Cloud security 101: Are Cloud providers reliable?

The value of an airtight SLA with your Cloud provider

Companies relying on Cloud services from Amazon were in April left hanging when the Cloud provider’s EC2 went down. For Gartner research director, Rob McMillan, this outage highlighted the need for airtight service level agreements (SLAs) to ensure their provider’s — and therefore their data’s — reliability.

This article is part of a Computerworld Australia series looking at the issues surrounding Cloud security and reliability.

Whereas SLAs with data centre providers are relatively mature, SLAs with Cloud providers are still going through an evolutionary process, McMillan says, so those sourcing Cloud services need to ensure theirs is tailored to enterprise-level standards.

“Service levels… should be about outcomes, not necessarily about technology and they will have to be tailored for end user customers but in other areas there will be cookie cutter parts to them,” he says.

Further reading

Frost & Sullivan ICT practice research director, Arun Chandrasekaran, agrees that people are learning lessons about Cloud security assurances the hard way and warns Amazon’s EC2 outage will not be the last.

He also cautions against enterprise customers rushing to sign an SLA with providers. “My opinion, and that of enterprise customers I have spoken to, is that SLAs are not yet enterprise grade,” he says.

“They are good for small and medium businesses, but I can’t put my mission critical SAP or Oracle application on a public Cloud because the downtime that is allowed is simply not acceptable.

"In a public Cloud you do not get dedicated infrastructure but multi-tenanted infrastructure, so you are sharing that with other people.

"As well as dictating terms for uptime, SLAs play an important role when it comes to getting company data back in a timely fashion should a Cloud provider go out of business."

“The Cloud provider might go into administration or receivership,” says Sophos Asia Pacific head of technology, Paul Ducklin.

“Imagine if they are unsuccessful, when a company goes into receivership and the creditors line up to see who is going to get how many cents in the dollar.”

As Ducklin explains it, the Australian Taxation Office (ATO) gets the first bite of the cherry; the biggest creditors get the next bite, and so on.

The “poor old person” at the end might get one cent in the dollar if they’re lucky, and the same issues are waiting to happen with Cloud orientated services when the poor old IT manager tries to get his or her data back. Mergers and acquisitions also affect access to data — as well as data sovereignty.

This is because if your Cloud provider gets acquired then it may end up in a whole new jurisdiction with a new owner, under a new legal regime that neither they nor you are familiar with.

“You need to be able to do so as well because you might decide that their security isn’t up to the standard that you have now decided is appropriate for your data ,” Ducklin says.

“You also need to think about how you withdraw permission for other people to look after your services and your data. It’s a little more subtle issue than a straight outsourcing agreement.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Tags cloud computing

Show Comments