Belt, braces and external security standards
The risky business of assessing the public cloud
If you are about to hand the day to day running of your company’s technology and handling of data to a third party, you had better be sure they know what they are doing, and that what they are doing matches your requirements.
The business case for adopting cloud computing is already clear for many: it can save a lot of money, and give companies access to technologies that are otherwise be beyond their means. But for IT professionals, shifting technology and data offsite brings new challenges, especially to the smaller businesses for whom cloud computing is so useful.
Enterprise organisations are used to doing risk assessment as part of everyday due diligence. Now smaller businesses must learn how, too.
Cloud computing lets smaller firms play with enterprise level software, but it also means they have to surrender a level of control of their data and give a third party an unprecedented degree of access to their business.
Jensen - which bits
“Companies really need to understand how the service will be managed: which bit they are responsible for and which bit their cloud provider is responsible for,” says Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, Dorset.
Core areas of risk are mostly obvious: security, both of data and around access; support; upgrades; managing product lifecycle and so on. These are not new issues for anyone working in IT, but the difference lies in who is responsible for what, and making a by-definition standardised service work for you, as an individual company.
Cloud providers should normally have responsibility for backups, management of infrastructure and ensuring uptime, but clients can still retain control of general configuration issues, such as creating user accounts. Some companies might need support contracts to handle this.
Another crucial issue is how the support contract works. Will an email-only support programme be sufficient for you or do you need to be able to get someone on the phone 24 hours a day?
“The problem with email-only support is that you have latency, and no ability to talk through an issue,” Jensen says. “Companies need to be sure about what is right for them.”
Consider how are upgrades will be managed. “One benefit of the cloud is that you as the customer don’t have to worry about upgrades. They happen automatically.” Nevertheless, talk to your supplier about potential downtime and what happens in the event of data loss, he advises. Make sure any disaster recovery plan is regularly exercised. Otherwise it is just a piece of paper, as the mantra goes.
Upgrades might require a client to make changes to other systems to be compatible with new products. Before signing up to a service, find out about upgrade cycles, especially if major product refreshes are due.
"External security standards can offer some reassurance"
Data protection is a huge area, but another that has to be tackled by anyone considering moving data offsite. In short, you need to know where your data will be kept, even in the event of an outage; what the disaster recovery plans are and how data is disposed of at the end of a contract. (We’ll tackle this subject in more depth in an upcoming article).
Anecdotally, security is cited by IT staff as their biggest concern about cloud computing, and Vladamir Jirasek, a spokesman for the UK & Ireland chapter of the Cloud Security Alliance, explains that the issue is one of a cultural shift.
When all your IT is in-house, you typically share data internally and perhaps with a few third parties. You plan and manage your own upgrades, set your own security policies and so on. But once it goes into the cloud, it is outside your direct control.
“It will be very hard [for IT] to give up the level of control they are used to,” he says, adding that IT staff cannot be too rigid, and must be willing to compromise to make a cloud deployment work.
External security standards such as the ISO27001 can offer some reassurance for those yielding this control. Any agency claiming to be ISO compliant can of course be audited. It would not be a bad idea, then, to ask to see an external audit – such as SAS70 – when discussing terms with the cloud provider.
According to Conor Callanan, MD of CoreGB, a Microsoft SharePoint specialist based in London, security can be overblown as an issue.
“Of course you have to verify access controls, and make sure the provider has strong authentication, but a company like Microsoft would be destroyed if it gave away data through a lapse in security,” he told us. “IT might have concerns about security, but as always the real security issue is not in the technology. It is in the people.”
Jensen says the last few years have provided an insight into the kinds of issues the IT department needs to think about when considering cloud computing.
“It takes a few brave souls to dip their toes into the water and find out how new technologies really work,” he said. With every new technology, there will be teething problems at first. The good news is that these lessons make it easier for the next wave of adopters, Jensen says, arguing that this is the stage we have reached with cloud computing. ®