With companies now putting their most sensitive data and applications into the cloud, they're starting to worry a lot more about the security of such services.
According to analyst Forrester, one-third of enterprises are already using software-as-a-service (SaaS) applications in their group or department, a figure that will rise to almost 60 percent in the next year. But as firms move their crown jewels -- customer data, employee data, and intellectual property -- into the cloud, tech chiefs are getting worried. Forrester estimates that firms are already spending $282m on cloud security and predicts this will rise to $2bn within five years.
Part of tech chiefs' concern stems from the fact that while they can transfer the data or applications to the cloud, they can't transfer risk and liability. If something goes wrong, it's the fault of the CIO (or CEO), even if they can't really tell what's going on inside an opaque cloud service.
"If your firm uses cloud services, ultimately, your firm is responsible and liable from a legal perspective for protecting your customers' data -- it's not the cloud provider's liability. Your auditors know this, too," said Forrester in its report Sizing The Cloud Security Market.
Privacy and compliance, for example, can be more of a headache in the cloud, as cloud providers will often have data strewn across the globe in a variety of datacentres, whereas legislation such as the EU Data Protection Directive lays out strict rules for how organizations must process and store personally identifiable information, and how it can be transferred across international borders.
Forrester argues that familiar security tools have limited utility when it comes to securing the cloud. Traditional perimeter-based security solutions, such as VPN-based network access controls and security information management, do little to protect cloud workloads.
Instead, CIOs need tools that provide visibility, user access control, and data security across hosting models, user populations, and device access methods. Forrester sees the cloud security market as consisting of four different areas: cloud data protection (mainly encryption), cloud data governance, cloud access security intelligence, and cloud workload security management.
Tech chiefs are interested in third-party tools because they can help keep cloud providers honest. Third-party tools are better because CIOs need security across multiple cloud providers and a set of tools that can give them visibility across all their data.
A wave of startups - buoyed by over $1bn in investment - are developing products which aim to make up for the weaknesses of classical perimeter-based security systems by being able to find, analyze, and control corporate data across bare metal, virtual machines, IaaS, PaaS, and SaaS.