Cloud computing aims to bring new flexibility to enterprise IT: the idea of virtualizing computing resources removing them from physical hardware opens up many possibilities, not just in terms of cost cutting, but also in security and availability.
Security, availability, and integrity are all essential for enterprise IT and cloud computing promises to help businesses have access to data and applications at all times. Instead of thinking about business continuity in terms of disaster recovery, where the focus in on how quickly enterprises can restore operations, cloud computing could make the traditional concept of backups and recovery obsolete. Instead, the idea of totally-resilient operations becomes much more feasible, in which cloud-based resources are constantly replicated between sites to protect applications and data in the event of a physical incident.
“We used to focus on internal data centre redundancy. Now we’re seeing it as remote redundancy. So this idea of instantaneous remote backup is gaining traction,” explains Al Berman, executive director at DRI International, which trains professionals in business continuity. “I just came back from a meeting at the White House, and all they wanted to talk about was cloud computing and why no-one was talking about it. I said, ‘in the private sector, we’re not talking about it – we’re just doing it’.”
Mitigating risks
However, while enterprises embrace cloud computing’s ability to protect business operations, they should not enter into cloud computing relationships without first assessing and mitigating risks. Enterprises need to assess the security issues associated with virtualizing one’s data so that it becomes independent of a physical computing platform. Where is the data is to be kept? Who will have access to it? What access controls are in place to prevent the wrong people seeing it? And what technical measures are in place to prevent it being misappropriated?
“Cloud computing can be risky, which is why we are seeing the emergence of trusted intermediaries,” explains Alexandre Rigaldo, cloud computing program director at Orange Business Services. He identifies several broad risks that customers should consider when engaging in cloud computing relationships. “We are talking about a shared infrastructure, so that we have data from different people shared on the same physical machines. Also, you don’t know where your data is located, and this can be an issue in specific sectors.”
This emphasis on location stretches beyond where the data is stored into the area of accreditation. Certifications used by cloud computing providers may differ between one region and another, and what is acceptable from a regulatory perspective in one region may not be acceptable in another, he warns.
Finally, the data may be at risk if the communication mechanisms used to get it into the cloud and out again are not secure. Using the public Internet to communicate that data without encrypting it, for example, could incur regulatory risk.
“To mitigate this risk is not rocket science. The goal is to apply some basic IT security principles, and not believe in Santa Claus,” Rigaldo says. “Cloud computing doesn’t solve all of your issues. You have to be as careful when you buy cloud computing services as with traditional IT.”
One crucial step is to look at the life cycle of your information, says Rigaldo. Defining the sensitivity of specific types of data, based on the business processes that it serves, and the legal liability that it incurs, is vital when it comes to understanding how to deal with it.
Different approaches to the cloud
How an enterprise tackles these tasks will depend partly on the type of cloud computing model it is employing. Cloud computing models can be split in different ways. For example, platform as a service differs from software as a service, which is in turn a separate proposition to infrastructure as a service. All of these carry different risks in varying proportions.
It is also possible to slice the model along organizational lines. Some may prefer private clouds, where individual companies host their own data, while others may prefer a publicly available cloud service in which everything is hosted by a third party and runs from a shared platform. Alternatively, it’s possible to combine the two with a hybrid model that allows enterprises to retain some control, while still taking advantage of the economies of scale of the shared platform. All of these choices will have a bearing on the risk analysis process.
With such a bewildering array of options, how can an enterprise begin to make sense of it all?
Different organizations have published their approaches to securing cloud computing. The European Network and Information Security Agency (ENISA) recently published an information assurance framework as part of a broader report entitled “Cloud Computing: benefits, risks, and recommendations for information Security”. This framework is designed to help customers understand which questions to ask potential cloud suppliers.
The Cloud Security Alliance (CSA) also published its “Security Guidance For Critical Areas of Focus in Cloud Computing” in December, which discusses different cloud architectures and assesses how each of them can be best managed in the context of information lifecycle management, data portability, and application security. Governance featured heavily in the document, which laid out each party’s roles and responsibilities in areas such as lawfulness of content and incident response.
As enterprise IT moves firmly in the direction of a more virtualized world, in which logical resources are shunted between sites for maximum efficiency, guidelines such as these will be vital for enterprises looking to tackle the process of due diligence with service providers, or attempting to automate cloud processes within their own, private networks. In spite of the name, cloud computing should be about transparency and enterprises need to stress accountability and openness in all of their service relationships.
This article first appeared in the email newsletter we help produce for Orange Business Services called Enterprise Briefing: http://www.orange-business.com/en/mnc2/footer/news/enterprise_briefing/feb2010/technology.jsp