Belt, braces and external security standards

The risky business of assessing the public cloud


If you are about to hand the day to day running of your company’s technology and handling of data to a third party, you had better be sure they know what they are doing, and that what they are doing matches your requirements.

The business case for adopting cloud computing is already clear for many: it can save a lot of money, and give companies access to technologies that would otherwise be beyond their means. But for IT professionals, shifting technology and data offsite brings new challenges, especially to the smaller businesses for whom cloud computing is so useful.

Enterprise organisations are used to doing risk assessment as part of everyday due diligence. Now smaller businesses must learn how, too.

Cloud computing lets smaller firms play with enterprise level software, but it also means they have to surrender a level of control of their data and give a third party an unprecedented degree of access to their business.


“Companies really need to understand how the service will be managed: which bit they are responsible for and which bit their cloud provider is responsible for,” says Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, Dorset.

Core areas of risk are mostly obvious: security, both of data and around access; support; upgrades; managing product lifecycle and so on. These are not new issues for anyone working in IT, but the difference lies in who is responsible for what, and making a by-definition standardised service work for you, as an individual company.

Cloud providers should normally have responsibility for backups, management of infrastructure and ensuring uptime, but clients can still retain control of general configuration issues, such as creating user accounts. Some companies might need support contracts to handle this.

Another crucial issue is how the support contract works. Will an email-only support programme be sufficient for you or do you need to be able to get someone on the phone 24 hours a day?

“The problem with email-only support is that you have latency, and no ability to talk through an issue,” Jensen says. “Companies need to be sure about what is right for them.”

Consider how upgrades will be managed. “One benefit of the cloud is that you as the customer don’t have to worry about upgrades. They happen automatically.” Nevertheless, talk to your supplier about potential downtime and what happens in the event of data loss, he advises. Make sure any disaster recovery plan is regularly exercised. Otherwise it is just a piece of paper, as the mantra goes.

Upgrades might require a client to make changes to other systems to be compatible with new products. Before signing up to a service, find out about upgrade cycles, especially if major product refreshes are due.


Data protection is a huge area, but another that has to be tackled by anyone considering moving data offsite. In short, you need to know where your data will be kept, even in the event of an outage; what the disaster recovery plans are and how data is disposed of at the end of a contract. (We’ll tackle this subject in more depth in an upcoming article).

Cultural shift

Anecdotally, security is cited by IT staff as their biggest concern about cloud computing, and Vladamir Jirasek, a spokesman for the UK & Ireland chapter of the Cloud Security Alliance, explains that the issue is one of a cultural shift.

When all your IT is in-house, you typically share data internally and perhaps with a few third parties. You plan and manage your own upgrades, set your own security policies and so on. But once it goes into the cloud, it is outside your direct control.

“It will be very hard [for IT] to give up the level of control they are used to,” he says, adding that IT staff cannot be too rigid, and must be willing to compromise to make a cloud deployment work.

External security standards such as ISO 27001 can offer some reassurance for those yielding this control. Any agency claiming to be ISO compliant can of course be audited. It would not be a bad idea, then, to ask to see an external audit – such as SAS 70 – when discussing terms with the cloud provider.


According to Conor Callanan, MD of CoreGB, a Microsoft SharePoint specialist based in London, security can be overblown as an issue.

“Of course you have to verify access controls, and make sure the provider has strong authentication, but a company like Microsoft would be destroyed if it gave away data through a lapse in security,” he told us. “IT might have concerns about security, but as always the real security issue is not in the technology. It is in the people.”

Jensen says the last few years have provided an insight into the kinds of issues the IT department needs to think about when considering cloud computing.

“It takes a few brave souls to dip their toes into the water and find out how new technologies really work,” he said. With every new technology, there will be teething problems at first. The good news is that these lessons make it easier for the next wave of adopters, Jensen says, arguing that this is the stage we have reached with cloud computing. ®
