In a Forrester study entitled “Status, Challenges, And Near-Term Tactics For Cloud Services In Enterprise Outsourcing Deals” (Paul Roehrig, November 18, 2009), issues relating to the security of cloud services are discussed extensively.

Before companies take the “giant leap” towards cloud services, 7 major questions will need to be answered by cloud service providers. The most important issue is security: “Even so, perceptions and genuine technical hurdles put security as one of the biggest challenges to broader enterprise cloud services adoption”.

The security of cloud services is highlighted as a recurring issue on which positions are clearly conflicting.

Some claim that security in the cloud is impossible while others fight the opposite corner tooth and nail: the cloud can be more secure than dedicated infrastructures. These contradictory messages can be explained by the fact that the level of technology and processes implemented in cloud platforms is not as well developed as in other domains. On the other hand, security for some “cloud” services can properly be described as having reached maturity.

Personally I would agree with their analysis: you only have to look at mail services. Big companies subcontract (entirely or in part) their electronic communications to service providers. This actually works pretty well.

To draw a parallel: in the cloud, you sometimes encounter terms like “private cloud,” “public cloud” or even “community cloud.” Opposite each of these, place a “dedicated hosted mail platform,” “Gmail” or “electronic messaging services for the business sector” (stay with me here). Each of these “cloud” services can be provided in a secure manner, at the level of functionality and price that people expect.

What does Forrester recommend?

It’s pretty simple: “integrate security as one of the strategic choices and as part of the selection process.”

This comes as no surprise: since companies cannot outsource their risks (they can arguably transfer them, but at a cost), they have to rely on their security experts to assess the security claims made by their cloud service providers.

“Security needs to be a part of the project from the beginning.” Nothing new under the sun here. Does this happen as a matter of course? Each individual business is responsible for ensuring it does.


PS: I have deliberately omitted mentioning everything that has nothing to do with security. The document from Forrester does not focus exclusively on security.

