“The cloud” has acquired semi-mythical status in the world of information technology. Not only is it pretty much ubiquitous in any technology-related discussion these days, but the term is also being misused by some and misunderstood by others, which can lead to data security and governance problems down the line.
The problem is that there are far too many so-called cloud providers who are nothing more than bandwagon jumpers. IT teams with little or no experience of dealing with the cloud computing tendering process need to be particularly careful when navigating this minefield for the first time.
In my new role as Chairman of the new Cloud Industry Forum Special Interest Group for Security, I’ve heard many tales of IT leaders being told confidently by providers that they can handle their journey to the cloud, but then on closer inspection finding out that the promises amount to little more than marketing hype and vapourware. It’s a particular problem among the smaller cloud vendors, although size of organisation is not necessarily related to quality of service.
The key thing to remember is choosing a financially stable firm offering a secure cloud package from which data can be easily extricated at the end of a contract. This is obviously easier said than done and later on I’ll be discussing in more detail the kind of best practice steps needed to achieve this. First, though, a word about the challenges and potential pitfalls involved in choosing the right provider.
Regulatory compliance is one of the IT team’s most onerous tasks and moving your data into the cloud isn’t suddenly going to make it go away. That’s why care must be taken to find out exactly how secure a provider’s datacentre is and – depending on which industry you’re in – possibly even where data will be stored geographically. The regulatory environment is getting more onerous, in fact, not less.
Changes to the Data Protection Act expected by 2014 as new European regulations kick in, will pave the way for penalties of up to €1 million or up to 2 per cent of a company’s global annual turnover in the event of a serious violation. The impact of a breach of sensitive customer data or valuable intellectual property, can also of course dent your brand and possibly even lead to an even more damaging customer exodus.
Just as important is finding a cloud provider which is financially stable and reliable. The prospect of signing a contract with one firm only for it to go out of business or be acquired by a rival is unsettling for IT managers and could mean mission critical data is suddenly unavailable. Contracts should be drawn up to ensure that in the event of this happening, there is a clear and easy migratory path, allowing company data to come either back on premise or move over to another third party provider.
Due diligence should be first and foremost in the mind of the IT boss. It is a worryingly common sight to see dedicated IT staff still forced to stay hands on by managing cloud data because the cloud provider is not doing its job properly. This is obviously a false economy. Taking that journey to the cloud should generate a range of business benefits around greater agility, cost reduction and more efficient use of resources – a key one of which is your human resources. Moving to the cloud should free up certain IT roles to be repurposed elsewhere in the organisation – not add to the burden.
The journey to the cloud can be like navigating a minefield at times, thanks to unscrupulous service providers and SIs whose service offerings claim to answer all of your needs but then turn out to be filled with little more than marketing hype and false promises. It can seem like a daunting task to some, especially for smaller organisations with fewer resources at their disposal and less experience in choosing cloud providers. But it’s certainly not impossible and I’ve outlined a few best practice tips which could help to ease the burden and ensure you make the right decision.
The most important thing to remember from the get go is that taking that journey to the cloud doesn’t mean forgetting all about your data just because someone else is storing and managing it. It’s vital to remember that no matter what the cloud provider might say, responsibility for the security and integrity of your data will fundamentally always rest with the customer.
With that in mind, it’s time to do due diligence. It’s all about finding a provider which is able to match the customer’s requirements. Now these will depend on what you’re using the cloud for. If it’s to run a heavy transactional database, for example, latency will be a major issue and you may need to search for a provider which has datacentres located close by. Ditto, if regulatory requirements stipulate that data can’t leave the country or that certain strict security standards must be met, then these need to be added into SLAs.
A different set of requirements will also be needed if the organisation is using a cloud platform for a production environment or a development and testing one. In the latter use case, for example, sensitive IP may need to be pushed out to the cloud securely in short bursts then brought back on premise, which some providers may not be able to do in a satisfactory manner.
The biggest two areas of concern are probably data security and latency or performance, but billing and support are also important to ensure a trouble-free service. Billing in particular needs to be automated and transparent to avoid any shocks down the line, while support options need to meet the IT team’s own standards.
You’ll also need to look closely at system administration – ensuring that the provider enforces tightly controlled roles-based access and that directory services can be moved seamlessly from your on-premise environment to off. On that note, it’s key that enterprise systems are able to interface smoothly with those of the cloud provider. Sysadmins will be looking for the ability to manage both through a single pane of glass – which will also benefit the customer by maximising IT resources.
One of the major problems with cloud projects is that there’s no one universal framework of standards by which to help source the right provider. In fact, cloud computing often defies a single definition, making it doubly important to set plenty of time aside to draw up that all-important list of business and IT requirements. It then goes without saying that these requirements need to be rigorously enforced and harsh penalties included in the contract in the event SLAs are broken.
Help is at hand, though. There are several independent cloud industry bodies like the Cloud Industry Forum which can provide a wealth of useful information and advice. Another good idea is to get out to as many industry events as possible and network with your peers – find out what their requirements are, which providers they’re using, and get those references. There must be about 4 or 5 conferences a month on cloud and cloud security so my advice is to get out there and collect as much info as possible before making your decision.