How prepared are you for challenges in cloud computing?

Cloud computing is here, and has been embraced by many an organisation.

Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Cloud computing is about outsourcing IT resources just like you would outsource utilities like electricity or water off a shared public grid.

 The cloud services options include: Software as a Service (SaaS): Whereby the consumer uses the cloud provider’s applications running on a cloud infrastructure and the applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Platform as a Service (PaaS): Here the consumer deploys their own applications on the provider’s infrastructure. This option allows the customer to build business applications and bring them online quickly; they include services like Email Campaign management, Sales Force Automation, Employee management, Vendor management etc.

Infrastructure as a Service (IaaS): The consumer has access to processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems; storage, deployed applications, and possibly limited control of selected networking components (e.g., host firewalls).

Cloud computing has become popular because enterprises are constantly looking to cut costs by outsourcing storage, software (as a service) from third parties, allowing them to concentrate on their core business activities.

With cloud computing, enterprises save on setting up their own IT infrastructure which would otherwise be costly in terms of initial investment on hardware and software, as well as continued maintenance and human resource costs.

According to the Gartner report on cloud security [2], Enterprises require new skill sets in order to handle the challenges of cloud security.

Concerns addressed

Enterprises need to see to it that their cloud service provider has most of “the boxes ticked” and that they have their security concerns addressed. Cloud computing being a somewhat a new field of IT with no specific standards for security or data privacy, cloud security continues to present managers with several challenges.

There is need for your provider to be able to address some of the issues that come up including the following: Access control / user authentication: How is the access control managed by your cloud service provider? To be more specific, do you have options for role based access to resources in the cloud,?

How is the process of password management handled? How does that compare to your organization’s Information security policy on access control?

Regulatory compliance: How do you reconcile the regulatory compliance issues regarding data in a totally different country or location?

How about data logs, events and monitoring options for your data; does the provider allow for audit trails which could be a regulatory requirement for your organisation? Legal issues: Who is liable in case of a data breach?

How is the legal framework in the country where your cloud provider is based, visa vi your own country?

What contracts have you signed and what issues have you covered/discussed with the provider in case of legal disputes. How about local laws and jurisdiction where data is held? Do you know exactly where you data is stored?

Are you aware of the conflicting regulations on data and privacy? Have you asked your provider all the right questions?

Data safety: Is your data safe in the cloud? How about the problems of Man-in-the-middle attacks and Trojans, for data moving to and from the cloud. What are the encryption options offered by the provider?

Another important question to ask is; who is responsible for the encryption /decryption keys? . Also you will find that cloud providers work with several other third parties, who might have access to your data. Have you had all these concerns addressed by your provider?

Data separation / segregation: Your provider could be hosting your data along with several other clients’ (multi-tenancy).

Time policy

Have you been given verifiable assurance that this data is segregated and separated from the data of the provider’s other clients? According to the Gartner report, it’s a good practice to find out “what is done to segregate data at rest.”

Business continuity: What is the acceptable cloud service down time that you have agreed with your provider? Do these downtimes compare well with your organisation acceptable down time policy?

Are there are any penalties/compensations for downtime, which could lead to business loss?

What measures are in place by your provider to ensure business continuity and availability of your data / services that are hosted on their cloud infrastructure in case of disaster?

Does your provider have options for data replication across multiple sites? How easy is restoring data in case a need arises?

Cloud services providers have increased their efforts in addressing some of the most pressing issues with cloud security.

In response to cloud security challenges, an umbrella non-profit organisation called the Cloud Security Alliance (CSA) was been formed.

[email protected]