In today’s uncertain times, cost-savings are a primary focus for executives. Cloud services do seem to offer a silver bullet solution when it comes to infrastructure and ancillary IT services.
It does sound a little bit like the late 1990s and early 2000s when outsourcing and offshoring seemed to be the answer to an effective cost management. There was no project or initiative that would not consider either outsourcing and/or offshoring. Today, this seems to be the case today for cloud services — every project is required to consider what it might offer.
Cloud computing does offer potential cost benefits to businesses and government agencies. Major deals have been struck by big vendors such as IBM, HP and CSC in the past 2 years, and there has been a big push by US and UK Governments to adopt cloud services. The US federal government's Cloud First strategy requires agencies to consider cloud computing as an option in any major IT acquisition and each federal agency must complete at least one cloud project by the end of the year, and two more by June 2012.
If the US Government is doing it, and Salesforce.com (for example) touts big industry names like FujiFilm, Google, medibank, Australian Air Express and Dell as cloud service customers, it’s a no-brainer for the rest of us? Well maybe, but don’t be blindsided by simple cost savings.
The US Government has just released its Cloud Security Guidance through NIST, and other open source organisations like the Cloud Security Alliance have made sure there is industry guidance available to help organisations make the right decision.
So the right decision isn’t simple? Don’t forget, you are putting your data in the cloud, and the security and protection of your data is key, never more-so than in the cloud. There are other considerations that you therefore need to take into account. Items like service level agreements for availability of the service, incident management, growth on demand through compute and storage can all impact the simplicity of your decision.
From a security perspective, the following might help your decide to cloud or not to cloud:
- Ensure that the cloud services model you chose aligns with your risk tolerance and acceptance thresholds, and that the cloud services model is commensurate with the sensitivity and/or classification of the data being stored/processed in the cloud.
- Understand and document clear data ownership obligations and accountability of actions in the event of a breach.
- Ensure your legislative obligations for data protection and management are addressed.
- Understand where your data is being hosted and any impact the host country’s privacy laws will have on your data.
- Understand the legislative obligations that foreign owned vendors may be subject to (with regards to their local country’s laws) whilst operating within your country.
- Understand the architecture of the cloud service and the proposed solution to ensure the isolation of tenant applications is appropriate and in line with your policies and data security standards.
- Ensure the cloud services provider has a secure gateway environment that is certified by an authoritative third party and the infrastructure is using validated products meeting federal or national standards.
- Ensure there is strong encryption at the gateway, further supported by robust threat monitoring and secure logging of all access to applications and infrastructure instances hosting your data assets.
- Ensure and validate the cloud service provider’s police check and employee vetting procedures.
- Ensure the cloud services provider has robust incident response and breach notification processes in place that are in-line with your own security incident response processes, and that they will support forensic investigation if required.
These 10 security considerations will give you a quick snapshot. If you do decide to cloud, there are more in-depth checklists available.