Securing clouds and taking educated steps
The most common objections for holding back SaaS (Software as a Service) adoption, as reported from end customers, are ‘security’ and ‘reliability’.
This is interesting when you consider that SaaS Security is consistently reported as the fastest growth area of SaaS. This ‘security’ objection usually stems from the customers’ perspective; they are concerned about the security of their data held outside their perimeter by the cloud provider.
Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months.
Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. Similar to many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate.
While still evolving and changing, cloud computing is here to stay. It promises a transformation – a move from capital intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and a cost-efficient form factor.
As an end user organisation of different sizes, you need to consider where and when cloud may offer benefit and a positive edge to your business.
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.
Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level: cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike.
Wide-scale adoption and the full potential of cloud will come by giving users the confidence and by demonstrating the solid information security that it promises to deliver.
Computing is experiencing a powerful transformation across the world.
Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost effective manner.
Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles; as huge IT burden like system or software updates are now delivered automatically with cloud computing and both small and large organisations can now afford to get access to cutting-edge innovative solutions. Cloud computing also brings green benefits such as reducing carbon footprint and promoting sustainability by utilising computing power more efficiently.
SaaS is generally regarded as well suited to the delivery of standardised software applications and platforms, like email, CRM, accounting and payroll. The development of the SaaS business model has been rapid and it is now being used to provide high performance, resilient and secure applications across a range of company sizes and industries.
However as already mentioned in end-user survey after survey the top two issues that surface to the top are security (data being the typical lead in this) and reliability (being availability and accessibility).
A good reference point for this is the Cloud Industry Forums 2011 survey extract below:
Is this so different when you consider the traditional on network form factor? Consider the increasing number of recent and well publicised data breaches and reliability issues from the likes of Sony, BlackBerry and TK Maxx.
Often these are tarred with the cloud brush, however these are breaches where the company was hosting its own solution as a provider and yet was hacked from outside. These are sizeable targets and with larger IT teams and budgets than the average size business in the market today.
Look at end-user surveys on IT challenges in general and managing the complexity of security appears high if not top of those lists, with other contributors around lack of IT expertise or not enough IT staff. Increasingly businesses are concerned about protection of the organisations information assets both from external as well as internal threats. In a time of financial challenge protecting against the disgruntled employee is also to be taken seriously.
There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where infinite IT power and information is available to a user on the smallest of devices, on the move and at an affordable price.
As devices get more powerful, and the Internet faster, the demand and supply of cloud applications will skyrocket and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.
So as you extend your footprint into utilising an increasing number of cloud based services so you need to consider the security aspects from an access control perspective (i.e. who can access what, from where and what device and what are the additional risks if any of this).
For example, can a user store their login details on their personal iPad and is that device secured enough that if they lost it your cloud systems access would not be breached?
Cloud or SaaS does not provide one-size-fits-all solutions, and not every application in the cloud will be right for your business.
You should consider in what areas it makes sense to utilise the cloud. Where can your organisation gain improvement in areas of business efficiency, resilience and cost reduction? Look to others in your sector and what they have done, and look for simplicity and obvious choices in your first cloud solution adoptions.
Review your shortlisted vendors carefully and compare them across multiple areas but not just price. With cloud computing you need to ensure that you validate who you are dealing with, what their reputation is and the quality of service you will receive.
Some examples to check before signing up, that a reputable cloud provider will be happy to answer include:
- What are the terms and conditions in the service level agreement (SLA)?
- Are there penalties if a supplier fails to deliver?
- What has the provider’s success rate been over a certain period?
- Can they provide customer testimonials? Can you speak to the customers directly?
- Who is going to support the services? Will it be their own supporting staff or a third party? Where are the support staff?
- Do they provide out of hours support? If so, what kind of support do you get?
- Where are the suppliers data centres? Which will you be utilising ?
- Where is your data stored? Is it in the UK, Europe, or the US?
- Who has access to your data?
- What security certifications does the vendor hold for their data centre operations?
- How often has the vendor updated its service in the past 12 months?
- Will you be getting ongoing value for money from the enhancements?
- Can you see the service roadmap the vendor delivered in the past year?
There is nothing to fear inherently about the cloud. Companies simply have to perform their diligence as they would when buying any other solution, as long as they know the right questions to ask.
In addition to considering the security aspects that may change in utilising cloud solutions such as mobility, access control and the security of the chosen vendor itself you should also consider the education of cloud inherent in your own IT staff. Whilst the fundamental technology being utilised is not new the architectures, security methods and mobility aspects do require adoption of new skills and mind-sets and you will likely also be engaging with vendors you may not have dealt with or even have heard of prior.
Cloud offers opportunities for those that embrace the new form factor and self-educate and certify themselves for the needs of employers today and tomorrow.
More education is needed in cloud across all sectors to enable businesses to understand and utilise this important new technology to its advantage.
CompTIA’s Cloud Essentials certification is an example that enables employees of varying roles to validate their cloud knowledge, take online training and exam condition testing, and differentiate themselves in the competitive job market.
John McGlinchey,Vice President, Europe & Middle East, CompTIA commented: “We have had a demand from the user market for a training curriculum with testing to support this rapidly growing new form factor.
“The demand and adoption is outstripping the skill base and it is key that individuals and businesses recognise and address this shortfall, before it becomes a serious issue for all concerned.”
More education is needed in cloud across all sectors to enable businesses to understand and utilise this important new technology option to its advantage and this need for understanding stretches past simply the border of the IT department. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world.
The IT department in this form factor may not be deploying the hardware and software any longer, but they will play a key role in ensuring the integrity of your systems and security controls that you have in place for your cloud operations.
Ignoring the cloud or moving everything to it in a race to be ‘all cloud’ are both perilous positions. Taking educated steps to the cloud will ensure you gain the benefits that it can bring in a secure manner and that you don’t end up in a technological storm.
- » Doubling down on disaster recovery-as-a-service – for business continuity and beyond
- » How to prevent AIOps from becoming just another cog in the machine
- » Why cloud projects need a small team of effective IT stakeholders to keep things going
- » How to improve privileged users' security experiences with machine learning
- » Why the real multi-cloud motivator is choice - rather than lock-in