Cloud computing allows companies to outsource part (and sometimes almost all) of their computer processing. Instead of spending on in-house servers and (in the view of CIOs) the surly IT pros needed to service them, businesses simply pay an external provider. They then access their computing infrastructure over the Internet – “through the cloud,” in IT-speak.
Better still, cloud vendors tell us, cloud computing is massively scalable. The big box retailer handles a holiday rush with a quick online request for more computing capacity. The growing small business without a big data center can leverage the heavy-processing muscle of a cloud provider.
Seeing gold in them hills, big players have launched divisions to provide cloud computing. The leaders include Amazon’s EC2 and Google App Engine. In the excitement, the acronyms are multiplying. Cloud computing’s near cousin is Software as a Service (SaaS) – software delivered over the Net – and Salesforce.com touts a version of cloud computing called Platform-as-a-Service (PaaS).
IT pundit Nick Carr hails cloud computing, in his book The Big Switch, as the inevitable next step in business computing. Just as we now access electricity from huge external plants, he explains, we will access computing power from sprawling external processing facilities. Messy in-house data centers are passé. The future is bright, well ordered and reasonably priced.
But Carr’s analogy falters when you look at the difference between electricity and data. There’s nothing confidential or sensitive about the wattage that flows into your business. But there’s something profoundly sensitive about the data that flows in and out of your business.
Merely whispering the phrase “Sarbanes Oxley,” with its labyrinthine compliance requirements, is enough to make some CIOs shudder at giving a cloud-based provider even partial responsibility for their document management.
Making those CIOs even more anxious is this uneasy truth: as it evolves, cloud-based service is increasingly provided by a chain of providers. So you’ve contracted with an outsourcer, who in turn contracts with a series of outsourcers, and on and on – and this global crowd of unknowns is handling your most precious corporate secrets.
It’s like the pretty girl in high school who doesn’t want to give out her phone number, except she shares it with her steady sweetheart, the football captain – who keeps his address book posted on his Facebook page.
Cloud Computing or Bust
The many red flags of cloud computing are catalogued in Assessing the Security Risks of Cloud Computing, co-written by Gartner analysts Jay Heiser and Mark Nicolett.
Their thesis isn’t that companies shouldn’t use cloud computing. Rather, companies must go into the process with their eyes wide open, fully aware of the risks, taking essential precautions to stay safe. Or, as safe as possible, given the “black box” nature of cloud computing.
“Probably [cloud computing] would be more popular already if people didn’t have concerns about the risks,” Heiser tells me. Still “I don’t think most of the potential users are truly cognizant of the risks. But they have a usefully intuitive sense that this is something new and it shouldn’t be undertaken lightly.”
(Indeed, a recent Goldman Sachs survey of CIOs’ plans for 2009, which indicates that the recession is giving them an upset stomach, doesn’t bode well for cloud services. Less than 2 percent of respondents made cloud a priority.)
Cloud computing’s myriad security concerns are enough to make one ask: can’t we just stay with that golden oldie known as client-server? After all, servers keep getting cheaper and cheaper (and cheaper), and the IT workers who maintain them are, sadly, surely not paid outlandish wages. Why go out of house?
Despite these doubts, cloud computing will indeed realize its potential as the industry-shifting trend it appears to be, Heiser opines. The train has left the station, recession-scared CIOs notwithstanding. Simply put, the cost savings are too great and the business potential too efficient and flexible for the cloud to be ignored.
“It’s basically economic, but there are convenience issues,” Heiser says.
“There’s a control issue. I lump [cloud computing] in with consumerization as being yet another example of how the end user is taking over the initiative from IT. If they don’t like the answer that IT gives them, they’ll just go out and buy the thing.”
For instance, “How much of SalesForce.com was motivated by sales managers who just wanted to get away from IT and put in their own CRM?”
Moreover, spending on cloud computing is seen as more desirable than writing checks for servers that start aging the moment they’re unwrapped. “When you buy something in the cloud, it’s an expense. When you buy something like a computer, it’s an investment,” Heiser says.
“So it’s a different color of money and people like that.”
Nine Security Concerns – and How to Address Them
The most practical way to evaluate a cloud provider is to get a third party to do so, Heiser says. There are so many questions and concerns that doing all the work in-house may be prohibitive. Making the process still more difficult is the fact that many cloud-based service companies are far from transparent.
“Call up Google and ask them how transparent they are,” he says, indicating that the answer will be, ‘not very.’ “So why should you trust them?”
“I contrast them with Salesforce.com in terms of their transparency,” Heiser says. “We emphasize Salesforce as having some early attempts at transparency; we didn’t really flag Google as being the evil twin to Salesforce, but they’re awfully opaque.”
If you or a third party are kicking the tires of a cloud provider, here are issues to be aware of, and recommendations from Gartner for handling them:
1) Privileged User Access
With cloud computing, your confidential data will be processed by personnel outside the enterprise, so non-employees could conceivably have full access to it.
Advice: “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.”
In the era of Sarbanes-Oxley, companies are held responsible for an exacting level of data monitoring and archiving. Even if a company contracts with an external cloud-based provider, these regulations hold the company itself responsible. Cloud-based providers should submit to audits and security certifications to ensure they’re able to hold up their end of the bargain.
Advice: “A cloud computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.”
3) Data Location
With cloud computing, you won’t know where in the world – literally – your data is stored. The servers might be in Malaysia, Canada, or Hoboken, New Jersey – or a combination of the three.
Ask your provider: are they willing to give a contractual commitment that they are obeying the privacy laws of specific jurisdictions?
4) Data Segregation
Certainly cloud providers use SSL to protect data as it travels, but as it sits in storage it may share a “virtual locker” with data from other companies. Is your data properly segregated from the rest?
It’s likely a provider will offer impressive tales about the strength of its ultra-heavy-duty encryption. You’ll hear great claims about key lengths and exotic encryption algorithms.
Still, if your data can be read at your provider’s site, then you must assume it will be read.
Advice: “If your data will be stored and backed up in encrypted form, find out who has access to the decryption keys and whether it’s possible for authorized individuals at your company to gain access to their employees’ data in an emergency.”
In theory, you don’t have to worry about your data disappearing when using a cloud provider – it’s easy for these providers to redundantly mirror your data in various locales, providing peace of mind against a system crash.
But will your staff have access to the data they need to do their jobs, 24/7? What if the virtual pipes are clogged, so to speak? Or some kind of internal snafu within your provider puts a brick wall between you and your critical data?
Advice: “Organizations should define service-level requirements for any nontrivial IT workload and demand service-level agreements from the provider and ensure that the contract contains penalty clauses when the service-level agreements are not met.”
Hopefully, the worst will never happen, and nothing resembling a total disaster will befall you, your provider or the world at large. But your provider must be prepared for this.
Essential question: Does your provider have the ability to do a complete restoration, and how long will it take?
7) Investigative Support
It’s never easy to undertake an internal legal investigation, because it requires combing through masses of documents that may be spread across real and virtual locations. It’s even harder to conduct such research when you use a cloud provider: data for many customers may be co-located and spread across a constantly shifting set of data centers.
Advice: “If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”
Will your provider get acquired or – even worse – go broke? If so, how will they return your data to you in a format that you could import into another provider’s infrastructure?
9) Support in Reducing Risk
Your staff will have a learning curve as they begin using an external provider. How easy does this provider make their interface? Does the provider help your managers set up monitoring policies? What about guards against malware and phishing?
James Maguire is the managing editor of Datamation.