So many things can happen to locally-stored data: it can be lost, leaked, hacked and vandalized. But what about the cloud, is it any safer?

Whether your company has already taken the plunge into the cloud or is still waiting on the sidelines, cloud-based computing is definitely where information technology is headed in the long term. And there are few businesses that won’t be affected.

In its SMB Cloud Adoption Study 2011, Microsoft Research recently found that 39% of small and medium-sized businesses expect to be using one or more cloud services within three years. That is an increase of 34% from the current 29% of businesses that already use these services.

But before business owners enter this brave new world and entrust their data to a third party, they should understand their own requirements.

As an IT security strategist, I find that most businesses I talk to today are excited, but nervous, about the potential of the cloud. One of the biggest concerns they have is safety. To business and enterprise users who’ve grown accustomed to harboring and firewalling networks and data, the jump to the cloud can feel more like a plunge.

Safety and availability are the top two issues with the cloud that business owners should be aware of. But they aren’t the only ones.

Here are seven key areas that every business owner should evaluate before establishing service with a cloud provider:

1. Compliance: It’s critical for business owners to ask up front if the service satisfies their compliance requirements, for example ISO, SAS70 type 2 and FISMA. You are more likely to find compliance standards with a global provider that has a proven track record for security operations, large customers and uptime. Companies like Google (GOOG), Microsoft (MSFT) and Amazon (AMZN) all offer various certifications depending on a business’s needs.

2. Auditing: Auditability is another important compliance issue. Make sure you know how the service provider will make audit information available and what information will be provided.  

3. Continuity Plan: The next key question, after compliance, is whether the service has a continuity plan in place. You want to make sure your services aren’t dependent on one data center; should that center crash, your business will be on standby indefinitely. Make sure the service provider has multiple data centers with geo-replication available.

4. Application Support: Does the service supply application-level support? Is the provided app support SLA acceptable? Will application updates be applied in a timely manner? How easy is it to migrate your data onto the service? Conversely, you need to ask how easy it is to retrieve your data in the event you wish to switch service providers, and what is required to make an engineering change. Is it even possible?

5. Response Time: Every virtualization service provider will claim to provide fast and ready service should something go wrong. But how can you be sure? Ask about "guaranteed response times" and make sure they have a 24/7 ticketing system. 

6. Cost: How are costs calculated for the service? Per user? Data in and out? CPU use? Are there extra charges for isolation of data or processing environment? Depending on your requirements, the costs of these services can rise exponentially. It’s important for business owners to have a full understanding of the types of charges they might incur and how these fees are processed. Another key question to ask: How are changes to service fees communicated to the business?

7. Geography: Businesses need to be aware of where their data is physically stored. The physical location of data storage is very important: different countries have different rules about what constitutes personally identifiable information, such as addresses and phone numbers, credit cards and the like. Some businesses are required to ensure that all their data is stored in the United States. The location of data is an issue that should not be ignored.

Businesses can gain enormous benefits from utilizing cloud-based services. From scalability to ease of access and reduced IT costs, the cloud is transforming the way businesses operate. The key, however, is for businesses to be smart about how they choose to transition to the cloud. Safety, availability and compliance issues are top concerns - and it’s important for business owners to do due diligence on several cloud service providers before choosing one to make the transition.

 

Jason Glassberg, co-founder of Casaba, LLC, has provided security consulting to US technology companies for over a decade, including Fortune 50s. His company provides security testing and advisory services to key software developers like Microsoft, as well as traditional businesses. Areas of expertise include threat modeling, penetration testing, reverse engineering, malware analysis, source code review, network review and regulatory compliance review. Casaba helped to create Microsoft’s software Security Development Lifecycle (SDL) and is to this day a part of Microsoft’s SDL Pro Network.