In Clouds We Trust?

When the economic crisis hit last year, much of the government response was targeted at shoring up public faith in what once had been perceived as rock solid institutions. We all are now highly aware that these foundations were not as sturdy as once believed, and as a result, many are justifiably skeptical when being asked to trust the same organizations with their now-diminished portfolios.

Yet it doesn’t take much historical digging to realize that bank failures and financial panics are nothing new — they have occurred numerous times in the past. Looking on the “bright” side of the current crisis — if such a side exists! — we have now been (rudely) awakened, poorer but hopefully wiser, from our financial complacency.

As IT organizations evaluate the many options available to them with cloud-based technologies, it is important to consider this lesson and realize that in some ways, entrusting your data to the cloud is like selecting an investment vehicle. It’s essential to evaluate basic attributes such as safety, availability and liquidity.

Fundamentally, the same consideration of key attributes is true for any IT initiative — security is always an essential consideration. However, two factors set cloud services apart and suggest that closer scrutiny is warranted.

The first is simply the fact that cloud is a new paradigm and, as such, many long-established policies and processes that are often business-as-usual in traditional IT initiatives may no longer apply or may need to be modified to accommodate “the cloud.”

Second, with public and other external cloud services, the reins of control are being, at least in part, ceded to another party — it is critical to fully understand the implications and what organizations must do to ensure that their treasured data is appropriately protected and secured.

Key Questions

A good starting point in evaluating any cloud service is to ask some basic questions:

Where is my data?

While your data may logically reside in the cloud, it’s physically sitting on storage in one or more locations. This could be anywhere — even in another country. Find out which locations, as this has implications regarding both availability (is it residing in a single data center situated on a fault line?) as well as regulatory and legal matters (inadvertently storing sensitive information in a foreign country with conflicting governance rules).

How is my data protected?

This is a multifaceted question in that it encompasses areas such as availability and recoverability as well as security. Let’s set aside security for a moment and consider traditional data protection concerns. How is the data being protected against loss and corruption? Is it mirrored, replicated, backed up, checksumed, etc.? Ideally, multiple copies of data are geographically distributed.

Who can see or access my data?

In the interest of efficiency and financial viability, most cloud services employ a multitenancy model — your data co-resides with other data, often within the same database. It’s important to know how access and visibility are managed and recorded, and what steps are in place to ensure security and confidentiality.

This also extends to the personnel of the cloud service provider. What exactly can their administrators see? Many cloud providers leverage colocation or hosting facilities — so there may in fact be a hierarchy of service providers with varying degrees of accessibility depending on the host services being provided. Additionally, it is important to understand capabilities relating to such common concerns as intrusion detection, hacker attack, post attack containment, etc.

How can I take my data back?

After a period of time, you may want to bring your data or application back in-house or even change your service provider. What exactly happens to your data after severing your relationship with the cloud provider? Is your exiting data purged? How locked-in to the vendor are you, and what options are available for migration?

What are the regulatory implications of cloud services?

In addition to fundamental security concerns like access and visibility, another area of concern is related to compliance and regulations. For example, if one must provide audit details relating to immutability or chain of custody, how is this accomplished in the cloud?

Looking for the Silver Lining

While there are certainly a number of questions to answer regarding data protection in the cloud, the news is not all negative. For many who venture into the cloud, there can actually be advantages and enhancements to data availability, protection and security. So, depending on the service offering and the particular provider, some of the concerns can become advantages.

In an effort to allay the concerns that we’ve discussed, some cloud service providers have instituted data security measures that may well exceed those currently available internally within many organizations, particularly smaller ones. For example, in areas such as network intrusion prevention, detection and access control, more mature policies, processes and better monitoring may be in place.

From a data availability and protection perspective, a cloud vendor that distributes data over multiple geographies may offer a step up in disaster recovery and in some situations, even improved user access response. (Consider geographically dispersed users accessing a distributed cloud service in comparison to data access through a slow link to corporate headquarters.) Also, don’t forget that the cloud provider may be offering more robust data backup, and it may be able to do so at a lower cost.

Reporting and audit control for security and data protection is another challenge within many organizations. A cloud provider, particularly if it offers comprehensive service level agreements (SLAs), may offer more complete reporting on data protection and therefore ease some regulatory burdens.

Leveraging the Cloud

There will likely be multiple opportunities for leveraging cloud-based services within an organization. Many organizations have already deployed applications via Software as a Service (SaaS) providers, rather than hosting and managing them in-house. Others are taking advantage of cloud services at the middleware, server, and storage services levels. Further, the multitude of offerings available range from those offering little or no security and protection features, to others with high levels of data security (e.g. access control and encryption) as well as other forms of protection.

Don’t assume that the lack of a particular protection feature necessarily represents a deficiency. The key is to understand requirements and align the service appropriately. A particular data set or application may not require a full suite of protection bells and whistles. A major attraction of “the cloud” is the opportunity to purchase “just enough” of a particular service, and there are lots of applications that don’t necessarily depend on protection at the cloud level.

An organization considering cloud services should have a solid understanding of the service level attributes that it currently provides internally, particularly with regard to data protection and availability. Presumably there are multiple service levels based on differing needs with the enterprise. It is possible that some subset of these offerings would be potential candidates for relocation or migration into the cloud. The next step is to then clearly delineate the security requirements (along with performance and other feature/functions, of course) and determine whether a cloud service offering can meet these requirements. Every effort should be made to articulate these requirements within SLAs when possible.

Cloud services at all levels are evolving rapidly, and more offerings are being introduced every day. This means that there is a growing opportunity to find services tailored to specific needs that can enrich or enhance in-house offerings or provide cost-effective alternatives. While the opportunities to leverage cloud services initially may represent a niche within the IT services landscape, expansion of cloud services will follow as these services improve, and as organizations develop an understanding of managing in the cloud.

The necessary underpinning to that expansion will be a mature, service-focused approach to security and protection.