5 tips for secure cloud computing

By David Ridout 

Risks of the cloud have recently become an issue with well-publicized failures in popular public cloud services.  

Organizations are thus under more pressure than ever to evaluate their management solutions, including those focused on security and how they are deployed as they get onto the cloud. Here are five general tips for companies getting on the cloud:

#1: Consider the full business case

Choose carefully as to which of your services should and should not go onto the cloud. While for example Infrastructure-as-a-service (IaaS) cloud computing services can certainly have a cost advantage for raw computing and bandwidth charges, it may not be as cost effective for enterprise services with higher availability and reliability needs, at least for now.  The complexity and cost of building an equivalent system within public cloud services often nullifies much of the expected savings while offering a more opaque operating environment. 

#2: Plan for problems

Enterprises should decide which services are vital to their customers and/or to their own continuity, and whether these services should go on the cloud, no matter the savings.  In addition there should be contingency planning, both for downtime in the traditional infrastructure or in the cloud. Many companies still assume that resilience is automatically delivered as part of a public cloud service, but like anything else this must also be planned for. A basic truism remains if the cloud service provider goes down, it is still the business which will take the blame from its customers.  

#3: Read the fine print

Enterprises need to fully understand what the service level agreements (SLAs) with their service providers actually cover.  For example a performance degradation in the provider’s network can hurt a company’s reputation just as badly as a complete cloud outage, so service provider uptime is not the only criterion to consider in cloud performance. SLAs should detail obligations such as what the service provider must do when disruptions occur, the penalties for failing to deliver, maximum recovery periods, and the procedures (and extra costs) if a company should want to change cloud providers.

#4: Track your users and their usage

Companies need to find solutions to manage their user identities and their access to both on-premise and cloud-based applications. As organizations migrate more business-critical applications to the cloud, robust identity and access management that bridges the hybrid environment is essential to properly and efficiently control the organization’s IT assets. In addition the management of mobile access and authentication which supports a mobile environment will also become more important.  In the age of multiple access devices, many of which are not managed by the organization, usage must still remain secure and reliable. 

#5: Know where your data is

Even if a corporation just stores peripheral data in the cloud, the organization would need to provide enterprise-grade security processes to protect that data both at rest and in motion. Storage locations will vary in a cloud environment depending on the cloud provider, much more so than with a traditional data centre environment which generally doesn’t change that often.  An enterprise-grade solution that addresses regulatory compliance, content and context should be used. 

In conclusion, an organization interested in using the public cloud today needs to make IT more secure across the physical and virtual as well as cloud environments, have a good understanding of what third party cloud service providers can offer, and ensure it has solutions in place that support: 

•         identity and access management
•         multiple channels of information access
•         multiple data storage locations
•         compliance
•         improved operational efficiency
•         reliability
•         scalability

 David Ridout is  country manager and vice president for area sales at Canada, CA Technologies