Many companies have warmed to the idea of outsourcing lightweight tasks such as software testing and data backup to the cloud, but few are willing to trust a third party with vital jobs that could pose serious financial risk if they aren't performed properly.
Only about a fifth of the largest companies use cloud services for critical data tasks, said John Pescatore, director of emerging trends at the SANS Institute, a security research and training organization. Hackers and reliability are the key concerns.
The story of one European financial-services company -- which Pescatore outlined but did not identify in a case study last year when he was a Gartner analyst -- holds an important lesson for how large businesses can allay some of those fears.
The company, Pescatore said, was unusual in that it wanted outside help with a key part of its business -- an application that supports 5,000 global users and involves "business-critical" analytics that are delivered to financial analysts.
The company was running the application in its own data center and sought to move to a "cloudbursting" model, where the application still runs internally on a private cloud but "bursts" out during times of peak usage to a public cloud.
The goal was to cut staffing and computing costs, but the company was worried about exposing customer data. So it did what many don't do when attempting a move to the cloud, Pescatore said: It drew on prior experiences in dealing with outsourcers and had a long list of security demands ready.
It vetted several cloud services companies, including Amazon, AT&T, Rackspace, Savvis and Terremark, to determine which company would get its $5-million-a-year contract.
The company chose Savvis, which agreed to the lengthy security requirements, including allowing the customer to perform on-site audits and deploy its own hackers against the service to test its security.
"Essentially, the financial services company wanted very similar visibility into key security issues that it has within its own data center operations," Pescatore wrote.
The rollout took two months and 10 full-time workers and, while a couple of glitches slowed the process, the company considers it a success, overall.
Pescatore's advice? Companies that want to move data to the cloud need to conduct a rigorous security evaluation of potential providers before signing a contract. In the cloud, good security comes from spelling out needs early -- and from tough negotiations.
To contact the reporter on this story: Jordan Roberston in San Francisco at firstname.lastname@example.org
To contact the editor responsible for this story: Marcus Chan in San Francisco at email@example.com