Cloud Adoption Checked by Security Concerns

Cloud computing security concerns outweigh the potential cost savings by a two to one margin, according to a recent survey of government and industry IT professionals by nCircle.

Only 32 percent of those questioned in the study conducted by automated compliance auditing company said that cost savings outweigh security issues, but that is an increase of 6 percent from last year. Thirty-five percent said they are already are doing some cloud computing, up from 24 percent last year, and another third are considering the move.

"Cost savings is definitely a big driver here," said Keren Cummins, director of federal markets for nCircle. "The first persons to be interested in the cloud were those for whom security was not a big concern."

As the adoption becomes more general, however, users are beginning to address practical implications, including maintaining security in a new environment provided by a third party. That is reflected in the finding that 69 percent of respondents would be more likely to use a cloud vendor that complies with requirements of the Federal Information Security Management Act or Payment Card Industry requirements.

"I think we are going to see the government proactively assess the security of cloud providers," Cummins said.

nCircle surveyed 551 IT professionals for the study on cloud computing in March, 40 percent of whom had some security role in their organizations. About 11 percent of respondents were in federal government and another 5 percent were in state and local government.

Government is readying a program for proactive security assessments for cloud providers. FISMA requires that government IT systems, including those operated by cloud providers, be formally authorized to operate. Federal Risk and Authorization Management Program (FedRAMP) requirements for authorizing the use of cloud services are undergoing final review and are expected to be released soon. A lack of expertise in cloud security, management and administration, particularly in government, could slow the move to the cloud if agencies become overly cautious, officials warned, however.

Cloud computing could benefit from another trend in government, Cummins said: the move toward continuous monitoring of the security status of systems. This is becoming federal policy under new FISMA compliance requirements, but a number of agencies already have made improvements in security by putting it into practice.

The State Department implemented the monitoring of key security controls within its offices more than two years ago and has become a poster child for the approach. With a program of continuous monitoring, distributed responsibility for IT security and focusing on critical controls and vulnerabilities, the department has significantly improved its security posture while lowering the cost, Chief Information Security Officer John Streufert has said.

How effectively current monitoring tools and metrics can be applied in a cloud environment still is not clear, but Cummins said that she expected market forces to push continuous monitoring into the cloud.

"This is something where we're going to see a lot of competitive pressure," she said. The ability to monitor and validate security assertions could become a differentiator in the market. "I think there is going to be a place for cloud providers who are willing to do that."

Economy and security do not have to be competing forces within in the enterprise, Cummins said. "If the cost saving are substantial enough, you can bring more resources to bear on security issues."

About the Author

William Jackson is the senior writer for Government Computer News (


  • Microsoft Shifting Away from Office 365 Brand Name in April

    Microsoft on Monday announced coming product naming changes, where "Office 365" is mostly getting replaced by the "Microsoft 365" brand.

  • Microsoft Grows Services Amid COVID-19

    Microsoft in a Saturday announcement recapped how its services have been affected by "shelter-in-place" governmental mandates in the last week, providing details on growth stats and prioritizations.

  • Microsoft Adds 6 More Months to Expiring Certification Programs

    Microsoft has announced an extension to the end date of three certification programs slated for retirement.

  • Microsoft's Surface Pro X: It's Like the Surface RT, But Better

    There's a lot about the Surface Pro X that's reminiscent of the ill-fated Surface RT. But despite the similarities, this might just be one of the rare cases where the sequel is better than the original.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.