Friday, July 29, 2011

Is Your Head (Safe) in the Cloud - Part II

While the "cloud" is a strange and wonderful new thing, in my humble opinion it has actually been with us for a long time (read here) and cloud based services should be managed like any "service" we purchase or otherwise provide to our partners. As IT professionals we may be attracted by cost, flexibility and other benefits, but we must focus on managing performance, reliability and security just as we do with all of the systems we provide.

When use of the cloud is discussed, invariably someone raises the number one concern: security. How do I know my information will be safe in the cloud? Indeed, we have seen a number of news stories that suggest hackers have been able to penetrate the defenses at some of the major cloud players including Amazon, Google and Microsoft.

But we also know that some of the very best private system defenses have been compromised including RSA (the security people), NATO, the Pentagon, the FBI, numerous banks, credit card companies, department stores, energy companies and others. The list is long and growing. You get the feeling no place is secure once the hackers have you in their crosshairs.

Security is a concern for all systems, whether running in-house or at a third party site. The cloud may be no less or more secure than any other location for your data.

Vivek Kundra, the Federal CIO, thinks (as I do) the issue has been exaggerated (read here) and he actively encourages use of the cloud. The government can save considerable money (something it sorely needs to do) and be much more efficient by using these services.

In fact, it is likely a cloud service could help lots of small to mid-size companies, offering them better security at a lower cost than they could achieve on their own.

So what should you do differently when dealing with a cloud provider? Obviously you have complete visibility into your own technical infrastructure and direct control over your people and policies. With any third party provider, you must determine if the security measures in place meet the level of protection commensurate with the importance of any information that will reside there.

It is important to investigate and confirm any claims made by your provider. Perhaps we need ways of making the provider's security more transparent, as was suggested in this article. The approach is to provide a means of rating services much like hotels or restaurants.

You must go beyond the physical infrastructure and discuss policies and procedures. Importantly, look at employee policies and how employees are managed. Look at who your provider relies upon and make sure the risk is transferred down and mitigated at all levels.

Security, along with performance and reliability, must be carefully addressed with provisions embodied in contracts, including specific remedies, and comprehensive plans for dealing with failures of any kind.

Do you have any advice to add to this list?

Captain Joe


Follow me on Twitter @JPuglisiLLC