Blogs

Participating in the US and EMEA meetings of the AIIM.org Executive Leadership Council this past June, one topic of discussion from both groups (but more prominent with the EMEA group) was the concern over security of data within the cloud. The dialog became heated a few times as people shared concerns and some common experiences with vendors and technology limitations. Yet almost every organization represented at these two event  are either operating some aspect of their business in the cloud today, or they are in the process of investigating cloud options.

For a period of time, SharePoint was a central part of the discussion around the US government (NSA) security leak where one individual (Snowden) was hired as a contractor to migrate content between two SharePoint environments, and while each system had layers of security and governance requirements, this person was given full access and control to systems and data that should have been more carefully managed. The problem, as I understand it, was not a failure of SharePoint to secure the content (as some news outlets failed to accurately report) but a failure of the US government's security and governance oversight and protocols. While SharePoint certainly has its flaws, many organizations fail to take the necessary steps to ensure that their environments are secure, compliant, and locked down. Unfortunately for the US government, we don't even know the extent of the damage because they're not even clear on the content that was compromised.

This news has rattled many IT organizations who are looking to the cloud as a way to reduce the costs and overhead of managing IT operations.  In recent weeks, I have been asked repeatedly by analysts and journalists about my thoughts on the NSA leak and other reports on the US government's ability to get past most encryption safeguards, and whether I am seeing impacts within my customer base. It's certainly coming up again and again -- and while I'm not capturing data on the subject -- my opinion is that it is not deeply impacting plans to move toward the cloud. There are always exceptions, but I just don't see the impact -- and here's why:

My observation is that people are continuing to look at workloads that are low risk, with low security thresholds. Activities such as ad hoc collaboration with partners and customers are not going to put sensitive data at risk.

Based on anecdotal information from customer and community discussions on the topic , my opinion is that the NSA leak has reinforced some of our real or perceived concerns about security in the cloud -- but our plans for low-risk cloud activities and work loads has not been deterred. What I mean to say is that the majority of organization are not yet considering a wholesale move to the cloud of every production system, and so this news does not really impact their cloud planning. People understand that we are still relatively early in the cloud model, and that things will continue to improve. Vendors like Microsoft would love to report that the majority of enterprise customers are moving all of their production systems into the cloud, but the reality is far from it: enterprise-scale production systems in the cloud are still the exception.  In fact, the most energetic cloud-adopters are embracing a hybrid model, with the understanding that the tools and platforms out there today are improving week by week, and that the problems we've seen to date will be solved in the future.

I'd love to hear some feedback on this topic. Are companies continuing to move their cloud strategies forward, or have they halted their advances until the technology has time to mature?

Maybe the flow to the cloud will slow, but not for long. If anything, what this tells me is that hybrid models will be around longer than previously anticipated -- until vendors can prove their security models.