/citizens, the whole thing is just too scary.

IT folk may see this as naive, just as Tom says. After all, modern security tools are extremely powerful and rigorous. But of course this depends on the tools being properly applied. In the UK, for example, there have been a number of high-profile incidents of CDs or memory sticks containing confidential citizen information being left on trains and exposed to the media. The argument allowing data to be taken off-site was based around the fact that policy required all such data to be encrypted, making it useless if it fell into anyone else’s hands. These encryption algorithms were top-notch, and provided almost total protection. BUT the users who downloaded the information in each of these cases did not bother to encrypt it. In other words, if the procedures had been followed there would have been no exposure, but because people did not implement the procedures the data was exposed.

These situations have not only proved extremely embarrassing to the data owners involved, but have resulted in heads rolling in a very public fashion. So the concerns of the executive moaning about risk are visceral rather than rational – ‘Moving my data outside of the corporate boundary introduces personal risk to me, and no matter how much the experts try to reassure me I don’t want to take that risk’. Of course less sensitive information will not be so much of a concern, and therefore these worries will not affect every Cloud project. But for some executives the ‘security’ concern with moving data into the Cloud, while not logically and analytically based, is undeniably real.

Steve

What software buyers are looking for in 2009

With the global downturn in full swing, there are a lot of concerns over how software markets will perform.

However, one trend is emerging as a vital ingredient if software companies are to succeed, and those companies that have recognized it are already benefiting.

Software buyers in 2009 are finding an industry vertical specialization to be essential to support any investment justification. The problem for many users is that although the technologies and products available offer the same sorts of benefits as before, in order to get any purchase through the system it has become critical to have strong business backing all the way. Nothing will move if a business sponsor is not pushing for it. Of course, investments have always had to be justified, and a business alignment is a key part of this process, but in the economic downturn this focus has moved from being part of the justification to being the overriding element. A business sponsor has to be brought on board right at the beginning if the particular project is to have any chance of success.

As a result, companies that do more than pay lip-service to describing business benefits are prospering. The software vendors that offer truly vertical solutions, tuned for particular industry needs and taken to market by field teams with the relevant industry domain knowledge, are the ones that are succeeding. One proof point is Pegasystems, which I blogged about a few days ago. One reason that Pegasystems has maintained such strong growth in 2008 with its BPM offerings is a strong industry vertical sensitivity.

Another excellent example is IBM and in particular its Information Management division. Information Management software is regarded as unsexy – although still important, it has tended to be neglected in the rush towards application-oriented strategies and initiatives. Enter a new IBM management team that has restructured the go-to-market approach for Information Management software to an industry-vertical one, generating models of particular industry challenges and processes, looking at the specific needs of these industries and carrying the industry-vertical business messages to prospective buyers. Whether serendipitous or the result of impressive executive insight, this approach has almost exactly dovetailed with the software buyers’ needs for a more relevant, industry-related message in order to secure investment. The result is that IBM is claiming significant sales and successes in its information management software business segment, even in the current environment.

Other software companies would do well to take note. If you want to sell software this year, you have to help your prospective buyers by going to market with clearly aligned business vertical offerings and messages.

Steve