National statisticians dampen as-a-service hype

Australia’s official statistics body has found that media and telecommunications businesses are the nation’s most consistent buyers of cloud computing services, but also that the rate of commercial adoption is much more subdued than industry hype may suggest.

The ABS collected data on the use of cloud services from 6640 Australian businesses for the first time in the 2013-14 year, and published the first results of its survey today.

According to its data, less that one in five Australian companies reported using a paid cloud service.

The proportion of those using cloud services increased steadily between sole traders and small businesses with fewer than four employees (16 percent adoption) and businesses employing upwards of 200 people (37 percent).

However, even in the biggest businesses surveyed, those not using cloud services outnumbered those who do.

More than half of the surveyed businesses could not provide a reason for not using cloud services. Across all size categories, 59 percent said “no factors” limited or prevented their use of paid cloud computing.

Amongst those who did identify road blocks, insufficient knowledge of what was on offer was the top reason given, with a steady rate of between 22 percent and 24 percent of businesses of all sizes pleading ignorance.

Amongst the 200+ employee category, the threat of a security breach topped the list of cloud fears, with more than 30 percent of respondents nominating it as an obstacle.

Just over 19 percent of this group also cited uncertainties about the location of data and 20 percent blamed the high cost of cloud services.
Read the full article at itnews

Senetas high assurance security comments

Three crucial data security issues stand out from this first Australian Bureau of Statistics (ABS) survey of businesses and their adoption of Cloud services. Although the initial statistics do not specifically differentiate ‘public’ and ‘private’ Cloud services, the issues are nonetheless important.

The fact that without a strong data security plan, ‘blind’ adoption of Cloud services exposes organisations to very serious data security risks. This appears to be acknowledged by larger organisations (200+ employees) as shown as the key reason for not adopting Cloud services.

Secondly, these large organisations expressed concerns about the data itself. Maximum security ‘control’ is just as important as encrypting the data. Even if data is encrypted using industry standards based encryption (e.g. AES 256); encryption alone is not enough – one must look into the encryption solution’s ‘encryption key management’.

Security experts repeatedly say best practice requires encryption keys to be securely stored on-premises and not live within a service provider’s systems – the keys must only be accessible by you giving you 100% control.

The third data security issue highlighted by the survey responses is the issue of ‘100% control’ over the data itself – even if it is encrypted – data control is very important. Many Cloud services use multiple data centres and may be located in locations in other parts of the world. The data control issue becomes one of ‘sovereignty’. And if you cannot determine or restrict what data centres are storing and backing up your data you do not have that control. Similarly, businesses concerned about data control will likely be concerned about back-up data versions as well.

The significance of these issues, although seemingly of more concern to ‘enterprise’ size businesses, highlights that the business sector is now getting the message that data security must be a key consideration when evaluating business technologies.

And importantly, data security must not be limited to ‘prevention’; it must include ‘protection’ of data when prevention barriers are breached. The ultimate security objective must be to ensure that when data falls into unauthorised hands, it is useless. Only standards based encryption and best practice key management will provide that assurance.

Cloud and other service providers must focus on providing ‘secure Cloud services’.