Should cloud service providers take a vertical tack?
A specialty approach could be the answer for cloud service providers looking to ease enterprise CIO risk and compliance concerns.
I know what I'm about to propose goes against the mass appeal of the cloud computing model -- low cost, on-demand standard configurations that meet the needs of a broad customer base. Customization does not, for the most part, enter into the equation, but there is an argument for a customization of sorts in the cloud.
Data security, including regulatory compliance, is a big factor in keeping enterprise companies out of the public cloud. But some cloud service providers are starting to see the value in catering to industry-specific data security needs. This past May, for example, Microsoft introduced Office 365 for Government, which segregates government agency customer data in a multi-tenancy public cloud. Microsoft also has Office 365 ITAR, a caged data center environment that supports FISMA (Federal Information Security Management Act) and ITAR (International Traffic in Arms Regulations) requirements. The Federal Aviation Administration marked its entrance into the public cloud with plans to give 80,000 employees access to Office 365 productivity tools.
In talking with Michael Daly, corporate director of information technology security at defense and aerospace systems maker Raytheon Co., about how he sees security policies having to change with the move to cloud services and mobile device proliferation, he pointed to the possibility of industry specialization in the cloud. Given the business he is in, the use of the cloud is limited; but maybe other industries (retail, health care and so on) would make better headway in the public cloud if they formed industry groups to present their specific needs to cloud services providers, he said.
Daly believes that enterprise security policies will need to be rebuilt for the cloud and tested in a legal framework. But where to begin the rebuilding?
"I would start with supplier agreements, so that some of the boilerplate work is done by industry organizations, not only by one company coming forward at a time," he said. "I would think that industry groups telling [cloud providers and mobile device providers] what works for their given industry, what type of legal agreements they'd like, is a place to start developing those security policies."
Daly isn't alone in his thinking. The CIO of a global commercial and personal insurance provider said his chief architect is hammering out a single-sign-on approach with other insurance providers that use public cloud services. The idea is to work as an industry group to ease the use of cloud services by giving insurance agents one identity for the use of the cloud services these providers have in common.
A vertical approach will not work for cloud service providers
There's precedent for this strategy -- but not in a way that bodes well, some say. Gartner analyst John Pescatore has seen the idea of companies within a given industry banding together to develop a standard for their specific technology needs, and he has watched it fail time and again. "We've seen the insurance industry come together, form a consortium, for example; and then one company needs to do things slightly differently and the technology requirement agreement falls apart," he said. "It's part of natural competitiveness."
He does agree that it makes sense for cloud providers to meet specific regulatory requirements like HIPAA (The Health Insurance Portability and Accountability Act) and PCI DSS (The Payment Card Industry Data Security Standard). "Cloud providers can meet those kinds of requirements because they don't change rapidly, so they can make a long-term business out of it," he said. The same cannot be said for security policy specializations by industry. "There are just too many variables."
And yet, for some sectors, the commonalities outweigh the competitive advantage of going one's own way. Government agencies, driven to the public cloud in part by government mandates to cut costs, are banding together because they already have or want to develop a lot of the same cloud services. Just look at the city of Boston and its CIO's desire to share public cloud resources and services with other agencies. Some government agencies have enough space to act as their own public cloud, as is the case with the National Business Center in Washington, D.C. It developed the NBC CLOUD, its own set of cloud computing services for the 150 government agencies it serves. Now agencies can have their applications hosted on NBC's mainframe or x86 servers.
So, maybe the answer is that industry groups work with each other to meet their specific service needs, including data security controls, and cloud service providers sit on the sidelines -- or rather, the back end.