Belt, braces and external security standards

The risky business of assessing the public cloud

Next gen security for virtualised datacentres

If you are about to hand the day to day running of your company’s technology and handling of data to a third party, you had better be sure they know what they are doing, and that what they are doing matches your requirements.

The business case for adopting cloud computing is already clear for many: it can save a lot of money, and give companies access to technologies that are otherwise be beyond their means. But for IT professionals, shifting technology and data offsite brings new challenges, especially to the smaller businesses for whom cloud computing is so useful.

Enterprise organisations are used to doing risk assessment as part of everyday due diligence. Now smaller businesses must learn how, too.

Cloud computing lets smaller firms play with enterprise level software, but it also means they have to surrender a level of control of their data and give a third party an unprecedented degree of access to their business.

Gary Jensen, Silversands, headshot

Jensen - which bits

“Companies really need to understand how the service will be managed: which bit they are responsible for and which bit their cloud provider is responsible for,” says Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, Dorset.

Core areas of risk are mostly obvious: security, both of data and around access; support; upgrades; managing product lifecycle and so on. These are not new issues for anyone working in IT, but the difference lies in who is responsible for what, and making a by-definition standardised service work for you, as an individual company.

Cloud providers should normally have responsibility for backups, management of infrastructure and ensuring uptime, but clients can still retain control of general configuration issues, such as creating user accounts. Some companies might need support contracts to handle this.

Another crucial issue is how the support contract works. Will an email-only support programme be sufficient for you or do you need to be able to get someone on the phone 24 hours a day?

“The problem with email-only support is that you have latency, and no ability to talk through an issue,” Jensen says. “Companies need to be sure about what is right for them.”

Consider how are upgrades will be managed. “One benefit of the cloud is that you as the customer don’t have to worry about upgrades. They happen automatically.” Nevertheless, talk to your supplier about potential downtime and what happens in the event of data loss, he advises. Make sure any disaster recovery plan is regularly exercised. Otherwise it is just a piece of paper, as the mantra goes.

Upgrades might require a client to make changes to other systems to be compatible with new products. Before signing up to a service, find out about upgrade cycles, especially if major product refreshes are due.

"External security standards can offer some reassurance"

Data protection is a huge area, but another that has to be tackled by anyone considering moving data offsite. In short, you need to know where your data will be kept, even in the event of an outage; what the disaster recovery plans are and how data is disposed of at the end of a contract. (We’ll tackle this subject in more depth in an upcoming article).

Cultural shift

Anecdotally, security is cited by IT staff as their biggest concern about cloud computing, and Vladamir Jirasek, a spokesman for the UK & Ireland chapter of the Cloud Security Alliance, explains that the issue is one of a cultural shift.

When all your IT is in-house, you typically share data internally and perhaps with a few third parties. You plan and manage your own upgrades, set your own security policies and so on. But once it goes into the cloud, it is outside your direct control.

“It will be very hard [for IT] to give up the level of control they are used to,” he says, adding that IT staff cannot be too rigid, and must be willing to compromise to make a cloud deployment work.

External security standards such as the ISO27001 can offer some reassurance for those yielding this control. Any agency claiming to be ISO compliant can of course be audited. It would not be a bad idea, then, to ask to see an external audit – such as SAS70 – when discussing terms with the cloud provider.


According to Conor Callanan, MD of CoreGB, a Microsoft SharePoint specialist based in London, security can be overblown as an issue.

“Of course you have to verify access controls, and make sure the provider has strong authentication, but a company like Microsoft would be destroyed if it gave away data through a lapse in security,” he told us. “IT might have concerns about security, but as always the real security issue is not in the technology. It is in the people.”

Jensen says the last few years have provided an insight into the kinds of issues the IT department needs to think about when considering cloud computing.

“It takes a few brave souls to dip their toes into the water and find out how new technologies really work,” he said. With every new technology, there will be teething problems at first. The good news is that these lessons make it easier for the next wave of adopters, Jensen says, arguing that this is the stage we have reached with cloud computing. ®

5 things you didn’t know about cloud backup

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7
New chip scales to 1024 cores, 8192 threads 64 TB RAM, at speeds over 3.6GHz
Docker kicks KVM's butt in IBM tests
Big Blue finds containers are speedy, but may not have much room to improve
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
Gartner's Special Report: Should you believe the hype?
Enough hot air to carry a balloon to the Moon
Flash could be CHEAPER than SAS DISK? Come off it, NetApp
Stats analysis reckons we'll hit that point in just three years
Dell The Man shrieks: 'We've got a Bitcoin order, we've got a Bitcoin order'
$50k of PowerEdge servers? That'll be 85 coins in digi-dosh
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.