Cloud computing allows companies to outsource part (and sometimes almost all) of their computer processing. Instead of spending on in-house servers and (in the view of CIOs) the surly IT pros needed to service them, businesses simply pay an external provider. They then access their computing infrastructure over the Internet, or "through the cloud," in IT-speak.
Better still, cloud vendors tell us, cloud computing is massively scalable. A big-box retailer handles a holiday rush with a quick online request for more computing capacity. A growing small business without a big data center can leverage the heavy-processing muscle of a cloud provider.
Seeing gold in them thar hills, big players have launched divisions to provide cloud computing. The leaders include Amazon's EC2 and Google App Engine. In the excitement, the acronyms are multiplying. Cloud computing's near cousin is Software as a Service (SaaS), software delivered over the Net, and Salesforce.com touts a version of cloud computing called Platform-as-a-Service (PaaS).
But Carr's electricity analogy falters when you look at the difference between electricity and data. There's nothing confidential or sensitive about the wattage that flows into your business. But there's something profoundly sensitive about the data that flows in and out of your business.
Merely whispering the phrase "Sarbanes-Oxley," with its labyrinthine compliance requirements, is enough to make some CIOs shudder at giving a cloud-based provider even partial responsibility for their document management.
Making those CIOs even more anxious is this uneasy truth: as it evolves, cloud-based service is increasingly provided by a chain of providers. So you've contracted with an outsourcer, who in turn contracts with a series of outsourcers, and on and on, and this global crowd of unknowns is handling your most precious corporate secrets.
It's like the pretty girl in high school who doesn't want to give out her phone number, except she shares it with her steady sweetheart, the football captain who keeps his address book posted on his Facebook page.
Cloud Computing or Bust
The many red flags of cloud computing are catalogued in "Assessing the Security Risks of Cloud Computing," co-written by Gartner analysts Jay Heiser and Mark Nicolett.
Their thesis isn't that companies shouldn't use cloud computing. Rather, companies must go into the process with their eyes wide open, fully aware of the risks and taking essential precautions to stay safe. Or, as safe as possible, given the black-box nature of cloud computing.
"Probably [cloud computing] would be more popular already if people didn't have concerns about the risks," Heiser tells me. "Still, I don't think most of the potential users are truly cognizant of the risks. But they have a usefully intuitive sense that this is something new and it shouldn't be undertaken lightly."
(Indeed, a recent Goldman Sachs survey of CIOs' plans for 2009, which indicates that the recession is giving them an upset stomach, doesn't bode well for cloud services. Less than 2 percent of respondents made cloud a priority.)
Cloud computing's myriad security concerns are enough to make one ask: can't we just stay with that golden oldie known as client-server? After all, servers keep getting cheaper and cheaper (and cheaper), and the IT workers who maintain them are, sadly, surely not paid outlandish wages. Why go out of house?
Despite these doubts, cloud computing will indeed realize its potential as the industry-shifting trend it appears to be, Heiser opines. The train has left the station, recession-scared CIOs notwithstanding. Simply put, the cost savings are too great, and the flexibility and efficiency too attractive, for the cloud to be ignored.
"It's basically economic, but there are convenience issues," Heiser says.
"There's a control issue. I lump [cloud computing] in with consumerization, with being yet another example of how the end user is taking over the initiative from IT. If they don't like the answer that IT gives them, they'll just go out and buy the thing."
For instance: "How much of Salesforce.com was motivated by sales managers who just wanted to get away from IT and put in their own CRM?"
Moreover, spending on cloud computing is seen as more desirable than writing checks for servers that start aging the moment they're unwrapped. "When you buy something in the cloud, it's an expense. When you buy something like a computer, it's an investment," Heiser says.
"So it's a different color of money, and people like that."
Nine Security Concerns and How to Address Them
The most practical way to evaluate a cloud provider is to get a third party to do so, Heiser says. There are so many questions and concerns that doing all the work in-house may be prohibitive. Making the process still more difficult is the fact that many cloud-based service companies are far from transparent.
"Call up Google and ask them how transparent they are," he says, indicating that the answer will be "not very." So why should you trust them?
"I contrast them with Salesforce.com in terms of their transparency," Heiser says. "We emphasize Salesforce as having some early attempts at transparency; we didn't really flag Google as being the evil twin to Salesforce, but they're awfully opaque."
If you or a third party are kicking the tires of a cloud provider, here are the issues to be aware of, and Gartner's recommendations for handling them:
1) Privileged User Access
With cloud computing, your confidential data will be processed by personnel outside the enterprise, so non-employees, the provider's own administrators among them, could conceivably have full access to it, and their actions fall outside the hiring, background-check and monitoring controls you apply to your own staff.
Advice: Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
2) Regulatory Compliance
In the era of Sarbanes-Oxley, companies are held responsible for an exacting level of data monitoring and archiving. Even if a company contracts with an external cloud-based provider, these regulations hold the company itself responsible: accountability cannot be outsourced along with the processing. Cloud-based providers should therefore submit to external audits and security certifications to demonstrate they're able to hold up their end of the bargain.
Advice: A cloud computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.
3) Data Location
With cloud computing, you may not know where in the world, literally, your data is stored. The servers might be in Malaysia, Canada, or Hoboken, New Jersey, or a combination of the three, and each jurisdiction brings its own privacy laws and its own rules on government access to data.
Advice: Ask your provider whether they are willing to give a contractual commitment to store and process your data only in specific jurisdictions, and to obey the privacy laws of those jurisdictions.
4) Data Segregation
Certainly cloud providers use SSL to protect data as it travels, but encryption on the wire says nothing about the data at rest: in storage it may share a virtual locker with data from other companies, on the same disks and the same database instances. Is your data properly segregated from the rest, and what prevents a misconfiguration or a bug from handing another tenant's query your records?
It's likely a provider will offer impressive tales about the strength of its ultra-heavy-duty encryption. You'll hear great claims about key length and exotic encryption algorithms. None of that matters if the provider also holds the keys: encryption protects data only from those who cannot decrypt it.
Still, if your data can be read at your provider's site, then you must assume it will be read.
Advice: If your data will be stored and backed up in encrypted form, find out who has access to the decryption keys, whether the keys can be kept on your side rather than the provider's, and whether it's possible for authorized individuals at your company to gain access to their employees' data in an emergency.
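What "keeping the keys on your side" looks like in practice, as an added example that is not part of the article or of Gartner's report: the object is encrypted on the customer's premises before it is uploaded, under a random data key; that data key is then wrapped under the employee's own key and, separately, under a company-held "break-glass" key, so the company can recover an employee's data in an emergency without involving the provider. The tenant identifier is bound to the ciphertext as authenticated data, so a blob that ends up in the wrong customer's locker will not decrypt even with the right key. The type and function names, the "acme" tenant, the holder labels and the fixed sample keys are all assumptions made for this example; real key-encryption keys would live in a key manager or hardware module, not in source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is a key-encryption key that stays with its holder (an employee, or the
// company's break-glass custodian) and is never sent to the provider.
type KEK []byte

// StoredObject is the record the provider actually holds. It contains no
// plaintext key, so provider staff cannot read it whatever their privileges.
type StoredObject struct {
	TenantID   string            // which customer's "locker" this belongs in
	Ciphertext []byte            // nonce || AES-GCM ciphertext of the data
	WrappedDEK map[string][]byte // holder label -> nonce || AES-GCM(kek, dek)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the blob or the aad has changed.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt runs on the customer's side before upload. A fresh random data
// encryption key (DEK) encrypts the object; the DEK is wrapped under every KEK
// in holders (e.g. the employee's key and the company's break-glass key), so
// either can recover the data without the provider. The tenant ID is bound to
// both the data and the wrapped keys as GCM additional data.
func Encrypt(tenantID string, plaintext []byte, holders map[string]KEK) (*StoredObject, error) {
	dek := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	obj := &StoredObject{TenantID: tenantID, Ciphertext: ct, WrappedDEK: map[string][]byte{}}
	for label, kek := range holders {
		w, err := seal(kek, dek, []byte(tenantID+"/"+label))
		if err != nil {
			return nil, err
		}
		obj.WrappedDEK[label] = w
	}
	return obj, nil
}

// Decrypt recovers the object with the KEK of one named holder. It fails if the
// holder has no wrapped key, brings the wrong key, or names the wrong tenant.
func Decrypt(obj *StoredObject, tenantID, holder string, kek KEK) ([]byte, error) {
	wrapped, ok := obj.WrappedDEK[holder]
	if !ok {
		return nil, errors.New("no wrapped key for holder " + holder)
	}
	dek, err := open(kek, wrapped, []byte(tenantID+"/"+holder))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", holder, err)
	}
	return open(dek, obj.Ciphertext, []byte(tenantID))
}

func main() {
	// Constructed sample keys for the demo; not how real KEKs are provisioned.
	employee := KEK(bytes.Repeat([]byte{0x11}, 32))
	breakGlass := KEK(bytes.Repeat([]byte{0x22}, 32))
	providerAdmin := KEK(bytes.Repeat([]byte{0x33}, 32)) // whatever the provider holds
	obj, err := Encrypt("acme", []byte("Q3 forecast: confidential"),
		map[string]KEK{"employee": employee, "break-glass": breakGlass})
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(obj, "acme", "employee", employee)
	fmt.Printf("employee reads: %q\n", pt)
	pt, _ = Decrypt(obj, "acme", "break-glass", breakGlass)
	fmt.Printf("company break-glass reads: %q\n", pt)
	_, err = Decrypt(obj, "acme", "employee", providerAdmin)
	fmt.Println("provider with its own key:", err)
	_, err = Decrypt(obj, "other-tenant", "employee", employee)
	fmt.Println("right key, wrong tenant locker:", err)
}
```

The point to take from this when questioning a provider: the record the provider stores (StoredObject) is useless to anyone who does not hold one of the wrapping keys, and the break-glass wrap answers the emergency-access question without giving the provider a key. If instead the provider generates and holds the keys, the same AES-256 label on the brochure buys you nothing against the provider's own administrators or a subpoena served on the provider.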
5) Data Availability
In theory, you don't have to worry about your data disappearing when using a cloud provider: it's easy for these providers to redundantly mirror your data in various locales, providing peace of mind against a system crash.
But will your staff have access to the data they need to do their jobs, 24/7? What if the virtual pipes are clogged, so to speak? Or some kind of internal snafu within your provider puts a brick wall between you and your critical data? Redundant copies are no help if the only path to them is down.
Advice: Organizations should define service-level requirements for any nontrivial IT workload, demand service-level agreements from the provider, and ensure that the contract contains penalty clauses for when the service-level agreements are not met.
6) Disaster Recovery
Hopefully, the worst will never happen, and nothing resembling a total disaster will befall you, your provider or the world at large. But your provider must be prepared for this, and "we replicate everything" is not the same as a tested restore.
Essential question: Does your provider have the ability to do a complete restoration, and how long will it take?
7) Investigative Support
It's never easy to undertake an internal legal investigation, because it requires combing through masses of documents that may be spread across real and virtual locations. It's even harder to conduct such research when you use a cloud provider: data for many customers may be co-located and spread across a constantly shifting set of data centers, and the logs that would let you reconstruct who touched what belong to the provider, not to you.
Advice: If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.
8) Long-term Viability
Will your provider get acquired or, even worse, go broke? If so, how will they return your data to you, and in a format that you could import into another provider's infrastructure?
9) Support in Reducing Risk
Your staff will have a learning curve as they begin using an external provider. How usable is the provider's interface? Does the provider help your managers set up monitoring policies? What about guards against malware and phishing?
James Maguire is the managing editor of Datamation.