Belt, braces and external security standards

The risky business of assessing the public cloud

Remote control for virtualized desktops

If you are about to hand the day to day running of your company’s technology and handling of data to a third party, you had better be sure they know what they are doing, and that what they are doing matches your requirements.

The business case for adopting cloud computing is already clear for many: it can save a lot of money, and give companies access to technologies that are otherwise be beyond their means. But for IT professionals, shifting technology and data offsite brings new challenges, especially to the smaller businesses for whom cloud computing is so useful.

Enterprise organisations are used to doing risk assessment as part of everyday due diligence. Now smaller businesses must learn how, too.

Cloud computing lets smaller firms play with enterprise level software, but it also means they have to surrender a level of control of their data and give a third party an unprecedented degree of access to their business.

Gary Jensen, Silversands, headshot

Jensen - which bits

“Companies really need to understand how the service will be managed: which bit they are responsible for and which bit their cloud provider is responsible for,” says Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, Dorset.

Core areas of risk are mostly obvious: security, both of data and around access; support; upgrades; managing product lifecycle and so on. These are not new issues for anyone working in IT, but the difference lies in who is responsible for what, and making a by-definition standardised service work for you, as an individual company.

Cloud providers should normally have responsibility for backups, management of infrastructure and ensuring uptime, but clients can still retain control of general configuration issues, such as creating user accounts. Some companies might need support contracts to handle this.

Another crucial issue is how the support contract works. Will an email-only support programme be sufficient for you or do you need to be able to get someone on the phone 24 hours a day?

“The problem with email-only support is that you have latency, and no ability to talk through an issue,” Jensen says. “Companies need to be sure about what is right for them.”

Consider how are upgrades will be managed. “One benefit of the cloud is that you as the customer don’t have to worry about upgrades. They happen automatically.” Nevertheless, talk to your supplier about potential downtime and what happens in the event of data loss, he advises. Make sure any disaster recovery plan is regularly exercised. Otherwise it is just a piece of paper, as the mantra goes.

Upgrades might require a client to make changes to other systems to be compatible with new products. Before signing up to a service, find out about upgrade cycles, especially if major product refreshes are due.

"External security standards can offer some reassurance"

Data protection is a huge area, but another that has to be tackled by anyone considering moving data offsite. In short, you need to know where your data will be kept, even in the event of an outage; what the disaster recovery plans are and how data is disposed of at the end of a contract. (We’ll tackle this subject in more depth in an upcoming article).

Cultural shift

Anecdotally, security is cited by IT staff as their biggest concern about cloud computing, and Vladamir Jirasek, a spokesman for the UK & Ireland chapter of the Cloud Security Alliance, explains that the issue is one of a cultural shift.

When all your IT is in-house, you typically share data internally and perhaps with a few third parties. You plan and manage your own upgrades, set your own security policies and so on. But once it goes into the cloud, it is outside your direct control.

“It will be very hard [for IT] to give up the level of control they are used to,” he says, adding that IT staff cannot be too rigid, and must be willing to compromise to make a cloud deployment work.

External security standards such as the ISO27001 can offer some reassurance for those yielding this control. Any agency claiming to be ISO compliant can of course be audited. It would not be a bad idea, then, to ask to see an external audit – such as SAS70 – when discussing terms with the cloud provider.


According to Conor Callanan, MD of CoreGB, a Microsoft SharePoint specialist based in London, security can be overblown as an issue.

“Of course you have to verify access controls, and make sure the provider has strong authentication, but a company like Microsoft would be destroyed if it gave away data through a lapse in security,” he told us. “IT might have concerns about security, but as always the real security issue is not in the technology. It is in the people.”

Jensen says the last few years have provided an insight into the kinds of issues the IT department needs to think about when considering cloud computing.

“It takes a few brave souls to dip their toes into the water and find out how new technologies really work,” he said. With every new technology, there will be teething problems at first. The good news is that these lessons make it easier for the next wave of adopters, Jensen says, arguing that this is the stage we have reached with cloud computing. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
729 teraflops, 71,000-core Super cost just US$5,500 to build
Cloud doubters, this isn't going to be your best day
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
SAVE ME, NASA system builder, from my DEAD WORKSTATION
Anal-retentive hardware nerd in paws-on workstation crisis
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.