How compliance can be an excuse to shun the cloud
Read original article here: http://www.cio.com/article/3056020/compliance/how-compliance-can-be-an-excuse-to-shun-the-cloud.html
By: By Andy Patrizio, CIO
Every company has its reason for embracing or not embracing the cloud. In the case of companies in heavily regulated industries such as healthcare and financial services, regulatory compliance is a convenient excuse for luddites to shun the cloud and its potential benefits.
And consultants who serve those markets say that while CIOs and other IT managers cite compliance as the reason for not embracing cloud services and applications, it's really an excuse by managers who just don't want to move to the cloud for whatever reason.
"There's a perception that has existed that the cloud is less secure," said Tom Crawford, CIO strategic advisor and president of the consultancy AVOA. "Part of that stems from the basis, wrongfully so, that I cannot secure something unless it's inside my own data center. For the most part that no longer holds water. Internal systems are often less secure."
In fact, Crawford says the cloud providers are often more secure because they dedicate themselves to security in ways many firms don't, since a loss of security credibility would be death for a cloud provider.
"When you think of internal security, security tends to be a line item in a job description. Cloud-based providers have departments and teams where all they do is security. That is their sole focus. So the extreme there is an average enterprise, where people have security as one line in their job description versus a department with a dedicated focus," he says.
Paul Castiglione, senior product marketing manager of Ipswitch File Transfer, a maker of secure file transfer and data monitoring software, says cloud vendors often know the compliance rules as well or better than many compliance-governed customers.
"Cloud vendor providers like us spend a lot of their time understanding regulations. We're certified for PCI and HIPAA. So we're pretty expert at it. Companies attempting compliance on their own are having to invest in the education, all of the requirements related to it, penetration testing, access control, all of the physical requirements around compliance," he says.
Crawford says that more often than not "people use compliance as an all-encompassing excuse" to reject the cloud when compliance is only for specific apps and data sets, not the whole company.
"When you break down the problem it only governs a specific piece or component of data and only those apps," he says. "They aren't breaking down the problem and laying out the workloads and data sets."
As it turns out, the excuses for not embracing the cloud are numerous. One cause is generational. People have been running internal data centers for decades. Good luck convincing a CIO in his or her 50s who fears being cut out of a job in the first place that data and applications should be moved off-site into a data center somewhere across the country.
"We kind of got conditioned into a mode of operating under internal data centers, and now they have to learn you don’t have to do it," Crawford says. "Even though IT says we're change agents, unfortunately it is not as much of a change agent as they think they are."
The problem is also dependent on the size of the company. Small firms without a dedicated IT staff can be more reticent because they don't have someone who is fully dedicated to understanding computing services and products, said James Gast, founder of Splicenet, a technology consultancy servicing the tech needs of law firms in the Ohio region.
"If we're selling into a 20-person law firm, you run into much more objection than an enterprise-sized law firm, and I think the reason is you have a more diverse workforce," he says. "You have people whose job it is to understand this stuff. At a 20 person firm, the lawyer doesn’t have the time to understand it. It's the nature of the business."
In Josh Bauer's experience as associate director of IT infrastructure at Acorda Therapeutics, a biotech pharmaceutical company, it depends on the size of the vendor as well because the newness of the cloud market means some of these companies are not up to speed yet.
"Smaller vendors might be behind the times and not have a cloud app yet," he says. "If they do both on premises and cloud, a lot of times we go with on premises because they don’t have a good grip on the cloud app. The larger vendors who have been doing it for years have good policies around their apps, have better SLAs, and offer better uptime than even we can deliver so it makes sense to go with them."
The problem is not insurmountable, it just requires the right pitch, say the consultants. That means educating companies in these industries that there are some parts of the cloud they can embrace, and might already be doing so without realizing it.
"There are IT organizations that are steadfast against the cloud," said Crawford. "They think it's a fad, they think it's insecure. They don’t think it's ready and robust for enterprises. That's very sad because nine times out of ten, you can point to Salesforce and ask if they use it and they say yes, but don't realized it's a cloud company."
"I hate the word 'cloud' because the minute you mention cloud to someone, their mind goes somewhere else," Gast says. "They think they don’t own their data. But when we say you're documents will be in a place where you can get to it from more places more often then they get it. When you bring it down to a more basic understanding they start to get it."
He added that there needs to be a different way of selling the cloud to people who don't get it. Instead of pushing the bits and bytes angle, tell them how their people will benefit and use it. "People react better to stories. It doesn't matter if it's cloud or a car. It's about helping them understand and relate to it," Gast says.
Castiglione says Ipswitch finds many customers are still learning the cloud, and it goes in with its own auditors who understand compliance to help educate clients. "Compliance is still the organization's responsibility, so there is no offloading of the responsibility for compliance. But there's not an established set of criteria that I've heard from customers around what they are looking for or expectations they need from a reseller," he says.
"The only successful way is you have to build trust and relationships with these people so you can understand their concerns and where they are coming from and they are open to listening to your perspective as well. And that just doesn't happen overnight," says Crawford.